Update to BIND 9.11.25

Moved Red Hat specific changes from generated named.8 file to docbook. It is regenerated to named.8 during the build. Release notes: https://downloads.isc.org/isc/bind9/9.11.25/RELEASE-NOTES-bind-9.11.25.html
2020-11-26 13:21:59 +01:00 · 2020-11-26 13:21:59 +01:00 · ad33c6c095
parent aae89bb5ed
commit ad33c6c095
6 changed files with 213 additions and 208 deletions
--- a/.gitignore
+++ b/.gitignore
@ -118,3 +118,5 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.23.tar.gz.asc
 /bind-9.11.24.tar.gz
 /bind-9.11.24.tar.gz.asc
+/bind-9.11.25.tar.gz
+/bind-9.11.25.tar.gz.asc
--- a/bind-9.11-rh1893761.patch
+++ b/bind-9.11-rh1893761.patch
@ -1,28 +0,0 @@
-From ee53b9558fb73dc0c2f328fe91421f2c32e9a369 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 3 Nov 2020 11:25:55 +1100
-Subject: [PATCH] Call nta_detach() before dns_view_weakdetach() so view is
- available.
-
-(cherry picked from commit ea956976d1e89f49570a4690fbad377e4f607c77)
---
- lib/dns/nta.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/dns/nta.c b/lib/dns/nta.c
-index 79058bb9b5..73febe44ed 100644
--- a/lib/dns/nta.c
-+++ b/lib/dns/nta.c
-@@ -283,8 +283,8 @@ checkbogus(isc_task_t *task, isc_event_t *event) {
- 					  &nta->sigrdataset,
- 					  &nta->fetch);
- 	if (result != ISC_R_SUCCESS) {
-		dns_view_weakdetach(&view);
- 		nta_detach(view->mctx, &nta);
-+		dns_view_weakdetach(&view);
- 	}
- }
- 
-- 
-2.26.2
-
--- a/bind-9.11-rt31459.patch
+++ b/bind-9.11-rt31459.patch
@ -1,4 +1,4 @@
-From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
+From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Tue, 12 Sep 2017 19:05:46 -0700
 Subject: [PATCH] rebased rt31459c
@ -53,7 +53,7 @@ Include new unit test
 create mode 100644 lib/dns/tests/dstrandom_test.c

 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
-index 5015abb..295e16f 100644
+index 40cf74c..bd269e7 100644
 --- a/bin/confgen/keygen.c
 +++ b/bin/confgen/keygen.c
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
@ -71,7 +71,7 @@ index 5015abb..295e16f 100644
 							     &entropy_source,
 							     randomfile,
 diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
-index d9d6bb9..de4b15f 100644
+index 4420f2d..9cb63a8 100644
 --- a/bin/dnssec/dnssec-dsfromkey.c
 +++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
@ -103,7 +103,7 @@ index d9d6bb9..de4b15f 100644
 	dns_name_destroy();
 	if (verbose > 10)
 diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
-index d65a514..04b3094 100644
+index dc9a293..52863a1 100644
 --- a/bin/dnssec/dnssec-importkey.c
 +++ b/bin/dnssec/dnssec-importkey.c
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
@ -135,7 +135,7 @@ index d65a514..04b3094 100644
 	dns_name_destroy();
 	if (verbose > 10)
 diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
-index 7d82dbf..10f9359 100644
+index 0121a34..74a99b0 100644
 --- a/bin/dnssec/dnssec-revoke.c
 +++ b/bin/dnssec/dnssec-revoke.c
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
-index 7afcaee..1cfa511 100644
+index f017895..2c568fc 100644
 --- a/bin/dnssec/dnssec-settime.c
 +++ b/bin/dnssec/dnssec-settime.c
-@@ -380,14 +380,14 @@ main(int argc, char **argv) {
+@@ -391,14 +391,14 @@ main(int argc, char **argv) {
 
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
@ -188,7 +188,7 @@ index 7afcaee..1cfa511 100644
 	isc_entropy_stopcallbacksources(ectx);
 
 	if (predecessor != NULL) {
-@@ -672,8 +672,8 @@ main(int argc, char **argv) {
+@@ -683,8 +683,8 @@ main(int argc, char **argv) {
 	if (prevkey != NULL)
 		dst_key_free(&prevkey);
 	dst_key_free(&key);
@ -199,10 +199,10 @@ index 7afcaee..1cfa511 100644
 	if (verbose > 10)
 		isc_mem_stats(mctx, stdout);
 diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
-index 319a805..27ae4d4 100644
+index dde1b2f..7308fc6 100644
 --- a/bin/dnssec/dnssec-signzone.c
 +++ b/bin/dnssec/dnssec-signzone.c
-@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
+@@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) {
 	if (!pseudorandom)
 		eflags |= ISC_ENTROPY_GOODONLY;
 
