import bind-9.11.13-6.el8_2.1

.bind.metadata

@@ -0,0 +1,2 @@
+550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
+a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/bind-9.11.13.tar.gz
+SOURCES/random.data

SOURCES/README.sdb_pgsql

@@ -0,0 +1,79 @@
+			PGSQL BIND SDB driver
+
+The postgresql BIND SDB driver is of experimental status and should not be 
+used for production systems.
+
+Usage:
+
+o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
+
+o Edit your named.conf to contain a database zone, eg. :
+  
+zone "pgdb.net." IN {
+        type master;
+        database "pgsql  bind        pgdb     localhost pguser pgpasswd";
+        #                ^- DB name  ^-Table  ^-host    ^-user ^-password
+};
+
+o Create the database zone table
+  The table must contain the columns "name", "rdtype", and "rdata", and
+  is expected to contain a properly constructed zone.  The program "zonetodb"
+  creates such a table.
+  
+  zonetodb usage:
+    
+    zonetodb origin file dbname dbtable
+
+    where
+	origin : zone origin, eg "pgdb.net."
+	file   : master zone database file, eg. pgdb.net.db
+	dbname : name of postgresql database 
+        dbtable: name of table in database
+
+    Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database 
+        'pgdb' table:
+
+---
+#pgdb.net.db:
+$TTL 1H
+@       SOA     localhost.      root.localhost. (       1
+                                                3H
+                                                1H
+                                                1W
+                                                1H )
+        NS      localhost.
+host1   A       192.168.2.1
+host2   A       192.168.2.2
+host3   A       192.168.2.3
+host4   A       192.168.2.4
+host5   A       192.168.2.5
+host6   A       192.168.2.6
+host7   A       192.168.2.7
+---
+
+Issue this command as the pgsql user authorized to update the bind database:
+ 
+# zonetodb pgdb.net. pgdb.net.db bind pgdb
+
+will create / update the pgdb table in the 'bind' db:
+
+$ psql -dbind -c 'select * from pgdb;'
+      name      | ttl  | rdtype |                        rdata
+----------------+------+--------+-----------------------------------------------------
+ pgdb.net       | 3600 | SOA    | localhost. root.localhost. 1 10800 3600 604800 3600
+ pgdb.net       | 3600 | NS     | localhost.
+ host1.pgdb.net | 3600 | A      | 192.168.2.1
+ host2.pgdb.net | 3600 | A      | 192.168.2.2
+ host3.pgdb.net | 3600 | A      | 192.168.2.3
+ host4.pgdb.net | 3600 | A      | 192.168.2.4
+ host5.pgdb.net | 3600 | A      | 192.168.2.5
+ host6.pgdb.net | 3600 | A      | 192.168.2.6
+ host7.pgdb.net | 3600 | A      | 192.168.2.7
+(9 rows)
+
+I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
+
+NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
+      service .
+
+USE AT YOUR OWN RISK!