@ -222,7 +222,7 @@ index 319a805..27ae4d4 100644
 	isc_stdtime_get(&now);
 
 	if (startstr != NULL) {
-@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) {
+@@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) {
 	dns_master_styledestroy(&dsstyle, mctx);
 
 	cleanup_logging(&log);
@ -233,7 +233,7 @@ index 319a805..27ae4d4 100644
 	dns_name_destroy();
 	if (verbose > 10)
 diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
-index 4c293bf..3263cbc 100644
+index 087cd5d..07c7294 100644
 --- a/bin/dnssec/dnssec-verify.c
 +++ b/bin/dnssec/dnssec-verify.c
@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644
 
 	rdclass = strtoclass(classname);
 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index 618ec5b..5654435 100644
+index 7f045e8..2a0f9c6 100644
 --- a/bin/dnssec/dnssectool.c
 +++ b/bin/dnssec/dnssectool.c
@@ -34,6 +34,7 @@
@ -293,7 +293,7 @@ index 618ec5b..5654435 100644
 					   usekeyboard);
 
 diff --git a/bin/named/server.c b/bin/named/server.c
-index 4e503e5..f27071f 100644
+index 30d38be..b2ae57c 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -36,6 +36,7 @@
@ -304,7 +304,7 @@ index 4e503e5..f27071f 100644
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/random.h>
-@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server,
 				      "no source of entropy found");
 		} else {
 			const char *randomdev = cfg_obj_asstring(obj);
@ -315,7 +315,7 @@ index 4e503e5..f27071f 100644
 			int level = ISC_LOG_ERROR;
 			result = isc_entropy_createfilesource(ns_g_entropy,
 							      randomdev);
-@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server,
 				}
 				isc_entropy_detach(&ns_g_fallbackentropy);
 			}
@ -324,10 +324,10 @@ index 4e503e5..f27071f 100644
 		}
 
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index bbb3936..0286987 100644
+index 5a2c660..7f15cbc 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
-@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
+@@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 	if (*ectx == NULL) {
 		result = isc_entropy_create(mctx, ectx);
 		if (result != ISC_R_SUCCESS)
@ -337,7 +337,7 @@ index bbb3936..0286987 100644
 		ISC_LIST_INIT(sources);
 	}
 
-@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
+@@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 		randomfile = NULL;
 	}
 
@ -351,7 +351,7 @@ index bbb3936..0286987 100644
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
 					   usekeyboard);
 
-@@ -979,11 +987,11 @@ setup_system(void) {
+@@ -989,11 +997,11 @@ setup_system(void) {
 		}
 	}
 
@ -366,7 +366,7 @@ index bbb3936..0286987 100644
 	result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
 	check_result(result, "dns_dispatchmgr_create");
 diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
-index 61a41b0..acc71a1 100644
+index 68b5e5a..cd54c8d 100644
 --- a/bin/tests/makejournal.c
 +++ b/bin/tests/makejournal.c
@@ -102,12 +102,12 @@ main(int argc, char **argv) {
@ -386,7 +386,7 @@ index 61a41b0..acc71a1 100644
 	isc_log_registercategories(lctx, categories);
 	isc_log_setcontext(lctx);
 diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
-index c6ab7f8..f0a6ff2 100644
+index e16ec11..95b65bf 100644
 --- a/bin/tests/system/pipelined/pipequeries.c
 +++ b/bin/tests/system/pipelined/pipequeries.c
@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
@ -448,7 +448,7 @@ index c6ab7f8..f0a6ff2 100644
 
 	isc_log_destroy(&lctx);
 diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
-index 61f1ff7..ed1302a 100644
+index c0a99a2..0245527 100644
 --- a/bin/tests/system/pipelined/tests.sh
 +++ b/bin/tests/system/pipelined/tests.sh
@@ -19,7 +19,7 @@ status=0
@ -470,7 +470,7 @@ index 61f1ff7..ed1302a 100644
 $DIFF refb outputb || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
-index 4462f2e..f06268d 100644
+index abf12ed..fa5182c 100644
 --- a/bin/tests/system/rsabigexponent/bigkey.c
 +++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -20,6 +20,7 @@
@ -492,7 +492,7 @@ index 4462f2e..f06268d 100644
 					"../random.data",
 					ISC_ENTROPY_KEYBOARDNO),
 diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
-index 653c951..fe8698e 100644
+index 34360aa..3236968 100644
 --- a/bin/tests/system/tkey/keycreate.c
 +++ b/bin/tests/system/tkey/keycreate.c
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
@ -561,7 +561,7 @@ index 653c951..fe8698e 100644
 
 	isc_mem_destroy(&mctx);
 diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 70a40c3..2146f9b 100644
+index 4b5b901..43fb6b0 100644
 --- a/bin/tests/system/tkey/keydelete.c
 +++ b/bin/tests/system/tkey/keydelete.c
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
@ -630,50 +630,50 @@ index 70a40c3..2146f9b 100644
 
 	isc_mem_destroy(&mctx);
 diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
-index 9f90dd7..fad6c83 100644
+index b265156..bcd60a6 100644
 --- a/bin/tests/system/tkey/tests.sh
 +++ b/bin/tests/system/tkey/tests.sh
@@ -33,7 +33,7 @@ for owner in . foo.example.
 do
- 	echo "I:creating new key using owner name \"$owner\""
+ 	echo_i "creating new key using owner name \"$owner\" ($n)"
 	ret=0
 -	keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
 +	keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
 	if [ $ret != 0 ]; then
- 		echo "I:failed"
- 		status=`expr $status + $ret`
-@@ -55,7 +55,7 @@ do
+ 		echo_i "failed"
+ 		status=$((status+ret))
+@@ -57,7 +57,7 @@ do
 
- 	echo "I:deleting new key"
+ 	echo_i "deleting new key ($n)"
 	ret=0
 -	$KEYDELETE $keyname || ret=1
 +	$KEYDELETE -r $RANDFILE $keyname || ret=1
 	if [ $ret != 0 ]; then
- 		echo "I:failed"
+ 		echo_i "failed"
 	fi
-@@ -75,7 +75,7 @@ done
+@@ -79,7 +79,7 @@ done
 
- echo "I:creating new key using owner name bar.example."
+ echo_i "creating new key using owner name bar.example. ($n)"
 ret=0
 -keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
 +keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
-         echo "I:failed"
- 	status=`expr $status + $ret`
-@@ -116,7 +116,7 @@ status=`expr $status + $ret`
+         echo_i "failed"
+ 	status=$((status+ret))
+@@ -124,7 +124,7 @@ n=$((n+1))
 
- echo "I:recreating the bar.example. key"
+ echo_i "recreating the bar.example. key ($n)"
 ret=0
 -keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
 +keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
-         echo "I:failed"
- 	status=`expr $status + $ret`
+         echo_i "failed"
+ 	status=$((status+ret))
 diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
-index bf6dbb6..0416b21 100644
+index 26fa609..fb34aa0 100644
 --- a/bin/tools/mdig.c
 +++ b/bin/tools/mdig.c
-@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) {
+@@ -2005,12 +2005,11 @@ main(int argc, char *argv[]) {
 
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644
 	parse_args(false, argc, argv);
 	if (server == NULL)
 diff --git a/configure b/configure
-index 6d05371..33689c9 100755
+index 0faca65..d5ffc87 100755
 --- a/configure
 +++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\
@ -723,7 +723,7 @@ index 6d05371..33689c9 100755
   --enable-largefile      64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
-@@ -17144,6 +17148,7 @@ case "$use_openssl" in
+@@ -17205,6 +17209,7 @@ case "$use_openssl" in
 $as_echo "disabled because of native PKCS11" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
@ -731,7 +731,7 @@ index 6d05371..33689c9 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
+@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
 $as_echo "no" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -739,7 +739,7 @@ index 6d05371..33689c9 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; }
+@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; }
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -747,7 +747,7 @@ index 6d05371..33689c9 100755
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; }
+@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; }
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -756,7 +756,7 @@ index 6d05371..33689c9 100755
 		;;
 	*)
 		if test "yes" = "$want_native_pkcs11"
-@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; }
+@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; }
 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
 		fi
 		CRYPTO='-DOPENSSL'
@ -764,7 +764,7 @@ index 6d05371..33689c9 100755
 		if test "/usr" = "$use_openssl"
 		then
 			DST_OPENSSL_INC=""
-@@ -17835,8 +17843,6 @@ fi
+@@ -17897,8 +17905,6 @@ fi
 # Use OpenSSL for hash functions
 #
 
@ -773,7 +773,7 @@ index 6d05371..33689c9 100755
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 case $want_openssl_hash in
 	yes)
-@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then
+@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
 
@ -860,7 +860,7 @@ index 6d05371..33689c9 100755
 #
 # was --with-lmdb specified?
 #
-@@ -20441,9 +20527,12 @@ _ACEOF
+@@ -20549,9 +20635,12 @@ _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
 $as_echo "size_t for buflen; int for flags" >&6; }
@ -875,7 +875,7 @@ index 6d05371..33689c9 100755
 