SOURCES/bind-9.10-dist-native-pkcs11.patch

@@ -0,0 +1,612 @@
+diff --git a/bin/Makefile.in b/bin/Makefile.in
+index f0c504a..ce7a2da 100644
+--- a/bin/Makefile.in
++++ b/bin/Makefile.in
+@@ -11,8 +11,8 @@ srcdir =	@srcdir@
+ VPATH =		@srcdir@
+ top_srcdir =	@top_srcdir@
+ 
+-SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
+-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
++SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
++		check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+ TARGETS =
+ 
+ @BIND9_MAKE_RULES@
+diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
+index 4b8ca13..32f4470 100644
+--- a/bin/dnssec-pkcs11/Makefile.in
++++ b/bin/dnssec-pkcs11/Makefile.in
+@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
+ 
+ @BIND9_MAKE_INCLUDES@
+ 
+-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
++CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
+ 
+-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+-		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
++CDEFINES =	-DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
++		@CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+ CWARNINGS =
+ 
+-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+-ISCLIBS =	../../lib/isc/libisc.@A@
+-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
++DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
++ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
++ISCNOSYMLIBS =	../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
+ 
+-DNSDEPLIBS =	../../lib/dns/libdns.@A@
+-ISCDEPLIBS =	../../lib/isc/libisc.@A@
++DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
++ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ 
+ DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
+ 
+@@ -35,10 +35,10 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+ NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+ 
+ # Alphabetically
+-TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
+-		dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
+-		dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
+-		dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
++TARGETS =	dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
++		dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
++		dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
++		dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
+ 
+ OBJS =		dnssectool.@O@
+ 
+@@ -59,15 +59,15 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
+ 
+ @BIND9_MAKE_RULES@
+ 
+-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+ 	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
+ 	${FINALBUILDCMD}
+ 
+-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+ 	export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
+ 	${FINALBUILDCMD}
+ 
+-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+ 	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
+ 	${FINALBUILDCMD}
+ 
+@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+ 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+ 		-c ${srcdir}/dnssec-signzone.c
+ 
+-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+ 	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
+ 	${FINALBUILDCMD}
+ 
+@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
+ 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
+ 		-c ${srcdir}/dnssec-verify.c
+ 
+-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+ 	export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
+ 	${FINALBUILDCMD}
+ 
+-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ 	dnssec-revoke.@O@ ${OBJS} ${LIBS}
+ 
+-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ 	dnssec-settime.@O@ ${OBJS} ${LIBS}
+ 
+-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ 	dnssec-importkey.@O@ ${OBJS} ${LIBS}
+ 
+@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+ 
+ install-man8: ${MANPAGES}
+ 	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ 
+-install:: ${TARGETS} installdirs install-man8
++install:: ${TARGETS} installdirs
+ 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
+ 
+ uninstall::
+-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
+ 	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
+ 
+ clean distclean::
+diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
+index 4b8ca13..4175996 100644
+--- a/bin/dnssec/Makefile.in
++++ b/bin/dnssec/Makefile.in
+@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
+ 
+ CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+ 
+-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
++CDEFINES =	-DVERSION=\"${VERSION}\" \
+ 		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+ CWARNINGS =
+ 
+diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
+index 3166368..a403941 100644
+--- a/bin/named-pkcs11/Makefile.in
++++ b/bin/named-pkcs11/Makefile.in
+@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+ DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+ 
+ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+-		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+-		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
++		${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
++		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
+ 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ 		@DST_OPENSSL_INC@
+ 
+-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
++CDEFINES =      @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
+ 
+ CWARNINGS =
+ 
+-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
++DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
+ ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+-ISCLIBS =	../../lib/isc/libisc.@A@
+-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
++ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
++ISCNOSYMLIBS =	../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
+ LWRESLIBS =	../../lib/lwres/liblwres.@A@
+ BIND9LIBS =	../../lib/bind9/libbind9.@A@
+ 
+-DNSDEPLIBS =	../../lib/dns/libdns.@A@
++DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+ ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
+-ISCDEPLIBS =	../../lib/isc/libisc.@A@
++ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
+ BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
+ 
+@@ -72,15 +72,15 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ 
+ LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
++		@LIBS@
+ 
+ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
++		@LIBS@
+ 
+ SUBDIRS =	unix
+ 
+-TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
++TARGETS =	named-pkcs11@EXEEXT@
+ 
+ GEOIPLINKOBJS = geoip.@O@
+ GEOIP2LINKOBJS = geoip.@O@
+@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
+ 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
+ 		zoneconf.@O@ \
+ 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
+-		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
+-		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
++        lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
+ 
+ UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
+ 
+@@ -113,8 +112,7 @@ SRCS =		builtin.c client.c config.c control.c \
+ 		tkeyconf.c tsigconf.c update.c xfrout.c \
+ 		zoneconf.c \
+ 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
+-		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
+-		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
++        lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
+ 
+ MANPAGES =	named.8 lwresd.8 named.conf.5
+ 
+@@ -154,14 +152,14 @@ server.@O@: server.c
+ 		-DPRODUCT=\"${PRODUCT}\" \
+ 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
+ 
+-named@EXEEXT@: ${OBJS} ${DEPLIBS}
++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
+ 	export MAKE_SYMTABLE="yes"; \
+ 	export BASEOBJS="${OBJS} ${UOBJS}"; \
+ 	${FINALBUILDCMD}
+ 
+-lwresd@EXEEXT@: named@EXEEXT@
++lwresd@EXEEXT@: named-pkcs11@EXEEXT@
+ 	rm -f lwresd@EXEEXT@
+-	@LN@ named@EXEEXT@ lwresd@EXEEXT@
++	@LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
+ 
+ doc man:: ${MANOBJS}
+ 
+@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
+ 
+ install-man: install-man5 install-man8
+ 
+-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+-	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
++install:: named-pkcs11@EXEEXT@ installdirs
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
+ 
+ uninstall::
+-	rm -f ${DESTDIR}${mandir}/man5/named.conf.5
+-	rm -f ${DESTDIR}${mandir}/man8/lwresd.8
+-	rm -f ${DESTDIR}${mandir}/man8/named.8
+-	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
+ 
+ @DLZ_DRIVER_RULES@
+ 
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index 3166368..890574f 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -48,7 +48,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+ 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ 		@DST_OPENSSL_INC@
+ 
+-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
++CDEFINES =      @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
+ 
+ CWARNINGS =
+ 
+diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
+index a058c91..d4b689a 100644
+--- a/bin/pkcs11/Makefile.in
++++ b/bin/pkcs11/Makefile.in
+@@ -15,13 +15,13 @@ top_srcdir =	@top_srcdir@
+ 
+ @BIND9_MAKE_INCLUDES@
+ 
+-CINCLUDES =	${ISC_INCLUDES}
++CINCLUDES =	${ISC_PKCS11_INCLUDES}
+ 
+ CDEFINES =
+ 
+-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
++ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ 
+-ISCDEPLIBS =	../../lib/isc/libisc.@A@
++ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ 
+ DEPLIBS =	${ISCDEPLIBS}
+ 
+diff --git a/configure.ac b/configure.ac
+index 9b7d778..59ba20b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
+ AC_SUBST(DST_GSSAPI_INC)
+ AC_SUBST(DNS_GSSAPI_LIBS)
+ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
+ 
+ #
+ # Applications linking with libdns also need to link with these libraries.
+ #
+ 
+ AC_SUBST(DNS_CRYPTO_LIBS)
++AC_SUBST(DNS_CRYPTO_PK11_LIBS)
+ 
+ #
+ # was --with-randomdev specified?
+@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
+ AC_MSG_CHECKING(for OpenSSL library)
+ OPENSSL_WARNING=
+ openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
+-if test "yes" = "$want_native_pkcs11"
+-then
+-	use_openssl="native_pkcs11"
+-	AC_MSG_RESULT(use of native PKCS11 instead)
+-fi
++# if test "yes" = "$want_native_pkcs11"
++# then
++# 	use_openssl="native_pkcs11"
++# 	AC_MSG_RESULT(use of native PKCS11 instead)
++# fi
+ 
+ if test "auto" = "$use_openssl"
+ then
+@@ -1511,6 +1513,7 @@ then
+ 		fi
+ 	done
+ fi
++CRYPTO_PK11=""
+ OPENSSL_ECDSA=""
+ OPENSSL_GOST=""
+ OPENSSL_ED25519=""
+@@ -1532,11 +1535,10 @@ case "$with_gost" in
+ 		;;
+ esac
+ 
+-case "$use_openssl" in
+-	native_pkcs11)
+-		AC_MSG_RESULT(disabled because of native PKCS11)
++if test "$want_native_pkcs11" = "yes"
++then
+ 		DST_OPENSSL_INC=""
+-		CRYPTO="-DPKCS11CRYPTO"
++		CRYPTO_PK11="-DPKCS11CRYPTO"
+ 		CRYPTOLIB="pkcs11"
+ 		OPENSSLECDSALINKOBJS=""
+ 		OPENSSLECDSALINKSRCS=""
+@@ -1546,7 +1548,9 @@ case "$use_openssl" in
+ 		OPENSSLGOSTLINKSRCS=""
+ 		OPENSSLLINKOBJS=""
+ 		OPENSSLLINKSRCS=""
+-		;;
++fi
++
++case "$use_openssl" in
+ 	no)
+ 		AC_MSG_RESULT(no)
+ 		DST_OPENSSL_INC=""
+@@ -1578,7 +1582,7 @@ case "$use_openssl" in
+ If you do not want OpenSSL, use --without-openssl])
+ 		;;
+ 	*)
+-		if test "yes" = "$want_native_pkcs11"
++		if false # test "yes" = "$want_native_pkcs11"
+ 		then
+ 			AC_MSG_RESULT()
+ 			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
+@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
+ AC_SUBST(OPENSSL_GOST)
+ 
+ DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
+ 
+ ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
+ if test "yes" = "$with_aes"
+@@ -2291,6 +2296,7 @@ esac
+ AC_SUBST(PKCS11LINKOBJS)
+ AC_SUBST(PKCS11LINKSRCS)
+ AC_SUBST(CRYPTO)
++AC_SUBST(CRYPTO_PK11)
+ AC_SUBST(PKCS11_ECDSA)
+ AC_SUBST(PKCS11_GOST)
+ AC_SUBST(PKCS11_ED25519)
+@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
+ 	bin/delv/Makefile
+ 	bin/dig/Makefile
+ 	bin/dnssec/Makefile
++	bin/dnssec-pkcs11/Makefile	
+ 	bin/named/Makefile
+ 	bin/named/unix/Makefile
++	bin/named-pkcs11/Makefile
++	bin/named-pkcs11/unix/Makefile
+ 	bin/nsupdate/Makefile
+ 	bin/pkcs11/Makefile
+ 	bin/python/Makefile
+@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
+ 	lib/dns/include/dns/Makefile
+ 	lib/dns/include/dst/Makefile
+ 	lib/dns/tests/Makefile
++	lib/dns-pkcs11/Makefile
++	lib/dns-pkcs11/include/Makefile
++	lib/dns-pkcs11/include/dns/Makefile
++	lib/dns-pkcs11/include/dst/Makefile
+ 	lib/irs/Makefile
+ 	lib/irs/include/Makefile
+ 	lib/irs/include/irs/Makefile
+@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
+ 	lib/isc/unix/include/Makefile
+ 	lib/isc/unix/include/isc/Makefile
+ 	lib/isc/unix/include/pkcs11/Makefile
++	lib/isc-pkcs11/$arch/Makefile
++	lib/isc-pkcs11/$arch/include/Makefile
++	lib/isc-pkcs11/$arch/include/isc/Makefile
++	lib/isc-pkcs11/$thread_dir/Makefile
++	lib/isc-pkcs11/$thread_dir/include/Makefile
++	lib/isc-pkcs11/$thread_dir/include/isc/Makefile
++	lib/isc-pkcs11/Makefile
++	lib/isc-pkcs11/include/Makefile
++	lib/isc-pkcs11/include/isc/Makefile
++	lib/isc-pkcs11/include/isc/platform.h
++	lib/isc-pkcs11/include/pk11/Makefile
++	lib/isc-pkcs11/include/pkcs11/Makefile
++	lib/isc-pkcs11/tests/Makefile
++	lib/isc-pkcs11/nls/Makefile
++	lib/isc-pkcs11/unix/Makefile
++	lib/isc-pkcs11/unix/include/Makefile
++	lib/isc-pkcs11/unix/include/isc/Makefile
++	lib/isc-pkcs11/unix/include/pkcs11/Makefile
+ 	lib/isccc/Makefile
+ 	lib/isccc/include/Makefile
+ 	lib/isccc/include/isccc/Makefile
+diff --git a/lib/Makefile.in b/lib/Makefile.in
+index 81270a0..bcb5312 100644
+--- a/lib/Makefile.in
++++ b/lib/Makefile.in
+@@ -15,7 +15,7 @@ top_srcdir =	@top_srcdir@
+ # Attempt to disable parallel processing.
+ .NOTPARALLEL:
+ .NO_PARALLEL:
+-SUBDIRS =	isc isccc dns isccfg bind9 lwres irs samples
++SUBDIRS =	isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
+ TARGETS =
+ 
+ @BIND9_MAKE_RULES@
+diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
+index 7f09bd6..c388d9e 100644
+--- a/lib/dns-pkcs11/Makefile.in
++++ b/lib/dns-pkcs11/Makefile.in
+@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
+ 
+ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+ 
+-CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+-		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
+-		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
++CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
++		${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ 
+-CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
++CDEFINES =	-DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+ 
+ CWARNINGS =
+ 
+-ISCLIBS =	../../lib/isc/libisc.@A@
++ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ 
+-ISCDEPLIBS =	../../lib/isc/libisc.@A@
++ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ 
+ LIBS =		${MAXMINDDB_LIBS} @LIBS@
+ 
+@@ -150,15 +149,15 @@ version.@O@: version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libdns.@SA@: ${OBJS}
++libdns-pkcs11.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libdns.la: ${OBJS}
++libdns-pkcs11.la: ${OBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+-		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
++		${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
+ 
+ include: gen
+ 	${MAKE} include/dns/enumtype.h
+@@ -189,22 +188,22 @@ gen: gen.c
+ 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
+ 	${BUILD_LIBS} ${LFS_LIBS}
+ 
+-timestamp: include libdns.@A@
++timestamp: include libdns-pkcs11.@A@
+ 	touch timestamp
+ 
+-testdirs: libdns.@A@
++testdirs: libdns-pkcs11.@A@
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
+ 
+ uninstall::
+-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
++	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
+ 
+ clean distclean::
+-	rm -f libdns.@A@ timestamp
++	rm -f libdns-pkcs11.@A@ timestamp
+ 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ 	rm -f include/dns/rdatastruct.h
+ 	rm -f dnstap.pb-c.c dnstap.pb-c.h
+diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
+index 8ad54bb..a3ecdfb 100644
+--- a/lib/isc-pkcs11/Makefile.in
++++ b/lib/isc-pkcs11/Makefile.in
+@@ -23,8 +23,8 @@ CINCLUDES =	-I${srcdir}/unix/include \
+ 		-I${srcdir}/@ISC_THREAD_DIR@/include \
+ 		-I${srcdir}/@ISC_ARCH_DIR@/include \
+ 		-I./include \
+-		-I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
+-CDEFINES =	@CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
++		-I${srcdir}/include ${DNS_PKCS11_INCLUDES}
++CDEFINES =	@CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ CWARNINGS =
+ 
+ # Alphabetically
+@@ -103,40 +103,40 @@ version.@O@: version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
++libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
+ 	${RANLIB} $@
+ 
+-libisc-nosymtbl.@SA@: ${OBJS}
++libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libisc.la: ${OBJS} ${SYMTBLOBJS}
++libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${SYMTBLOBJS} ${LIBS}
+ 
+-libisc-nosymtbl.la: ${OBJS}
++libisc-pkcs11-nosymtbl.la: ${OBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${LIBS}
+ 
+-timestamp: libisc.@A@ libisc-nosymtbl.@A@
++timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
+ 	touch timestamp
+ 
+-testdirs: libisc.@A@ libisc-nosymtbl.@A@
++testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
+ 
+ uninstall::
+-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
++	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
+ 
+ clean distclean::
+-	rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
+-	libisc-nosymtbl.la timestamp
++	rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
++	libisc-pkcs11-nosymtbl.la timestamp
+diff --git a/make/includes.in b/make/includes.in
+index fa86ad1..3cfbe9f 100644
+--- a/make/includes.in
++++ b/make/includes.in
+@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+ 
+ TEST_INCLUDES = \
+ 	-I${top_srcdir}/lib/tests/include
++
++ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
++	-I${top_srcdir}/lib/isc-pkcs11 \
++	-I${top_srcdir}/lib/isc-pkcs11/include \
++	-I${top_srcdir}/lib/isc-pkcs11/unix/include \
++	-I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
++	-I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
++
++DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
++	-I${top_srcdir}/lib/dns-pkcs11/include