 	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
 
-@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
@ -889,7 +889,7 @@ index 6d05371..33689c9 100755
 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
 # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
 # This bug is HP SR number 8606223364.
-@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF
+@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 
 
@ -901,7 +901,7 @@ index 6d05371..33689c9 100755
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -21804,39 +21893,6 @@ _ACEOF
+@@ -21923,39 +22012,6 @@ _ACEOF
 		fi
 	;;
 	x86_64-*|amd64-*)
@ -941,7 +941,7 @@ index 6d05371..33689c9 100755
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
+@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
 $as_echo "$arch" >&6; }
 fi
 
@ -952,7 +952,7 @@ index 6d05371..33689c9 100755
 if test "yes" = "$have_atomic"; then
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
 $as_echo_n "checking compiler support for inline assembly code... " >&6; }
-@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
+@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
 #
 dlzdir='${DLZ_DRIVER_DIR}'
 
@ -983,7 +983,7 @@ index 6d05371..33689c9 100755
 #
 # Private autoconf macro to simplify configuring drivers:
 #
-@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; }
+@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; }
 $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
 		;;
 	*)
@ -998,7 +998,7 @@ index 6d05371..33689c9 100755
 		fi
 
 	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
-@@ -24840,7 +24924,7 @@ $as_echo "" >&6; }
+@@ -24986,7 +25070,7 @@ $as_echo "" >&6; }
 			# Check other locations for includes.
 			# Order is important (sigh).
 
@ -1007,7 +1007,7 @@ index 6d05371..33689c9 100755
 			# include a blank element first
 			for d in "" $bdb_incdirs
 			do
-@@ -24865,57 +24949,9 @@ $as_echo "" >&6; }
+@@ -25011,57 +25095,9 @@ $as_echo "" >&6; }
 			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
 			for d in $bdb_libnames
 			do
@ -1067,7 +1067,7 @@ index 6d05371..33689c9 100755
 					break
 				fi
 			done
-@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; }
+@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; }
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
 		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
 	fi
@ -1081,7 +1081,7 @@ index 6d05371..33689c9 100755
 	fi
 
 
-@@ -25163,11 +25199,11 @@ fi
+@@ -25309,11 +25345,11 @@ fi
 		odbcdirs="/usr /usr/local /usr/pkg"
 		for d in $odbcdirs
 		do
@ -1095,7 +1095,7 @@ index 6d05371..33689c9 100755
 				break
 			fi
 		done
-@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
+@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
 
 
 
@ -1104,7 +1104,7 @@ index 6d05371..33689c9 100755
 #
 # Commands to run at the end of config.status.
 # Don't just put these into configure, it won't work right if somebody
-@@ -27819,6 +27857,8 @@ report() {
+@@ -27966,6 +28004,8 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1113,7 +1113,7 @@ index 6d05371..33689c9 100755
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-@@ -27859,6 +27899,8 @@ report() {
+@@ -28006,6 +28046,8 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
 
@ -1122,7 +1122,7 @@ index 6d05371..33689c9 100755
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
 	echo "        Berkeley DB (--with-dlz-bdb)"
-@@ -27906,6 +27948,8 @@ report() {
+@@ -28053,6 +28095,8 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
@ -1132,10 +1132,10 @@ index 6d05371..33689c9 100755
     test "yes" = "$enable_seccomp" || \
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
 diff --git a/configure.ac b/configure.ac
-index d10cde5..68bead8 100644
+index 78535bd..faef2e8 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1550,6 +1550,7 @@ case "$use_openssl" in
+@@ -1598,6 +1598,7 @@ case "$use_openssl" in
 		AC_MSG_RESULT(disabled because of native PKCS11)
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
@ -1143,7 +1143,7 @@ index d10cde5..68bead8 100644
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -1563,6 +1564,7 @@ case "$use_openssl" in
+@@ -1611,6 +1612,7 @@ case "$use_openssl" in
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -1151,7 +1151,7 @@ index d10cde5..68bead8 100644
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -1575,6 +1577,7 @@ case "$use_openssl" in
+@@ -1623,6 +1625,7 @@ case "$use_openssl" in
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
@ -1159,7 +1159,7 @@ index d10cde5..68bead8 100644
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
-@@ -1585,7 +1588,7 @@ case "$use_openssl" in
+@@ -1633,7 +1636,7 @@ case "$use_openssl" in
 		OPENSSLLINKSRCS=""
 		AC_MSG_ERROR(
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -1168,7 +1168,7 @@ index d10cde5..68bead8 100644
 		;;
 	*)
 		if test "yes" = "$want_native_pkcs11"
-@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl])
+@@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl])
 			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
 		fi
 		CRYPTO='-DOPENSSL'
@ -1176,7 +1176,7 @@ index d10cde5..68bead8 100644
 		if test "/usr" = "$use_openssl"
 		then
 			DST_OPENSSL_INC=""
-@@ -2050,7 +2054,6 @@ fi
+@@ -2099,7 +2103,6 @@ fi
 # Use OpenSSL for hash functions
 #
 