SOURCES/bind-9.10-sdb.patch

@@ -0,0 +1,310 @@
+diff --git a/bin/Makefile.in b/bin/Makefile.in
+index ce7a2da..4e6a824 100644
+--- a/bin/Makefile.in
++++ b/bin/Makefile.in
+@@ -11,8 +11,8 @@ srcdir =	@srcdir@
+ VPATH =		@srcdir@
+ top_srcdir =	@top_srcdir@
+ 
+-SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+-		check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
++SUBDIRS =	named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
++		check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
+ TARGETS =
+ 
+ @BIND9_MAKE_RULES@
+diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
+index 03a72d5..4c1cb6d 100644
+--- a/bin/named-sdb/Makefile.in
++++ b/bin/named-sdb/Makefile.in
+@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
+ #
+ # Add database drivers here.
+ #
+-DBDRIVER_OBJS =
+-DBDRIVER_SRCS =
++DBDRIVER_OBJS =	ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
++DBDRIVER_SRCS =	ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
+ DBDRIVER_INCLUDES =
+-DBDRIVER_LIBS =
++DBDRIVER_LIBS =	-lldap -llber -lsqlite3 -lpq
+ 
+ DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+ 
+@@ -80,7 +80,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 
+ SUBDIRS =	unix
+ 
+-TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
++TARGETS =	named-sdb@EXEEXT@
+ 
+ GEOIPLINKOBJS = geoip.@O@
+ GEOIP2LINKOBJS = geoip.@O@
+@@ -154,7 +154,7 @@ server.@O@: server.c
+ 		-DPRODUCT=\"${PRODUCT}\" \
+ 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
+ 
+-named@EXEEXT@: ${OBJS} ${DEPLIBS}
++named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
+ 	export MAKE_SYMTABLE="yes"; \
+ 	export BASEOBJS="${OBJS} ${UOBJS}"; \
+ 	${FINALBUILDCMD}
+@@ -181,8 +181,6 @@ statschannel.@O@: bind9.xsl.h
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
+-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+ 
+ install-man5: named.conf.5
+ 	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
+@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
+ 
+ install-man: install-man5 install-man8
+ 
+-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+-	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
++install:: ${TARGETS} installdirs
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
+ 
+ uninstall::
+-	rm -f ${DESTDIR}${mandir}/man5/named.conf.5
+-	rm -f ${DESTDIR}${mandir}/man8/lwresd.8
+-	rm -f ${DESTDIR}${mandir}/man8/named.8
+-	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
++	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
+ 
+ @DLZ_DRIVER_RULES@
+ 
+diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
+index 108b8d6..a943421 100644
+--- a/bin/named-sdb/main.c
++++ b/bin/named-sdb/main.c
+@@ -93,6 +93,10 @@
+  * Include header files for database drivers here.
+  */
+ /* #include "xxdb.h" */
++#include "ldapdb.h"
++#include "pgsqldb.h"
++#include "sqlitedb.h"
++#include "dirdb.h"
+ 
+ #ifdef CONTRIB_DLZ
+ /*
+@@ -1069,6 +1073,11 @@ setup(void) {
+ 		ns_main_earlyfatal("isc_app_start() failed: %s",
+ 				   isc_result_totext(result));
+ 
++	ldapdb_clear();
++	pgsqldb_clear();
++	dirdb_clear();
++	sqlitedb_clear();
++
+ 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ 		      ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
+ 		      ns_g_product, ns_g_version,
+@@ -1269,6 +1278,75 @@ setup(void) {
+ 				   isc_result_totext(result));
+ #endif
+ 
++        result = ldapdb_init();
++        if (result != ISC_R_SUCCESS)
++        {
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB ldap module initialisation failed: %s.",
++                          isc_result_totext(result)
++                );
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB ldap zone database will be unavailable."
++                );
++        }else
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
++                         );
++
++        result = pgsqldb_init();
++        if (result != ISC_R_SUCCESS)
++        {
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB pgsql module initialisation failed: %s.",
++                          isc_result_totext(result)
++                );
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB pgsql zone database will be unavailable."
++                );
++        }else
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
++                         );
++
++        result = sqlitedb_init();
++        if (result != ISC_R_SUCCESS)
++        {
++             isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB sqlite3 module initialisation failed: %s.",
++                          isc_result_totext(result)
++                );
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB sqlite3 zone database will be unavailable."
++                );
++        }else
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
++                         );
++
++        result = dirdb_init();
++        if (result != ISC_R_SUCCESS)
++        {
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB directory DB module initialisation failed: %s.",
++                          isc_result_totext(result)
++                );
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_ERROR, 
++                          "SDB directory DB zone database will be unavailable."
++                );
++        }else
++            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
++                          ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
++                         );
++
++
+ 	ns_server_create(ns_g_mctx, &ns_g_server);
+ 
+ #ifdef HAVE_LIBSECCOMP
+@@ -1311,6 +1389,11 @@ cleanup(void) {
+ 
+ 	dns_name_destroy();
+ 
++	ldapdb_clear();
++	pgsqldb_clear();
++	sqlitedb_clear();
++	dirdb_clear();
++
+ 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ 		      ISC_LOG_NOTICE, "exiting");
+ 	ns_log_shutdown();
+diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
+index 03a72d5..47cc046 100644
+--- a/bin/named/Makefile.in
++++ b/bin/named/Makefile.in
+@@ -45,10 +45,10 @@ DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+ 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+-		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
++		${MAXMINDDB_CFLAGS} \
+ 		@DST_OPENSSL_INC@
+ 
+-CDEFINES =      @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
++CDEFINES =      @USE_GSSAPI@ @CRYPTO@
+ 
+ CWARNINGS =
+ 
+@@ -72,11 +72,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ 
+ LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
++		@LIBS@
+ 
+ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
++		@LIBS@
+ 
+ SUBDIRS =	unix
+ 
+@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
+ 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
+ 		zoneconf.@O@ \
+ 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
+-		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
+-		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
++		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
+ 
+ UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
+ 
+@@ -113,8 +112,7 @@ SRCS =		builtin.c client.c config.c control.c \
+ 		tkeyconf.c tsigconf.c update.c xfrout.c \
+ 		zoneconf.c \
+ 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
+-		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
+-		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
++		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
+ 
+ MANPAGES =	named.8 lwresd.8 named.conf.5
+ 
+@@ -203,7 +201,5 @@ uninstall::
+ 	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
+ 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ 
+-@DLZ_DRIVER_RULES@
+-
+ named-symtbl.@O@: named-symtbl.c
+ 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
+diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
+index c7e0868..95ab742 100644
+--- a/bin/sdb_tools/Makefile.in
++++ b/bin/sdb_tools/Makefile.in
+@@ -32,11 +32,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+ 
+-TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@
++TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+ 
+-OBJS	=	zone2ldap.@O@ zonetodb.@O@
++OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+ 
+-SRCS    =       zone2ldap.c zonetodb.c
++SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c
+ 
+ MANPAGES =      zone2ldap.1
+ 
+@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
+ zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+ 
++zone2sqlite@EXEEXT@: zone2sqlite.@O@  ${DEPLIBS}
++	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
++
+ clean distclean manclean maintainer-clean::
+ 	rm -f ${TARGETS} ${OBJS}
+ 
+@@ -60,4 +63,5 @@ installdirs:
+ install:: ${TARGETS} installdirs
+ 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
+ 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
+diff --git a/configure.ac b/configure.ac
+index eff9f05..d05ad1f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
+ 	bin/named/unix/Makefile
+ 	bin/named-pkcs11/Makefile
+ 	bin/named-pkcs11/unix/Makefile
++	bin/named-sdb/Makefile
++	bin/named-sdb/unix/Makefile
+ 	bin/nsupdate/Makefile
+ 	bin/pkcs11/Makefile
+ 	bin/python/Makefile
+@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
+ 	bin/python/isc/tests/dnskey_test.py
+ 	bin/python/isc/tests/policy_test.py
+ 	bin/rndc/Makefile
++	bin/sdb_tools/Makefile
+ 	bin/tests/Makefile
+ 	bin/tests/headerdep_test.sh
+ 	bin/tests/optional/Makefile

SOURCES/bind-9.10-use-of-strlcat.patch

@@ -0,0 +1,18 @@
+diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
+index d56bc56..99c3314 100644
+--- a/bin/sdb_tools/zone2ldap.c
++++ b/bin/sdb_tools/zone2ldap.c
+@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+     }
+ 
+ 
+-      strlcat (dn, tmp, sizeof (dn));
++      strncat (dn, tmp, sizeof (dn) - strlen (dn));
+     }
+ 
+   sprintf (tmp, "dc=%s", dc_list[0]);
+-  strlcat (dn, tmp, sizeof (dn));
++  strncat (dn, tmp, sizeof (dn) - strlen (dn));
+ 
+ 	    fflush(NULL);
+   return dn;

SOURCES/bind-9.11-CVE-2020-8616-test.patch

@@ -0,0 +1,292 @@
+From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
+From: Stephen Morris <stephen@isc.org>
+Date: Thu, 5 Mar 2020 18:46:46 +0000
+Subject: [PATCH] Add test for reduction in number of fetches
+
+Add a system test that counts how many address fetches are made
+for different numbers of NS records and checks that the number
+are successfully limited.
+
+(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
+---
+ bin/tests/system/resolver/clean.sh          |  4 +-
+ bin/tests/system/resolver/ns4/named.conf.in |  5 ++
+ bin/tests/system/resolver/ns4/root.db       |  4 +
+ bin/tests/system/resolver/ns4/sourcens.db   | 89 +++++++++++++++++++++
+ bin/tests/system/resolver/ns5/named.conf.in |  9 ++-
+ bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
+ bin/tests/system/resolver/ns6/targetns.db   | 23 ++++++
+ bin/tests/system/resolver/tests.sh          | 34 ++++++++
+ 8 files changed, 180 insertions(+), 3 deletions(-)
+ create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
+ create mode 100644 bin/tests/system/resolver/ns6/targetns.db
+
+diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
+index 4dfde1f3e7..b3e4bc0b5d 100644
+--- a/bin/tests/system/resolver/clean.sh
++++ b/bin/tests/system/resolver/clean.sh
+@@ -17,8 +17,7 @@ rm -f */named.memstats
+ rm -f */named.run
+ rm -f */ans.run
+ rm -f */*.jdb
+-rm -f dig.out dig.out.*
+-rm -f dig.*.out.*
++rm -f dig.out dig.out.* dig.*.out.*
+ rm -f dig.*.foo.*
+ rm -f dig.*.bar.*
+ rm -f dig.*.prime.*
+@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
+ rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
+ rm -f ns6/dsset-ds.example.net*
+ rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
++rm -f ns6/named.stats*
+ rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
+ rm -f ns7/server.db ns7/server.db.jnl
+ rm -f resolve.out.*.test*
+diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
+index c679dc3151..56fe5d0dd8 100644
+--- a/bin/tests/system/resolver/ns4/named.conf.in
++++ b/bin/tests/system/resolver/ns4/named.conf.in
+@@ -50,6 +50,11 @@ zone "broken" {
+ 	file "broken.db";
+ };
+ 
++zone "sourcens" {
++    type master;
++    file "sourcens.db";
++};
++
+ key rndc_key {
+ 	secret "1234abcd8765";
+ 	algorithm hmac-sha256;
+diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
+index 721765d1be..ae541340da 100644
+--- a/bin/tests/system/resolver/ns4/root.db
++++ b/bin/tests/system/resolver/ns4/root.db
+@@ -24,3 +24,7 @@ example.net.		NS	ns.example.net.
+ ns.example.net.		A	10.53.0.6
+ no-questions.		NS	ns.no-questions.
+ ns.no-questions.	A	10.53.0.8
++sourcens.		NS	ns.sourcens.
++ns.sourcens.		A	10.53.0.4
++targetns. 		NS	ns.targetns.
++ns.targetns.		A	10.53.0.6
+diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
+new file mode 100644
+index 0000000000..b02cc6e835
+--- /dev/null
++++ b/bin/tests/system/resolver/ns4/sourcens.db
+@@ -0,0 +1,89 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++; This zone contains a set of delegations with varying numbers of NS
++; records.  This is used to check that BIND is limiting the number of
++; NS records it follows when resolving a delegation.  It tests all
++; numbers of NS records up to twice the number followed.
++
++$TTL 60
++@ 			IN SOA	marka.isc.org. ns.server. (
++				2010   	; serial
++				600         	; refresh
++				600         	; retry
++				1200    	; expire
++				600       	; minimum
++				)
++@			NS	ns
++ns			A	10.53.0.4
++
++target1  		NS	ns.fake11.targetns.
++
++target2  		NS	ns.fake21.targetns.
++			NS	ns.fake22.targetns.
++
++target3  		NS	ns.fake31.targetns.
++			NS	ns.fake32.targetns.
++			NS	ns.fake33.targetns.
++
++target4  		NS	ns.fake41.targetns.
++			NS	ns.fake42.targetns.
++			NS	ns.fake43.targetns.
++			NS	ns.fake44.targetns.
++
++target5  		NS	ns.fake51.targetns.
++			NS	ns.fake52.targetns.
++			NS	ns.fake53.targetns.
++			NS	ns.fake54.targetns.
++			NS	ns.fake55.targetns.
++
++target6  		NS	ns.fake61.targetns.
++			NS	ns.fake62.targetns.
++			NS	ns.fake63.targetns.
++			NS	ns.fake64.targetns.
++			NS	ns.fake65.targetns.
++			NS	ns.fake66.targetns.
++
++target7  		NS	ns.fake71.targetns.
++			NS	ns.fake72.targetns.
++			NS	ns.fake73.targetns.
++			NS	ns.fake74.targetns.
++			NS	ns.fake75.targetns.
++			NS	ns.fake76.targetns.
++			NS	ns.fake77.targetns.
++
++target8  		NS	ns.fake81.targetns.
++			NS	ns.fake82.targetns.
++			NS	ns.fake83.targetns.
++			NS	ns.fake84.targetns.
++			NS	ns.fake85.targetns.
++			NS	ns.fake86.targetns.
++			NS	ns.fake87.targetns.
++			NS	ns.fake88.targetns.
++
++target9  		NS	ns.fake91.targetns.
++			NS	ns.fake92.targetns.
++			NS	ns.fake93.targetns.
++			NS	ns.fake94.targetns.
++			NS	ns.fake95.targetns.
++			NS	ns.fake96.targetns.
++			NS	ns.fake97.targetns.
++			NS	ns.fake98.targetns.
++			NS	ns.fake99.targetns.
++
++target10  		NS	ns.fake101.targetns.
++			NS	ns.fake102.targetns.
++			NS	ns.fake103.targetns.
++			NS	ns.fake104.targetns.
++			NS	ns.fake105.targetns.
++			NS	ns.fake106.targetns.
++			NS	ns.fake107.targetns.
++			NS	ns.fake108.targetns.
++			NS	ns.fake109.targetns.
++			NS	ns.fake1010.targetns.
+diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
+index 07205c9938..90818e4556 100644
+--- a/bin/tests/system/resolver/ns5/named.conf.in
++++ b/bin/tests/system/resolver/ns5/named.conf.in
+@@ -46,4 +46,11 @@ zone "delegation-only" {
+        type delegation-only;
+ };
+ 
+-include "trusted.conf";
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
+diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
+index 7df48558b8..4b01f9ba14 100644
+--- a/bin/tests/system/resolver/ns6/named.conf.in
++++ b/bin/tests/system/resolver/ns6/named.conf.in
+@@ -22,6 +22,7 @@ options {
+ 	recursion no;
+ 	// minimal-responses yes;
+ 	querylog yes;
++	statistics-file "named.stats";
+ 	/*
+ 	 * test that named loads with root-delegation-only that
+ 	 * has a exclude list.
+@@ -67,3 +68,17 @@ zone "delegation-only" {
+ 	type master;
+ 	file "delegation-only.db";
+ };
++
++zone "targetns" {
++	type master;
++	file "targetns.db";
++};
++
++key rndc_key {
++	secret "1234abcd8765";
++	algorithm hmac-sha256;
++};
++
++controls {
++	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
++};
+diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
+new file mode 100644
+index 0000000000..036e64580b
+--- /dev/null
++++ b/bin/tests/system/resolver/ns6/targetns.db
+@@ -0,0 +1,23 @@
++; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++;
++; See the COPYRIGHT file distributed with this work for additional
++; information regarding copyright ownership.
++
++; In the test for checking how many NS records BIND will follow, this
++; zone marks the server as the one to which the NS lookups will be
++; directed.
++
++$TTL 300
++@ 			IN SOA	marka.isc.org. ns.server. (
++				2010   	; serial
++				600         	; refresh
++				600         	; retry
++				1200    	; expire
++				600       	; minimum
++				)
++			NS	ns
++ns			A	10.53.0.6
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index 12d2819e30..178ba4d79b 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
+     status=`expr $status + $ret`
+ fi
+ 
++n=`expr $n + 1`
++echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
++# ns5 is the recusor being tested.  ns4 holds the sourcens zone containing names with varying numbers of NS
++# records pointing to non-existent nameservers in the targetns zone on ns6.
++ret=0
++$RNDCCMD 10.53.0.5 flush || ret=1   # Ensure cache is empty before doing this test
++for nscount in 1 2 3 4 5 6 7 8 9 10
++do
++        # Verify number of NS records at source server
++        $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
++        sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
++        test $sourcerecs -eq $nscount || ret=1
++        test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
++        # Expected queries = 2 * number of NS records, up to a maximum of 10.
++        expected=`expr 2 \* $nscount`
++        if [ $expected -gt 10 ]; then expected=10; fi
++        # Work out the queries made by checking statistics on the target before and after the test
++        $RNDCCMD 10.53.0.6 stats || ret=1
++        initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
++        mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
++        $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
++        $RNDCCMD 10.53.0.6 stats || ret=1
++        final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
++        mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
++        # Check number of queries during the test is as expected
++        actual=`expr $final_count - $initial_count`
++        if [ $actual -ne $expected ]; then
++                echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
++                ret=1
++        fi
++done
++if [ $ret != 0 ]; then echo_i "failed"; fi
++status=`expr $status + $ret`
++
+ n=`expr $n + 1`
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+-- 
+2.21.1
+