@ -1184,7 +1184,7 @@ index d10cde5..68bead8 100644
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
 case $want_openssl_hash in
 	yes)
-@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then
+@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then
 	LIBS="-lrt $LIBS"
 fi
 
@ -1252,7 +1252,7 @@ index d10cde5..68bead8 100644
 #
 # was --with-lmdb specified?
 #
-@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
+@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
 if test "yes" = "$use_atomic"; then
@ -1266,7 +1266,7 @@ index d10cde5..68bead8 100644
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then
+@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then
 		fi
 	;;
 	x86_64-*|amd64-*)
@ -1274,7 +1274,7 @@ index d10cde5..68bead8 100644
 		if test $ac_cv_sizeof_void_p = 8; then
 			arch=x86_64
 			have_xaddq=yes
-@@ -5518,6 +5581,8 @@ report() {
+@@ -5635,6 +5698,8 @@ report() {
 	    echo "    IPv6 support (--enable-ipv6)"
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1283,7 +1283,7 @@ index d10cde5..68bead8 100644
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-@@ -5558,6 +5623,8 @@ report() {
+@@ -5675,6 +5740,8 @@ report() {
 	echo "    Very verbose query trace logging (--enable-querytrace)"
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
 
@ -1292,7 +1292,7 @@ index d10cde5..68bead8 100644
     echo "    Dynamically loadable zone (DLZ) drivers:"
     test "no" = "$use_dlz_bdb" || \
 	echo "        Berkeley DB (--with-dlz-bdb)"
-@@ -5605,6 +5672,8 @@ report() {
+@@ -5722,6 +5789,8 @@ report() {
 	echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
 	echo "    EDDSA algorithm support (--with-eddsa)"
@ -1302,7 +1302,7 @@ index d10cde5..68bead8 100644
     test "yes" = "$enable_seccomp" || \
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 65bf25d..1eccbe7 100644
+index 7a86506..aa54afc 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
@ -1366,7 +1366,7 @@ index 65bf25d..1eccbe7 100644
 #endif
 }
 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index 1924e74..6813c96 100644
+index 5b42ab4..3aba028 100644
 --- a/lib/dns/include/dst/dst.h
 +++ b/lib/dns/include/dst/dst.h
@@ -159,6 +159,14 @@ dst_lib_destroy(void);
@ -1385,10 +1385,10 @@ index 1924e74..6813c96 100644
 dst_algorithm_supported(unsigned int alg);
 /*%<
 diff --git a/lib/dns/lib.c b/lib/dns/lib.c
-index 304814b..60543c4 100644
+index d9417de..0dc935d 100644
 --- a/lib/dns/lib.c
 +++ b/lib/dns/lib.c
-@@ -18,6 +18,7 @@
+@@ -16,6 +16,7 @@
 #include <stdbool.h>
 #include <stddef.h>
 
@ -1396,7 +1396,7 @@ index 304814b..60543c4 100644
 #include <isc/hash.h>
 #include <isc/mem.h>
 #include <isc/msgcat.h>
-@@ -78,6 +79,7 @@ static unsigned int references = 0;
+@@ -76,6 +77,7 @@ static unsigned int references = 0;
 static void
 initialize(void) {
 	isc_result_t result;
@ -1404,7 +1404,7 @@ index 304814b..60543c4 100644
 
 	REQUIRE(initialize_done == false);
 
-@@ -88,11 +90,14 @@ initialize(void) {
+@@ -86,11 +88,14 @@ initialize(void) {
 	result = dns_ecdb_register(dns_g_mctx, &dbimp);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mctx;
@ -1421,7 +1421,7 @@ index 304814b..60543c4 100644
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_hash;
 
-@@ -100,11 +105,17 @@ initialize(void) {
+@@ -98,11 +103,17 @@ initialize(void) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_dst;
 
@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644
 	isc_hash_destroy();
   cleanup_db:
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index 13e838f..ffe0a69 100644
+index 1e57c71..3f4f822 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
@@ -31,6 +31,7 @@
@ -1624,7 +1624,7 @@ index 13e838f..ffe0a69 100644
 #endif /* OPENSSL */
 /*! \file */
 diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
-index 5a2c502..8eaef53 100644
+index 6b30309..20552fa 100644
 --- a/lib/dns/pkcs11.c
 +++ b/lib/dns/pkcs11.c
@@ -13,12 +13,15 @@
@ -1692,7 +1692,7 @@ index 937b548..f3c0e38 100644
 tap_test_program{name='gost_test'}
 tap_test_program{name='keytable_test'}
 diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
-index 90dc3a6..7671e1d 100644
+index 4126372..30cab17 100644
 --- a/lib/dns/tests/Makefile.in
 +++ b/lib/dns/tests/Makefile.in
@@ -37,6 +37,7 @@ SRCS =		acl_test.c \
@ -1845,10 +1845,10 @@ index 0000000..bd3d164
 +
 +#endif
 diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
-index 63be973..40b21fa 100644
+index 9c2ef79..f597049 100644
 --- a/lib/dns/win32/libdns.def.in
 +++ b/lib/dns/win32/libdns.def.in
-@@ -1485,6 +1485,13 @@ dst_lib_destroy
+@@ -1487,6 +1487,13 @@ dst_lib_destroy
 dst_lib_init
 dst_lib_init2
 dst_lib_initmsgcat
@ -1863,7 +1863,7 @@ index 63be973..40b21fa 100644
 dst_region_computerid
 dst_result_register
 diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
-index 907e470..451544d 100644
+index 0c1f3ed..fdd17d7 100644
 --- a/lib/isc/entropy.c
 +++ b/lib/isc/entropy.c
@@ -104,11 +104,15 @@ struct isc_entropy {
@ -1921,7 +1921,7 @@ index 907e470..451544d 100644
 +	hook = myhook;
 +}
 diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index e8733db..c40a18c 100644
+index b5bc956..f32c9dc 100644
 --- a/lib/isc/include/isc/entropy.h
 +++ b/lib/isc/include/isc/entropy.h
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
@ -1944,7 +1944,7 @@ index e8733db..c40a18c 100644
 
 #endif /* ISC_ENTROPY_H */
 diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index 61960f1..d22993d 100644
+index 2bf8758..f4c684e 100644
 --- a/lib/isc/include/isc/platform.h.in
 +++ b/lib/isc/include/isc/platform.h.in
@@ -359,6 +359,11 @@
@ -1960,10 +1960,10 @@ index 61960f1..d22993d 100644
  * Define if the hash functions must be provided by OpenSSL.
  */
 diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
-index da9d66f..4205400 100644
+index 3bdd54f..d5acd39 100644
 --- a/lib/isc/include/isc/types.h
 +++ b/lib/isc/include/isc/types.h
-@@ -97,6 +97,8 @@ typedef struct isc_time			isc_time_t;		/*%< Time */
+@@ -95,6 +95,8 @@ typedef struct isc_time			isc_time_t;		/*%< Time */
 typedef struct isc_timer		isc_timer_t;		/*%< Timer */
 typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
 
@ -1973,7 +1973,7 @@ index da9d66f..4205400 100644
 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
 
 diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
-index 68aebdc..4b85527 100644
+index 227f807..4a63fdf 100644
 --- a/lib/isc/pk11.c
 +++ b/lib/isc/pk11.c
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
@ -1999,7 +1999,7 @@ index 68aebdc..4b85527 100644
     cleanup:
 	if (stream != NULL)
 diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
-index 8ade705..fa72f9d 100644
+index 1f785e0..f9051c3 100644
 --- a/lib/isc/win32/include/isc/platform.h.in
 +++ b/lib/isc/win32/include/isc/platform.h.in
@@ -73,6 +73,11 @@
@ -2015,7 +2015,7 @@ index 8ade705..fa72f9d 100644
  * Define if the hash functions must be provided by OpenSSL.
  */
 diff --git a/win32utils/Configure b/win32utils/Configure
-index 79d682e..6c78cb2 100644
+index 5f66a82..ff39910 100644
 --- a/win32utils/Configure
 +++ b/win32utils/Configure
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
@ -2054,7 +2054,7 @@ index 79d682e..6c78cb2 100644
 my $enable_openssl_hash = "auto";
 my $enable_filter_aaaa = "yes";
 my $enable_isc_spnego = "yes";
-@@ -847,6 +852,10 @@ sub myenable {
+@@ -848,6 +853,10 @@ sub myenable {
         if ($val =~ /^yes$/i) {
             $enable_native_pkcs11 = "yes";
         }
@ -2065,7 +2065,7 @@ index 79d682e..6c78cb2 100644
     } elsif ($key =~ /^openssl-hash$/i) {
         if ($val =~ /^yes$/i) {
             $enable_openssl_hash = "yes";
-@@ -1153,6 +1162,11 @@ if ($verbose) {
+@@ -1154,6 +1163,11 @@ if ($verbose) {
     } else {
         print "native-pkcs11: disabled\n";
     }
@ -2077,7 +2077,7 @@ index 79d682e..6c78cb2 100644
     if ($enable_openssl_hash eq "yes") {
         print "openssl-hash: enabled\n";
     } else {
-@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") {
+@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") {
 