SOURCES/bind-9.11-CVE-2020-8617-test.patch

@@ -0,0 +1,78 @@
+From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 25 Mar 2020 17:44:51 +1100
+Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
+ request
+
+(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
+---
+ bin/tests/system/tsig/badtime  | 37 ++++++++++++++++++++++++++++++++++
+ bin/tests/system/tsig/tests.sh |  9 +++++++++
+ 2 files changed, 46 insertions(+)
+ create mode 100644 bin/tests/system/tsig/badtime
+
+diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
+new file mode 100644
+index 0000000000..7926404cfb
+--- /dev/null
++++ b/bin/tests/system/tsig/badtime
+@@ -0,0 +1,37 @@
++# Transaction ID
++1122
++# Standard query
++0000
++# Questions: 1, Additional: 1
++0001 0000 0000 0001
++# QNAME: isc.org
++03 69 73 63 03 6F 72 67 00
++# Type: A (Host Address)
++0001
++# Class: IN
++0001
++# Specially crafted TSIG Resource Record
++# Name: "sha256"
++06 73 68 61 32 35 36 00
++# Type: TSIG (Transaction Signature)
++00fa
++# Class: ANY
++00ff
++# TTL: 0
++00000000
++# RdLen: 29
++001d
++# Algorithm Name: hmac-sha256
++0b 68 6D 61 63 2D 73 68 61 32 35 36 00
++# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
++00 00 00 00 00 00
++# Fudge: 300
++012c
++# MAC Size: 0; MAC: empty
++0000
++# Original ID: 0
++0000
++# Error: BADSIG
++0010
++# Other Data Length: 0
++0000
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index cade35bc1d..284aea1056 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
+ 	echo "I: failed"; status=1
+ fi
+ 
++echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
++ret=0
++$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
++$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
++grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
++if [ $ret -eq 1 ] ; then
++    echo_i "failed"; status=1
++fi
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.21.1
+