 # enable-native-pkcs11
 if ($enable_native_pkcs11 eq "yes") {
@ -2085,7 +2085,7 @@ index 79d682e..6c78cb2 100644
     if ($use_openssl eq "auto") {
         $use_openssl = "no";
     }
-@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") {
+@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") {
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
     }   
 
@ -2093,7 +2093,7 @@ index 79d682e..6c78cb2 100644
     $configcond{"OPENSSL"} = 1;
     $configdefd{"CRYPTO"} = "OPENSSL";
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
-@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") {
+@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") {
 }
 
 
@ -2109,7 +2109,7 @@ index 79d682e..6c78cb2 100644
 # enable-openssl-hash
 if ($enable_openssl_hash eq "yes") {
     if ($use_openssl eq "no") {
-@@ -3665,6 +3690,7 @@ exit 0;
+@@ -3673,6 +3698,7 @@ exit 0;
 #  --enable-developer partially supported
 #  --enable-newstats (9.9/9.9sub only)
 #  --enable-native-pkcs11 supported
@ -2118,5 +2118,5 @@ index 79d682e..6c78cb2 100644
 #  --enable-openssl-hash supported
 #  --enable-threads included without a way to disable it
 -- 
-2.21.1
+2.26.2

--- a/bind-9.3.2-redhat_doc.patch
+++ b/bind-9.3.2-redhat_doc.patch
@ -1,68 +1,98 @@
-diff --git a/bin/named/named.8 b/bin/named/named.8
-index ef10ef4..3150b22 100644
--- a/bin/named/named.8
-+++ b/bin/named/named.8
-@@ -349,6 +349,63 @@ The default configuration file\&.
- /var/run/named/named\&.pid
- .RS 4
- The default process\-id file\&.
-+.PP
-+.SH "NOTES"
-+.PP
-+.TP
-+\fBRed Hat SELinux BIND Security Profile:\fR
-+.PP
-+By default, Red Hat ships BIND with the most secure SELinux policy
-+that will not prevent normal BIND operation and will prevent exploitation
-+of all known BIND security vulnerabilities . See the selinux(8) man page
-+for information about SElinux.
-+.PP
-+It is not necessary to run named in a chroot environment if the Red Hat
-+SELinux policy for named is enabled. When enabled, this policy is far
-+more secure than a chroot environment. Users are recommended to enable
-+SELinux and remove the bind-chroot package.
-+.PP
-+With this extra security comes some restrictions:
-+.PP
-+By default, the SELinux policy does not allow named to write any master
-+zone database files. Only the root user may create files in the $ROOTDIR/var/named
-+zone database file directory (the options { "directory" } option), where
-+$ROOTDIR is set in /etc/sysconfig/named.
-+.PP
-+The "named" group must be granted read privelege to
-+these files in order for named to be enabled to read them.
-+.PP
-+Any file created in the zone database file directory is automatically assigned
-+the SELinux file context named_zone_t .
-+.PP
-+By default, SELinux prevents any role from modifying named_zone_t files; this
-+means that files in the zone database directory cannot be modified by dynamic
-+DNS (DDNS) updates or zone transfers.
-+.PP
-+The Red Hat BIND distribution and SELinux policy creates three directories where
-+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
-+/var/named/data. By placing files you want named to modify, such as
-+slave or DDNS updateable zone files and database / statistics dump files in
-+these directories, named will work normally and no further operator action is
-+required. Files in these directories are automatically assigned the 'named_cache_t'
-+file context, which SELinux allows named to write.
-+.PP
-+\fBRed Hat BIND SDB support:\fR
-+.PP
-+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
-+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
-+.PP
-+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
-+.PP
-+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
-+.br
-+.PP
-+\fBRed Hat system-config-bind:\fR
-+.PP
-+Red Hat provides the system-config-bind GUI to configure named.conf and zone
-+database files. Run the "system-config-bind" command and access the manual
-+by selecting the Help menu.
-+.PP
- .RE
- .SH "SEE ALSO"
- .PP
+From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 26 Nov 2020 12:13:10 +0100
+Subject: [PATCH] Note specific Red Hat changes in manual page
+
+Change docbook template instead of generated manual page. Remove
+system-config-bind reference, package were discontinued.
+---
+ bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 73 insertions(+)
+
+diff --git a/bin/named/named.docbook b/bin/named/named.docbook
+index 7e743a9..802bec3 100644
+--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
+@@ -516,6 +516,79 @@
+ 
+   </refsection>
+ 
+  <refsection><info><title>NOTES</title></info>
+    <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
+
+    <para>
+    By default, Red Hat ships BIND with the most secure SELinux policy
+    that will not prevent normal BIND operation and will prevent exploitation
+    of all known BIND security vulnerabilities . See the selinux(8) man page
+    for information about SElinux.
+    </para>
+
+    <para>
+    It is not necessary to run named in a chroot environment if the Red Hat
+    SELinux policy for named is enabled. When enabled, this policy is far
+    more secure than a chroot environment. Users are recommended to enable
+    SELinux and remove the bind-chroot package.
+    </para>
+
+    <para>
+    With this extra security comes some restrictions:
+    </para>
+
+    <para>
+    By default, the SELinux policy allows named to write any master
+    zone database files. Only the root user may create files in the $ROOTDIR/var/named
+    zone database file directory (the options { "directory" } option), where
+    $ROOTDIR is set in /etc/sysconfig/named.
+    </para>
+
+    <para>
+    The "named" group must be granted read privelege to
+    these files in order for named to be enabled to read them.
+    </para>
+
+    <para>
+    Any file created in the zone database file directory is automatically assigned
+    the SELinux file context named_zone_t .
+    </para>
+
+    <para>
+    By default, SELinux prevents any role from modifying named_zone_t files; this
+    means that files in the zone database directory cannot be modified by dynamic
+    DNS (DDNS) updates or zone transfers.
+    </para>
+
+    <para>
+    The Red Hat BIND distribution and SELinux policy creates three directories where
+    named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+    /var/named/data. By placing files you want named to modify, such as
+    slave or DDNS updateable zone files and database / statistics dump files in
+    these directories, named will work normally and no further operator action is
+    required. Files in these directories are automatically assigned the 'named_cache_t'
+    file context, which SELinux allows named to write.
+    </para>
+    </refsection>
+
+    <refsection><info><title>Red Hat BIND SDB support</title></info>
+
+    <para>
+    Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+    provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
+    </para>
+
+    <para>
+    The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
+    </para>
+
+    <para>
+    See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+    </para>
+    </refsection>
+
+  </refsection>
+
+   <refsection><info><title>SEE ALSO</title></info>
+ 
+     <para><citetitle>RFC 1033</citetitle>,
+-- 
+2.26.2
+
--- a/bind.spec
+++ b/bind.spec
@ -66,8 +66,8 @@
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
 Name:     bind
 License:  MPLv2.0
-Version:  9.11.24
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Version:  9.11.25
+Release:  1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -162,7 +162,6 @@ Patch174:bind-9.11-json-c.patch
 Patch175:bind-9.11-fips-disable.patch
 Patch177: bind-9.11-serve-stale.patch
 Patch178: bind-9.11-serve-stale-dbfix.patch
-Patch179: bind-9.11-rh1893761.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -576,7 +575,6 @@ are used for building ISC DHCP.
 %patch175 -p1 -b .rh1709553
 %patch177 -p1 -b .serve-stale
 %patch178 -p1 -b .rh1770492
-%patch179 -p1 -b .rh1893761

 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -1610,6 +1608,9 @@ fi;
 %endif

 %changelog
+* Thu Nov 26 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.25-1
+- Update to 9.11.25
+
 * Wed Nov 04 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.24-2
 - Fix crash on NTA recheck failure (#1893761)

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (bind-9.11.24.tar.gz) = 30b4910be9e59b1df9184ddbd95341494c08a2c530b02077f28492c248af607d7d4c6666459a0e7cc0e9ad6c2b12ff3e7b03f500a720b39d304008f0ab94d5fa
-SHA512 (bind-9.11.24.tar.gz.asc) = 7ec9a0fa9cc61ab64c2c2c67fabfe17311253da509dbe658dfe5a63d4fada2d0800a2e6d388d8303ccaa4ef110c5a110569724030df3a34dee58b0a58904bbcb
+SHA512 (bind-9.11.25.tar.gz) = 852b15b6cf2f77ab103018e6fc078d856653c62c2db0ca2ef4f8bee64a60b06ed481d9fcdf29020e5072c69b9982545f032b2ab4c94dac28848150e04b9cecf9
+SHA512 (bind-9.11.25.tar.gz.asc) = 8cc8e5d21a445d918e82b42057f1d4e73ed977f4eb9584736008b71ae747078d500cc962c3bd03eb4f6a18688b642b108a8e3d673851b0dd4818fc9a33e5faf7