SOURCES/bind-9.11-dhcp-time-monotonic.patch

@@ -0,0 +1,171 @@
+diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
+index 0389efa..149cde5 100644
+--- a/lib/isc/include/isc/result.h
++++ b/lib/isc/include/isc/result.h
+@@ -89,7 +89,8 @@
+ #define ISC_R_DISCFULL			67	/*%< disc full */
+ #define ISC_R_DEFAULT			68	/*%< default */
+ #define ISC_R_IPV4PREFIX		69	/*%< IPv4 prefix */
+-#define ISC_R_NRESULTS 			70
++#define ISC_R_TIMESHIFTED               70      /*%< system time changed */
++#define ISC_R_NRESULTS 			71
+ 
+ ISC_LANG_BEGINDECLS
+ 
+diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
+index 973c348..cceeb5e 100644
+--- a/lib/isc/include/isc/util.h
++++ b/lib/isc/include/isc/util.h
+@@ -289,6 +289,10 @@ extern void mock_assert(const int result, const char* const expression,
+  * Time
+  */
+ #define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
++#ifdef CLOCK_BOOTTIME
++#define TIME_MONOTONIC(tp) 	RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
++#endif
++
+ 
+ /*%
+  * Alignment
+diff --git a/lib/isc/result.c b/lib/isc/result.c
+index a9db132..f33fc6b 100644
+--- a/lib/isc/result.c
++++ b/lib/isc/result.c
+@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
+ 	"disc full",				/*%< 67 */
+ 	"default",				/*%< 68 */
+ 	"IPv4 prefix",				/*%< 69 */
++	"time changed",                         /*%< 70 */
+ };
+ 
+ static const char *identifier[ISC_R_NRESULTS] = {
+@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
+ 	"ISC_R_DISCFULL",
+ 	"ISC_R_DEFAULT",
+ 	"ISC_R_IPV4PREFIX",
++	"ISC_R_TIMESHIFTED",
+ };
+ 
+ #define ISC_RESULT_RESULTSET			2
+diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
+index a6e9882..286fe95 100644
+--- a/lib/isc/unix/app.c
++++ b/lib/isc/unix/app.c
+@@ -442,15 +442,47 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
+ static isc_result_t
+ evloop(isc__appctx_t *ctx) {
+ 	isc_result_t result;
++        isc_time_t now;
++#ifdef CLOCK_BOOTTIME
++        isc_time_t monotonic;
++        isc_uint64_t diff  = 0;
++#else
++        isc_time_t prev;
++        TIME_NOW(&prev);
++#endif
+ 
+ 	while (!ctx->want_shutdown) {
+ 		int n;
+-		isc_time_t when, now;
++		isc_time_t when;
+ 		struct timeval tv, *tvp;
+ 		isc_socketwait_t *swait;
+ 		bool readytasks;
+ 		bool call_timer_dispatch = false;
+ 
++                uint64_t us; 
++
++#ifdef CLOCK_BOOTTIME
++                // TBD macros for following three lines
++                TIME_NOW(&now);
++                TIME_MONOTONIC(&monotonic);
++                INSIST(now.seconds > monotonic.seconds)
++                us = isc_time_microdiff (&now, &monotonic);
++                if (us < diff){
++                  us = diff - us;
++                  if (us > 1000000){ // ignoring shifts less than one second
++                    return ISC_R_TIMESHIFTED;
++                  };
++                  diff = isc_time_microdiff (&now, &monotonic);
++                } else {
++                  diff = isc_time_microdiff (&now, &monotonic);
++                  // not implemented
++                }
++#else
++                TIME_NOW(&now);
++                if (isc_time_compare (&now, &prev) < 0)
++                  return ISC_R_TIMESHIFTED;
++                TIME_NOW(&prev);
++#endif
+ 		/*
+ 		 * Check the reload (or suspend) case first for exiting the
+ 		 * loop as fast as possible in case:
+@@ -475,7 +507,6 @@ evloop(isc__appctx_t *ctx) {
+ 			if (result != ISC_R_SUCCESS)
+ 				tvp = NULL;
+ 			else {
+-				uint64_t us;
+ 
+ 				TIME_NOW(&now);
+ 				us = isc_time_microdiff(&when, &now);
+diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
+index b864c29..5dd43c9 100644
+--- a/lib/isc/unix/include/isc/time.h
++++ b/lib/isc/unix/include/isc/time.h
+@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
+  *\li	't' is a valid pointer.
+  */
+ 
++#ifdef CLOCK_BOOTTIME
++isc_result_t
++isc_time_boottime(isc_time_t *t);
++/*%<
++ * Set 't' to monotonic time from previous boot
++ * it's not affected by system time change. It also
++ * includes the time system was suspended
++ *
++ * Requires:
++ *\li	't' is a valid pointer.
++ *
++ * Returns:
++ *
++ *\li	Success
++ *\li	Unexpected error
++ *		Getting the time from the system failed.
++ */
++#endif /* CLOCK_BOOTTIME */
++ 
++
+ isc_result_t
+ isc_time_now(isc_time_t *t);
+ /*%<
+diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
+index 8edc9df..fe0bb91 100644
+--- a/lib/isc/unix/time.c
++++ b/lib/isc/unix/time.c
+@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
+ 			 t->nanoseconds / NS_PER_MS);
+ 	}
+ }
++
++
++#ifdef CLOCK_BOOTTIME
++isc_result_t
++isc_time_boottime(isc_time_t *t) {
++  struct timespec ts;
++  
++  char strbuf[ISC_STRERRORSIZE];
++
++  if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
++    isc__strerror(errno, strbuf, sizeof(strbuf));
++    UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
++    return (ISC_R_UNEXPECTED);    
++  }
++
++  t->seconds = ts.tv_sec;
++  t->nanoseconds = ts.tv_nsec;
++
++  return (ISC_R_SUCCESS);
++  
++};
++#endif