import bind-9.11.36-3.el8

CentOS Sources 2022-05-10 03:19:40 -04:00 committed by Stepan Oksanichenko
parent 0f18d3fb97
commit d8d371d1e8
12 changed files with 226 additions and 286 deletions


@ -1,2 +1,2 @@
14064c865920842e48f444be2bda9dc91770e439 SOURCES/bind-9.11.26.tar.gz 4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/bind-9.11.26.tar.gz SOURCES/bind-9.11.36.tar.gz
SOURCES/random.data SOURCES/random.data


@ -143,7 +143,7 @@ index 390aa0c..851a008 100644
CWARNINGS = CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 3166368..a403941 100644 index 277a0f5..52a6375 100644
--- a/bin/named-pkcs11/Makefile.in --- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ @@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
@ -260,7 +260,7 @@ index 3166368..a403941 100644
@DLZ_DRIVER_RULES@ @DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 3166368..890574f 100644 index 277a0f5..0e00885 100644
--- a/bin/named/Makefile.in --- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in +++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ @@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@ -294,10 +294,10 @@ index 2c19e7e..8223d5e 100644
DEPLIBS = ${ISCDEPLIBS} DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index c6715b4..8144268 100644 index 83cad4a..e1e1a32 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -1176,12 +1176,14 @@ AC_SUBST(USE_GSSAPI) @@ -1178,12 +1178,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS) AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -312,7 +312,7 @@ index c6715b4..8144268 100644
# #
# was --with-randomdev specified? # was --with-randomdev specified?
@@ -1554,12 +1556,12 @@ AC_ARG_ENABLE(openssl-hash, @@ -1556,12 +1558,12 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library) AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING= OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw" openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
@ -331,7 +331,7 @@ index c6715b4..8144268 100644
if test "auto" = "$use_openssl" if test "auto" = "$use_openssl"
then then
@@ -1572,6 +1574,7 @@ then @@ -1574,6 +1576,7 @@ then
fi fi
done done
fi fi
@ -339,7 +339,7 @@ index c6715b4..8144268 100644
OPENSSL_ECDSA="" OPENSSL_ECDSA=""
OPENSSL_GOST="" OPENSSL_GOST=""
OPENSSL_ED25519="" OPENSSL_ED25519=""
@@ -1593,11 +1596,10 @@ case "$with_gost" in @@ -1595,11 +1598,10 @@ case "$with_gost" in
;; ;;
esac esac
@ -354,7 +354,7 @@ index c6715b4..8144268 100644
CRYPTOLIB="pkcs11" CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
@@ -1607,7 +1609,9 @@ case "$use_openssl" in @@ -1609,7 +1611,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS="" OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS="" OPENSSLLINKOBJS=""
OPENSSLLINKSRCS="" OPENSSLLINKSRCS=""
@ -365,7 +365,7 @@ index c6715b4..8144268 100644
no) no)
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
@@ -1639,7 +1643,7 @@ case "$use_openssl" in @@ -1641,7 +1645,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl]) If you do not want OpenSSL, use --without-openssl])
;; ;;
*) *)
@ -374,7 +374,7 @@ index c6715b4..8144268 100644
then then
AC_MSG_RESULT() AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2067,6 +2071,7 @@ AC_SUBST(OPENSSL_ED25519) @@ -2077,6 +2081,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST) AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -382,7 +382,7 @@ index c6715b4..8144268 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes" if test "yes" = "$with_aes"
@@ -2353,6 +2358,7 @@ esac @@ -2363,6 +2368,7 @@ esac
AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS) AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO) AC_SUBST(CRYPTO)
@ -390,7 +390,7 @@ index c6715b4..8144268 100644
AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519) AC_SUBST(PKCS11_ED25519)
@@ -5501,8 +5507,11 @@ AC_CONFIG_FILES([ @@ -5491,8 +5497,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile bin/delv/Makefile
bin/dig/Makefile bin/dig/Makefile
bin/dnssec/Makefile bin/dnssec/Makefile
@ -402,7 +402,7 @@ index c6715b4..8144268 100644
bin/nsupdate/Makefile bin/nsupdate/Makefile
bin/pkcs11/Makefile bin/pkcs11/Makefile
bin/python/Makefile bin/python/Makefile
@@ -5575,6 +5584,10 @@ AC_CONFIG_FILES([ @@ -5565,6 +5574,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile lib/dns/include/dst/Makefile
lib/dns/tests/Makefile lib/dns/tests/Makefile
@ -413,7 +413,7 @@ index c6715b4..8144268 100644
lib/irs/Makefile lib/irs/Makefile
lib/irs/include/Makefile lib/irs/include/Makefile
lib/irs/include/irs/Makefile lib/irs/include/irs/Makefile
@@ -5599,6 +5612,24 @@ AC_CONFIG_FILES([ @@ -5589,6 +5602,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile lib/isc/unix/include/pkcs11/Makefile
@ -452,21 +452,21 @@ index f089bea..3ed939b 100644
@BIND9_MAKE_RULES@ @BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 8fc4e94..5eefb14 100644 index 1d0f5df..98c9ba0 100644
--- a/lib/dns-pkcs11/Makefile.in --- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@ @@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ @BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \ - ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} -CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} +CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS = CWARNINGS =
@ -478,7 +478,7 @@ index 8fc4e94..5eefb14 100644
LIBS = ${MAXMINDDB_LIBS} @LIBS@ LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -150,15 +149,15 @@ version.@O@: version.c @@ -148,15 +148,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \ -DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c -c ${srcdir}/version.c
@ -498,7 +498,7 @@ index 8fc4e94..5eefb14 100644
include: gen include: gen
${MAKE} include/dns/enumtype.h ${MAKE} include/dns/enumtype.h
@@ -189,22 +188,22 @@ gen: gen.c @@ -187,22 +187,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS} ${BUILD_LIBS} ${LFS_LIBS}


@ -1,27 +0,0 @@
From 9f331a945071365ccc0cfba24241c4af6919af30 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 15 Feb 2021 12:18:14 +0100
Subject: [PATCH] CVE-2020-8625
5562. [security] Fix off-by-one bug in ISC SPNEGO implementation.
(CVE-2020-8625) [GL #2354]
---
lib/dns/spnego.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index dea108b..13cf15d 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -877,7 +877,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
return (ASN1_OVERRUN);
}
- data->components = malloc(len * sizeof(*data->components));
+ data->components = malloc((len + 1) * sizeof(*data->components));
if (data->components == NULL) {
return (ENOMEM);
}
--
2.26.2


@ -1,44 +0,0 @@
From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 3 Feb 2021 11:10:20 +1100
Subject: [PATCH] Check SOA owner names in zone transfers
An IXFR containing SOA records with owner names different than the
transferred zone's origin can result in named serving a version of that
zone without an SOA record at the apex. This causes a RUNTIME_CHECK
assertion failure the next time such a zone is refreshed. Fix by
immediately rejecting a zone transfer (either an incremental or
non-incremental one) upon detecting an SOA record not placed at the apex
of the transferred zone.
---
lib/dns/xfrin.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 3a3f407289..0ba82e4974 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
dns_rdatatype_ismeta(rdata->type))
FAIL(DNS_R_FORMERR);
+ /*
+ * Immediately reject the entire transfer if the RR that is currently
+ * being processed is an SOA record that is not placed at the zone
+ * apex.
+ */
+ if (rdata->type == dns_rdatatype_soa &&
+ !dns_name_equal(&xfr->name, name)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+ namebuf);
+ FAIL(DNS_R_NOTZONETOP);
+ }
+
redo:
switch (xfr->state) {
case XFRST_SOAQUERY:
--
2.26.3


@ -1,40 +0,0 @@
From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Apr 2021 10:56:12 +0200
Subject: [PATCH 2/2] CVE-2021-25215
5616. [security] named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query. (CVE-2021-25215) [GL #2540]
---
bin/named/query.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/bin/named/query.c b/bin/named/query.c
index a95f5ad..11a888e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
if (noqname != NULL)
query_addnoqnameproof(client, noqname);
/*
- * We shouldn't ever fail to add 'rdataset'
- * because it's already in the answer.
+ * 'rdataset' will only be non-NULL here if the ANSWER section
+ * of the message to be sent to the client already contains an
+ * RRset with the same owner name and the same type as
+ * 'rdataset'. This should never happen, with one exception:
+ * when chasing DNAME records, one of the DNAME records placed
+ * in the ANSWER section may turn out to be the final answer to
+ * the client's query, but we have no way of knowing that until
+ * now. In such a case, 'rdataset' will be freed later, so we
+ * do not need to free it here.
*/
- INSIST(rdataset == NULL);
+ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
}
addauth:
--
2.26.3


@ -1,4 +1,4 @@
From 14ad3e0b42bc999072d30268396412bec158a22d Mon Sep 17 00:00:00 2001 From 1dc81c51cd5c70b783aab8b6156aec4cfedd6fe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200 Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes Subject: [PATCH] FIPS tests changes
@ -96,12 +96,14 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/rndc/setup.sh | 2 +- bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 23 ++++--- bin/tests/system/rndc/tests.sh | 23 ++++---
bin/tests/system/tsig/ns1/named.conf.in | 10 +-- bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
bin/tests/system/tsig/setup.sh | 5 ++ bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 65 +++++++++++------- bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
bin/tests/system/tsiggss/setup.sh | 2 +- bin/tests/system/tsiggss/setup.sh | 2 +-
bin/tests/system/upforwd/ns1/named.conf.in | 2 +- bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +- bin/tests/system/upforwd/tests.sh | 2 +-
43 files changed, 220 insertions(+), 170 deletions(-) 44 files changed, 230 insertions(+), 170 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 9999ada..e3f8d0e 100644 index 9999ada..e3f8d0e 100644
@ -598,10 +600,10 @@ index b66207a..359b220 100644
; TTL of 3 weeks ; TTL of 3 weeks
weeks 1814400 A 10.53.0.2 weeks 1814400 A 10.53.0.2
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 2109001..ded5557 100644 index a3ebc31..0d9b9b8 100644
--- a/bin/tests/system/digdelv/tests.sh --- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh
@@ -155,7 +155,7 @@ if [ -x "$DIG" ] ; then @@ -173,7 +173,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +rrcomments works for DNSKEY($n)" echo_i "checking dig +rrcomments works for DNSKEY($n)"
ret=0 ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -610,7 +612,7 @@ index 2109001..ded5557 100644
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1 check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -164,7 +164,7 @@ if [ -x "$DIG" ] ; then @@ -182,7 +182,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)" echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
ret=0 ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -619,7 +621,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -172,7 +172,7 @@ if [ -x "$DIG" ] ; then @@ -190,7 +190,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +nosplit works($n)" echo_i "checking dig +short +nosplit works($n)"
ret=0 ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1 $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -628,7 +630,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -180,7 +180,7 @@ if [ -x "$DIG" ] ; then @@ -198,7 +198,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)" echo_i "checking dig +short +rrcomments works($n)"
ret=0 ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -637,7 +639,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -197,7 +197,7 @@ if [ -x "$DIG" ] ; then @@ -215,7 +215,7 @@ if [ -x "$DIG" ] ; then
echo_i "checking dig +short +rrcomments works($n)" echo_i "checking dig +short +rrcomments works($n)"
ret=0 ret=0
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
@ -646,7 +648,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -827,7 +827,7 @@ if [ -x ${DELV} ] ; then @@ -846,7 +846,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +rrcomments works for DNSKEY($n)" echo_i "checking delv +rrcomments works for DNSKEY($n)"
ret=0 ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -655,7 +657,7 @@ index 2109001..ded5557 100644
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1 check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -836,7 +836,7 @@ if [ -x ${DELV} ] ; then @@ -855,7 +855,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)" echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
ret=0 ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -664,7 +666,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -844,7 +844,7 @@ if [ -x ${DELV} ] ; then @@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +rrcomments works ($n)" echo_i "checking delv +short +rrcomments works ($n)"
ret=0 ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -673,7 +675,7 @@ index 2109001..ded5557 100644
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -852,7 +852,7 @@ if [ -x ${DELV} ] ; then @@ -871,7 +871,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit works ($n)" echo_i "checking delv +short +nosplit works ($n)"
ret=0 ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -682,7 +684,7 @@ index 2109001..ded5557 100644
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
f=`awk '{print NF}' < delv.out.test$n` f=`awk '{print NF}' < delv.out.test$n`
test "${f:-0}" -eq 14 || ret=1 test "${f:-0}" -eq 14 || ret=1
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then @@ -882,7 +882,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking delv +short +nosplit +norrcomments works ($n)" echo_i "checking delv +short +nosplit +norrcomments works ($n)"
ret=0 ret=0
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
@ -909,7 +911,7 @@ index ba39f90..f20a2dd 100755
cat $infile $keyname1.key $keyname2.key >$zonefile cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index e28b3f1..29c169b 100644 index d401823..139c7ad 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh --- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -126,8 +126,8 @@ zone=in-addr.arpa. @@ -126,8 +126,8 @@ zone=in-addr.arpa.
@ -953,10 +955,10 @@ index 75cf699..b4d848c 100644
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV"; + "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
}; };
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 3e8e4d5..da692f9 100644 index 30f7fc5..2f34b6d 100644
--- a/bin/tests/system/dnssec/tests.sh --- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh
@@ -3257,8 +3257,8 @@ do @@ -3281,8 +3281,8 @@ do
alg=`expr $alg + 1` alg=`expr $alg + 1`
continue;; continue;;
3) size="-b 512";; 3) size="-b 512";;
@ -1112,10 +1114,10 @@ index e6e2382..b0a94e0 100644
}; };
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 6fbf1d7..a712b17 100644 index 2b3b154..8240c42 100644
--- a/bin/tests/system/nsupdate/setup.sh --- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh
@@ -53,7 +53,12 @@ EOF @@ -68,7 +68,12 @@ EOF
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
@ -1130,10 +1132,10 @@ index 6fbf1d7..a712b17 100644
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 6b2c8f6..96ad95e 100755 index 60cf7ee..f8994ff 100755
--- a/bin/tests/system/nsupdate/tests.sh --- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh
@@ -788,7 +788,14 @@ fi @@ -804,7 +804,14 @@ fi
n=`expr $n + 1` n=`expr $n + 1`
ret=0 ret=0
echo_i "check TSIG key algorithms ($n)" echo_i "check TSIG key algorithms ($n)"
@ -1149,7 +1151,7 @@ index 6b2c8f6..96ad95e 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT} server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3 update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -796,7 +803,7 @@ send @@ -812,7 +819,7 @@ send
END END
done done
sleep 2 sleep 2
@ -1233,6 +1235,22 @@ index 4905ffd..958d9fb 100644
key "sha1-trunc" { key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index f42aa79..bfcf4a6 100644 index f42aa79..bfcf4a6 100644
--- a/bin/tests/system/tsig/setup.sh --- a/bin/tests/system/tsig/setup.sh
@ -1247,7 +1265,7 @@ index f42aa79..bfcf4a6 100644
+ cat ns1/rndc5.conf.in >> ns1/named.conf + cat ns1/rndc5.conf.in >> ns1/named.conf
+fi +fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index ed41e1d..98c542e 100644 index e0c2903..327fa50 100644
--- a/bin/tests/system/tsig/tests.sh --- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
@ -1375,5 +1393,5 @@ index 1cf8d3b..f4c3216 100644
update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo update add updated.example. 600 TXT Foo
-- --
2.26.2 2.31.1
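Review bot: The fixture added at `bin/tests/system/tsig/ns1/rndc5.conf.in` carries `key` clauses that `tsig/setup.sh` appends to `ns1/named.conf` (`cat ns1/rndc5.conf.in >> ns1/named.conf`), yet its header comment says only "Conditionally included when support for MD5 is available" and its name suggests an rndc configuration. The test that guards the append sits in the collapsed part of the setup.sh hunk, so it cannot be confirmed from this page; the comment should name that test and say where the keys end up, e.g. `# Appended to ns1/named.conf by setup.sh when the MD5 check there passes; test-only keys.` The `md5` and `md5-trunc` keys share one secret, which is acceptable for a fixture but is worth marking as test-only so the value is never copied into a real configuration.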


@ -1,38 +0,0 @@
From 4757898440d52b0adbf7ec7ee7f0f89b61aac0fb Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 18 Dec 2020 13:31:07 +1100
Subject: [PATCH] Inactive incorrectly incremented
It is possible to have two threads destroying an rbtdb at the same
time when detachnode() executes and removes the last reference to
a node between exiting being set to true for the node and testing
if the references are zero in maybe_free_rbtdb(). Move NODE_UNLOCK()
to after checking if references is zero to prevent detachnode()
changing the reference count too early.
(cherry picked from commit 859d2fdad6d1c6ff20083a4c463a929cbeb26438)
(cherry picked from commit 25150c15e7cfa73289f04470e2e699ebb7c28fef)
---
lib/dns/rbtdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 8ea4d47..77ef7a4 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1460,11 +1460,11 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
for (i = 0; i < rbtdb->node_lock_count; i++) {
NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
rbtdb->node_locks[i].exiting = true;
- NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
if (isc_refcount_current(&rbtdb->node_locks[i].references)
== 0) {
inactive++;
}
+ NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
}
if (inactive != 0) {
--
2.26.3


@ -1,4 +1,4 @@
From 63d1fe9e1ac0db37f89cf31b40c35d6d22578ded Mon Sep 17 00:00:00 2001 From 346683631ae0f83ad4f09a69cfa5e5c6ea49e5d9 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org> From: Evan Hunt <each@isc.org>
Date: Tue, 12 Sep 2017 19:05:46 -0700 Date: Tue, 12 Sep 2017 19:05:46 -0700
Subject: [PATCH] rebased rt31459c Subject: [PATCH] rebased rt31459c
@ -199,10 +199,10 @@ index f017895..2c568fc 100644
if (verbose > 10) if (verbose > 10)
isc_mem_stats(mctx, stdout); isc_mem_stats(mctx, stdout);
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index dde1b2f..7308fc6 100644 index a097ac8..6567421 100644
--- a/bin/dnssec/dnssec-signzone.c --- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c
@@ -3465,14 +3465,15 @@ main(int argc, char *argv[]) { @@ -3472,14 +3472,15 @@ main(int argc, char *argv[]) {
if (!pseudorandom) if (!pseudorandom)
eflags |= ISC_ENTROPY_GOODONLY; eflags |= ISC_ENTROPY_GOODONLY;
@ -222,7 +222,7 @@ index dde1b2f..7308fc6 100644
isc_stdtime_get(&now); isc_stdtime_get(&now);
if (startstr != NULL) { if (startstr != NULL) {
@@ -3884,8 +3885,8 @@ main(int argc, char *argv[]) { @@ -3896,8 +3897,8 @@ main(int argc, char *argv[]) {
dns_master_styledestroy(&dsstyle, mctx); dns_master_styledestroy(&dsstyle, mctx);
cleanup_logging(&log); cleanup_logging(&log);
@ -293,7 +293,7 @@ index 7f045e8..2a0f9c6 100644
usekeyboard); usekeyboard);
diff --git a/bin/named/server.c b/bin/named/server.c diff --git a/bin/named/server.c b/bin/named/server.c
index 30d38be..b2ae57c 100644 index 9826588..b3e3fc3 100644
--- a/bin/named/server.c --- a/bin/named/server.c
+++ b/bin/named/server.c +++ b/bin/named/server.c
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
@ -304,7 +304,7 @@ index 30d38be..b2ae57c 100644
#include <isc/portset.h> #include <isc/portset.h>
#include <isc/print.h> #include <isc/print.h>
#include <isc/random.h> #include <isc/random.h>
@@ -8286,6 +8287,10 @@ load_configuration(const char *filename, ns_server_t *server, @@ -8291,6 +8292,10 @@ load_configuration(const char *filename, ns_server_t *server,
"no source of entropy found"); "no source of entropy found");
} else { } else {
const char *randomdev = cfg_obj_asstring(obj); const char *randomdev = cfg_obj_asstring(obj);
@ -315,7 +315,7 @@ index 30d38be..b2ae57c 100644
int level = ISC_LOG_ERROR; int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy, result = isc_entropy_createfilesource(ns_g_entropy,
randomdev); randomdev);
@@ -8320,6 +8325,7 @@ load_configuration(const char *filename, ns_server_t *server, @@ -8325,6 +8330,7 @@ load_configuration(const char *filename, ns_server_t *server,
} }
isc_entropy_detach(&ns_g_fallbackentropy); isc_entropy_detach(&ns_g_fallbackentropy);
} }
@ -324,10 +324,10 @@ index 30d38be..b2ae57c 100644
} }
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 5a2c660..7f15cbc 100644 index 52b0274..23b69c9 100644
--- a/bin/nsupdate/nsupdate.c --- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c
@@ -278,7 +278,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -279,7 +279,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
if (*ectx == NULL) { if (*ectx == NULL) {
result = isc_entropy_create(mctx, ectx); result = isc_entropy_create(mctx, ectx);
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
@ -337,7 +337,7 @@ index 5a2c660..7f15cbc 100644
ISC_LIST_INIT(sources); ISC_LIST_INIT(sources);
} }
@@ -287,6 +288,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -288,6 +289,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
randomfile = NULL; randomfile = NULL;
} }
@ -351,7 +351,7 @@ index 5a2c660..7f15cbc 100644
result = isc_entropy_usebestsource(*ectx, &source, randomfile, result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard); usekeyboard);
@@ -989,11 +997,11 @@ setup_system(void) { @@ -990,11 +998,11 @@ setup_system(void) {
} }
} }
@ -561,10 +561,10 @@ index 34360aa..3236968 100644
isc_mem_destroy(&mctx); isc_mem_destroy(&mctx);
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 4b5b901..43fb6b0 100644 index a3dd450..350723f 100644
--- a/bin/tests/system/tkey/keydelete.c --- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) { @@ -137,6 +137,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
int int
main(int argc, char **argv) { main(int argc, char **argv) {
char *keyname; char *keyname;
@ -572,7 +572,7 @@ index 4b5b901..43fb6b0 100644
isc_taskmgr_t *taskmgr; isc_taskmgr_t *taskmgr;
isc_timermgr_t *timermgr; isc_timermgr_t *timermgr;
isc_socketmgr_t *socketmgr; isc_socketmgr_t *socketmgr;
@@ -156,10 +157,21 @@ main(int argc, char **argv) { @@ -157,10 +158,21 @@ main(int argc, char **argv) {
RUNCHECK(isc_app_start()); RUNCHECK(isc_app_start());
@ -594,7 +594,7 @@ index 4b5b901..43fb6b0 100644
keyname = argv[1]; keyname = argv[1];
dns_result_register(); dns_result_register();
@@ -169,14 +181,22 @@ main(int argc, char **argv) { @@ -170,14 +182,22 @@ main(int argc, char **argv) {
ectx = NULL; ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx)); RUNCHECK(isc_entropy_create(mctx, &ectx));
@ -619,7 +619,7 @@ index 4b5b901..43fb6b0 100644
taskmgr = NULL; taskmgr = NULL;
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr)); RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
@@ -264,8 +284,8 @@ main(int argc, char **argv) { @@ -265,8 +285,8 @@ main(int argc, char **argv) {
isc_log_destroy(&log); isc_log_destroy(&log);
@ -688,7 +688,7 @@ index 26fa609..fb34aa0 100644
parse_args(false, argc, argv); parse_args(false, argc, argv);
if (server == NULL) if (server == NULL)
diff --git a/configure b/configure diff --git a/configure b/configure
index 0faca65..d5ffc87 100755 index 368112f..e060e9d 100755
--- a/configure --- a/configure
+++ b/configure +++ b/configure
@@ -640,6 +640,7 @@ ac_includes_default="\ @@ -640,6 +640,7 @@ ac_includes_default="\
@ -699,7 +699,7 @@ index 0faca65..d5ffc87 100755
BUILD_LIBS BUILD_LIBS
BUILD_LDFLAGS BUILD_LDFLAGS
BUILD_CPPFLAGS BUILD_CPPFLAGS
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS @@ -822,6 +823,7 @@ LIBXML2_CFLAGS
NZDTARGETS NZDTARGETS
NZDSRCS NZDSRCS
NZD_TOOLS NZD_TOOLS
@ -707,7 +707,7 @@ index 0faca65..d5ffc87 100755
PKCS11_TEST PKCS11_TEST
PKCS11_ED25519 PKCS11_ED25519
PKCS11_GOST PKCS11_GOST
@@ -1047,6 +1049,7 @@ with_eddsa @@ -1046,6 +1048,7 @@ with_eddsa
with_aes with_aes
enable_openssl_hash enable_openssl_hash
with_cc_alg with_cc_alg
@ -715,7 +715,7 @@ index 0faca65..d5ffc87 100755
with_lmdb with_lmdb
with_libxml2 with_libxml2
with_libjson with_libjson
@@ -1749,6 +1752,7 @@ Optional Features: @@ -1747,6 +1750,7 @@ Optional Features:
--enable-threads enable multithreading --enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no] --enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no] --enable-openssl-hash use OpenSSL for hash functions [default=no]
@ -723,7 +723,7 @@ index 0faca65..d5ffc87 100755
--enable-largefile 64-bit file support --enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes] --enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace --enable-symtable use internal symbol table for backtrace
@@ -17205,6 +17209,7 @@ case "$use_openssl" in @@ -17204,6 +17208,7 @@ case "$use_openssl" in
$as_echo "disabled because of native PKCS11" >&6; } $as_echo "disabled because of native PKCS11" >&6; }
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO" CRYPTO="-DPKCS11CRYPTO"
@ -731,7 +731,7 @@ index 0faca65..d5ffc87 100755
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKOBJS=""
@@ -17219,6 +17224,7 @@ $as_echo "disabled because of native PKCS11" >&6; } @@ -17218,6 +17223,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
$as_echo "no" >&6; } $as_echo "no" >&6; }
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
CRYPTO="" CRYPTO=""
@ -739,7 +739,7 @@ index 0faca65..d5ffc87 100755
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKOBJS=""
@@ -17231,6 +17237,7 @@ $as_echo "no" >&6; } @@ -17230,6 +17236,7 @@ $as_echo "no" >&6; }
auto) auto)
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
CRYPTO="" CRYPTO=""
@ -747,7 +747,7 @@ index 0faca65..d5ffc87 100755
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKOBJS=""
@@ -17240,7 +17247,7 @@ $as_echo "no" >&6; } @@ -17239,7 +17246,7 @@ $as_echo "no" >&6; }
OPENSSLLINKOBJS="" OPENSSLLINKOBJS=""
OPENSSLLINKSRCS="" OPENSSLLINKSRCS=""
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -756,7 +756,7 @@ index 0faca65..d5ffc87 100755
;; ;;
*) *)
if test "yes" = "$want_native_pkcs11" if test "yes" = "$want_native_pkcs11"
@@ -17271,6 +17278,7 @@ $as_echo "not found" >&6; } @@ -17270,6 +17277,7 @@ $as_echo "not found" >&6; }
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
fi fi
CRYPTO='-DOPENSSL' CRYPTO='-DOPENSSL'
@ -764,7 +764,7 @@ index 0faca65..d5ffc87 100755
if test "/usr" = "$use_openssl" if test "/usr" = "$use_openssl"
then then
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
@@ -17897,8 +17905,6 @@ fi @@ -17904,8 +17912,6 @@ fi
# Use OpenSSL for hash functions # Use OpenSSL for hash functions
# #
@ -773,7 +773,7 @@ index 0faca65..d5ffc87 100755
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in case $want_openssl_hash in
yes) yes)
@@ -18273,6 +18279,86 @@ if test "rt" = "$have_clock_gt"; then @@ -18280,6 +18286,86 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS" LIBS="-lrt $LIBS"
fi fi
@ -860,7 +860,7 @@ index 0faca65..d5ffc87 100755
# #
# was --with-lmdb specified? # was --with-lmdb specified?
# #
@@ -20549,9 +20635,12 @@ _ACEOF @@ -20556,9 +20642,12 @@ _ACEOF
if ac_fn_c_try_compile "$LINENO"; then : if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
$as_echo "size_t for buflen; int for flags" >&6; } $as_echo "size_t for buflen; int for flags" >&6; }
@ -875,7 +875,7 @@ index 0faca65..d5ffc87 100755
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
@@ -21877,12 +21966,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" @@ -21856,12 +21945,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then if test "yes" = "$use_atomic"; then
@ -889,7 +889,7 @@ index 0faca65..d5ffc87 100755
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
# This bug is HP SR number 8606223364. # This bug is HP SR number 8606223364.
@@ -21915,6 +21999,11 @@ cat >>confdefs.h <<_ACEOF @@ -21894,6 +21978,11 @@ cat >>confdefs.h <<_ACEOF
_ACEOF _ACEOF
@ -901,7 +901,7 @@ index 0faca65..d5ffc87 100755
if test $ac_cv_sizeof_void_p = 8; then if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64 arch=x86_64
have_xaddq=yes have_xaddq=yes
@@ -21923,39 +22012,6 @@ _ACEOF @@ -21902,39 +21991,6 @@ _ACEOF
fi fi
;; ;;
x86_64-*|amd64-*) x86_64-*|amd64-*)
@ -941,7 +941,7 @@ index 0faca65..d5ffc87 100755
if test $ac_cv_sizeof_void_p = 8; then if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64 arch=x86_64
have_xaddq=yes have_xaddq=yes
@@ -21986,6 +22042,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; } @@ -21965,6 +22021,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
$as_echo "$arch" >&6; } $as_echo "$arch" >&6; }
fi fi
@ -952,7 +952,7 @@ index 0faca65..d5ffc87 100755
if test "yes" = "$have_atomic"; then if test "yes" = "$have_atomic"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
$as_echo_n "checking compiler support for inline assembly code... " >&6; } $as_echo_n "checking compiler support for inline assembly code... " >&6; }
@@ -24567,6 +24627,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS" @@ -24547,6 +24607,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
# #
dlzdir='${DLZ_DRIVER_DIR}' dlzdir='${DLZ_DRIVER_DIR}'
@ -983,7 +983,7 @@ index 0faca65..d5ffc87 100755
# #
# Private autoconf macro to simplify configuring drivers: # Private autoconf macro to simplify configuring drivers:
# #
@@ -24897,11 +24981,11 @@ $as_echo "no" >&6; } @@ -24877,11 +24961,11 @@ $as_echo "no" >&6; }
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; } $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
;; ;;
*) *)
@ -998,7 +998,7 @@ index 0faca65..d5ffc87 100755
fi fi
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL" CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
@@ -24986,7 +25070,7 @@ $as_echo "" >&6; } @@ -24966,7 +25050,7 @@ $as_echo "" >&6; }
# Check other locations for includes. # Check other locations for includes.
# Order is important (sigh). # Order is important (sigh).
@ -1007,7 +1007,7 @@ index 0faca65..d5ffc87 100755
# include a blank element first # include a blank element first
for d in "" $bdb_incdirs for d in "" $bdb_incdirs
do do
@@ -25011,57 +25095,9 @@ $as_echo "" >&6; } @@ -24991,57 +25075,9 @@ $as_echo "" >&6; }
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames for d in $bdb_libnames
do do
@ -1067,7 +1067,7 @@ index 0faca65..d5ffc87 100755
break break
fi fi
done done
@@ -25220,10 +25256,10 @@ $as_echo "no" >&6; } @@ -25200,10 +25236,10 @@ $as_echo "no" >&6; }
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include" DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include" DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
fi fi
@ -1081,7 +1081,7 @@ index 0faca65..d5ffc87 100755
fi fi
@@ -25309,11 +25345,11 @@ fi @@ -25289,11 +25325,11 @@ fi
odbcdirs="/usr /usr/local /usr/pkg" odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs for d in $odbcdirs
do do
@ -1095,7 +1095,7 @@ index 0faca65..d5ffc87 100755
break break
fi fi
done done
@@ -25588,6 +25624,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" @@ -25568,6 +25604,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
@ -1104,7 +1104,7 @@ index 0faca65..d5ffc87 100755
# #
# Commands to run at the end of config.status. # Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody # Don't just put these into configure, it won't work right if somebody
@@ -27966,6 +28004,8 @@ report() { @@ -27946,6 +27984,8 @@ report() {
echo " IPv6 support (--enable-ipv6)" echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)" echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1113,7 +1113,7 @@ index 0faca65..d5ffc87 100755
test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -28006,6 +28046,8 @@ report() { @@ -27986,6 +28026,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)" echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@ -1122,7 +1122,7 @@ index 0faca65..d5ffc87 100755
echo " Dynamically loadable zone (DLZ) drivers:" echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \ test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)" echo " Berkeley DB (--with-dlz-bdb)"
@@ -28053,6 +28095,8 @@ report() { @@ -28033,6 +28075,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)" echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)" echo " EDDSA algorithm support (--with-eddsa)"
@ -1132,10 +1132,10 @@ index 0faca65..d5ffc87 100755
test "yes" = "$enable_seccomp" || \ test "yes" = "$enable_seccomp" || \
echo " Use libseccomp system call filtering (--enable-seccomp)" echo " Use libseccomp system call filtering (--enable-seccomp)"
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 78535bd..faef2e8 100644 index 11f41e8..fdcfc62 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -1598,6 +1598,7 @@ case "$use_openssl" in @@ -1600,6 +1600,7 @@ case "$use_openssl" in
AC_MSG_RESULT(disabled because of native PKCS11) AC_MSG_RESULT(disabled because of native PKCS11)
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
CRYPTO="-DPKCS11CRYPTO" CRYPTO="-DPKCS11CRYPTO"
@ -1143,7 +1143,7 @@ index 78535bd..faef2e8 100644
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKOBJS=""
@@ -1611,6 +1612,7 @@ case "$use_openssl" in @@ -1613,6 +1614,7 @@ case "$use_openssl" in
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
CRYPTO="" CRYPTO=""
@ -1151,7 +1151,7 @@ index 78535bd..faef2e8 100644
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKOBJS=""
@@ -1623,6 +1625,7 @@ case "$use_openssl" in @@ -1625,6 +1627,7 @@ case "$use_openssl" in
auto) auto)
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
CRYPTO="" CRYPTO=""
@ -1159,7 +1159,7 @@ index 78535bd..faef2e8 100644
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
OPENSSLEDDSALINKOBJS="" OPENSSLEDDSALINKOBJS=""
@@ -1633,7 +1636,7 @@ case "$use_openssl" in @@ -1635,7 +1638,7 @@ case "$use_openssl" in
OPENSSLLINKSRCS="" OPENSSLLINKSRCS=""
AC_MSG_ERROR( AC_MSG_ERROR(
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@ -1168,7 +1168,7 @@ index 78535bd..faef2e8 100644
;; ;;
*) *)
if test "yes" = "$want_native_pkcs11" if test "yes" = "$want_native_pkcs11"
@@ -1663,6 +1666,7 @@ If you don't want OpenSSL, use --without-openssl]) @@ -1665,6 +1668,7 @@ If you don't want OpenSSL, use --without-openssl])
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
fi fi
CRYPTO='-DOPENSSL' CRYPTO='-DOPENSSL'
@ -1176,7 +1176,7 @@ index 78535bd..faef2e8 100644
if test "/usr" = "$use_openssl" if test "/usr" = "$use_openssl"
then then
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
@@ -2099,7 +2103,6 @@ fi @@ -2109,7 +2113,6 @@ fi
# Use OpenSSL for hash functions # Use OpenSSL for hash functions
# #
@ -1184,7 +1184,7 @@ index 78535bd..faef2e8 100644
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
case $want_openssl_hash in case $want_openssl_hash in
yes) yes)
@@ -2371,6 +2374,67 @@ if test "rt" = "$have_clock_gt"; then @@ -2381,6 +2384,67 @@ if test "rt" = "$have_clock_gt"; then
LIBS="-lrt $LIBS" LIBS="-lrt $LIBS"
fi fi
@ -1252,7 +1252,7 @@ index 78535bd..faef2e8 100644
# #
# was --with-lmdb specified? # was --with-lmdb specified?
# #
@@ -4188,12 +4252,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM" @@ -4174,12 +4238,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM" ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM" ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
if test "yes" = "$use_atomic"; then if test "yes" = "$use_atomic"; then
@ -1266,7 +1266,7 @@ index 78535bd..faef2e8 100644
if test $ac_cv_sizeof_void_p = 8; then if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64 arch=x86_64
have_xaddq=yes have_xaddq=yes
@@ -4202,7 +4266,6 @@ if test "yes" = "$use_atomic"; then @@ -4188,7 +4252,6 @@ if test "yes" = "$use_atomic"; then
fi fi
;; ;;
x86_64-*|amd64-*) x86_64-*|amd64-*)
@ -1274,7 +1274,7 @@ index 78535bd..faef2e8 100644
if test $ac_cv_sizeof_void_p = 8; then if test $ac_cv_sizeof_void_p = 8; then
arch=x86_64 arch=x86_64
have_xaddq=yes have_xaddq=yes
@@ -5635,6 +5698,8 @@ report() { @@ -5622,6 +5685,8 @@ report() {
echo " IPv6 support (--enable-ipv6)" echo " IPv6 support (--enable-ipv6)"
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \ test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)" echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
@ -1283,7 +1283,7 @@ index 78535bd..faef2e8 100644
test "X$PYTHON" = "X" || echo " Python tools (--with-python)" test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)" test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)" test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
@@ -5675,6 +5740,8 @@ report() { @@ -5662,6 +5727,8 @@ report() {
echo " Very verbose query trace logging (--enable-querytrace)" echo " Very verbose query trace logging (--enable-querytrace)"
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)" test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
@ -1292,7 +1292,7 @@ index 78535bd..faef2e8 100644
echo " Dynamically loadable zone (DLZ) drivers:" echo " Dynamically loadable zone (DLZ) drivers:"
test "no" = "$use_dlz_bdb" || \ test "no" = "$use_dlz_bdb" || \
echo " Berkeley DB (--with-dlz-bdb)" echo " Berkeley DB (--with-dlz-bdb)"
@@ -5722,6 +5789,8 @@ report() { @@ -5709,6 +5776,8 @@ report() {
echo " ECDSA algorithm support (--with-ecdsa)" echo " ECDSA algorithm support (--with-ecdsa)"
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \ test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
echo " EDDSA algorithm support (--with-eddsa)" echo " EDDSA algorithm support (--with-eddsa)"
@ -2015,7 +2015,7 @@ index 1f785e0..f9051c3 100644
* Define if the hash functions must be provided by OpenSSL. * Define if the hash functions must be provided by OpenSSL.
*/ */
diff --git a/win32utils/Configure b/win32utils/Configure diff --git a/win32utils/Configure b/win32utils/Configure
index 5f66a82..ff39910 100644 index 7ac30fb..55b6c23 100644
--- a/win32utils/Configure --- a/win32utils/Configure
+++ b/win32utils/Configure +++ b/win32utils/Configure
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", @@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
@ -2026,7 +2026,7 @@ index 5f66a82..ff39910 100644
"ISC_PLATFORM_HAVEATOMICSTORE", "ISC_PLATFORM_HAVEATOMICSTORE",
"ISC_PLATFORM_HAVEATOMICSTOREQ", "ISC_PLATFORM_HAVEATOMICSTOREQ",
"ISC_PLATFORM_HAVECMPXCHG", "ISC_PLATFORM_HAVECMPXCHG",
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER"); @@ -516,7 +517,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
# enable-xxx/disable-xxx # enable-xxx/disable-xxx
@ -2035,16 +2035,16 @@ index 5f66a82..ff39910 100644
+ "developer", + "developer",
"fixed-rrset", "fixed-rrset",
"intrinsics", "intrinsics",
"isc-spnego", "native-pkcs11",
@@ -580,6 +582,7 @@ my @help = ( @@ -578,6 +580,7 @@ my @help = (
"\nOptional Features:\n", "\nOptional Features:\n",
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n", " enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n", " enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
+" enable-crypto-rand use crypto provider for random [default=yes]\n", +" enable-crypto-rand use crypto provider for random [default=yes]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n", " enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n", " enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
@@ -628,7 +631,9 @@ my $want_clean = "no"; " enable-fixed-rrset enable fixed rrset ordering [default=no]\n",
@@ -625,7 +628,9 @@ my $want_clean = "no";
my $want_unknown = "no"; my $want_unknown = "no";
my $unknown_value; my $unknown_value;
my $enable_intrinsics = "yes"; my $enable_intrinsics = "yes";
@ -2053,8 +2053,8 @@ index 5f66a82..ff39910 100644
+my $enable_crypto_rand = "yes"; +my $enable_crypto_rand = "yes";
my $enable_openssl_hash = "auto"; my $enable_openssl_hash = "auto";
my $enable_filter_aaaa = "yes"; my $enable_filter_aaaa = "yes";
my $enable_isc_spnego = "yes"; my $enable_fixed_rrset = "no";
@@ -848,6 +853,10 @@ sub myenable { @@ -844,6 +849,10 @@ sub myenable {
if ($val =~ /^yes$/i) { if ($val =~ /^yes$/i) {
$enable_native_pkcs11 = "yes"; $enable_native_pkcs11 = "yes";
} }
@ -2065,7 +2065,7 @@ index 5f66a82..ff39910 100644
} elsif ($key =~ /^openssl-hash$/i) { } elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) { if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes"; $enable_openssl_hash = "yes";
@@ -1154,6 +1163,11 @@ if ($verbose) { @@ -1146,6 +1155,11 @@ if ($verbose) {
} else { } else {
print "native-pkcs11: disabled\n"; print "native-pkcs11: disabled\n";
} }
@ -2077,7 +2077,7 @@ index 5f66a82..ff39910 100644
if ($enable_openssl_hash eq "yes") { if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n"; print "openssl-hash: enabled\n";
} else { } else {
@@ -1511,6 +1525,7 @@ if ($enable_intrinsics eq "yes") { @@ -1498,6 +1512,7 @@ if ($enable_intrinsics eq "yes") {
# enable-native-pkcs11 # enable-native-pkcs11
if ($enable_native_pkcs11 eq "yes") { if ($enable_native_pkcs11 eq "yes") {
@ -2085,7 +2085,7 @@ index 5f66a82..ff39910 100644
if ($use_openssl eq "auto") { if ($use_openssl eq "auto") {
$use_openssl = "no"; $use_openssl = "no";
} }
@@ -1720,6 +1735,7 @@ if ($use_openssl eq "yes") { @@ -1707,6 +1722,7 @@ if ($use_openssl eq "yes") {
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]"); $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
} }
@ -2093,7 +2093,7 @@ index 5f66a82..ff39910 100644
$configcond{"OPENSSL"} = 1; $configcond{"OPENSSL"} = 1;
$configdefd{"CRYPTO"} = "OPENSSL"; $configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path"; $configvar{"OPENSSL_PATH"} = "$openssl_path";
@@ -2291,6 +2307,15 @@ if ($use_aes eq "yes") { @@ -2278,6 +2294,15 @@ if ($use_aes eq "yes") {
} }
@ -2109,7 +2109,7 @@ index 5f66a82..ff39910 100644
# enable-openssl-hash # enable-openssl-hash
if ($enable_openssl_hash eq "yes") { if ($enable_openssl_hash eq "yes") {
if ($use_openssl eq "no") { if ($use_openssl eq "no") {
@@ -3673,6 +3698,7 @@ exit 0; @@ -3650,6 +3675,7 @@ exit 0;
# --enable-developer partially supported # --enable-developer partially supported
# --enable-newstats (9.9/9.9sub only) # --enable-newstats (9.9/9.9sub only)
# --enable-native-pkcs11 supported # --enable-native-pkcs11 supported
@ -2118,5 +2118,5 @@ index 5f66a82..ff39910 100644
# --enable-openssl-hash supported # --enable-openssl-hash supported
# --enable-threads included without a way to disable it # --enable-threads included without a way to disable it
-- --
2.26.2 2.31.1


@ -0,0 +1,58 @@
From 6d6acf236841da5c2511f8afcd3e4a89af4c5658 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Fri, 14 Feb 2020 09:18:48 +0100
Subject: [PATCH] Use RESOLVER_NTASKS_PERCPU - 32 for regular tuning, 8 for
small
Modify original upstream commit 0d80266f7e3, add high limit of used
tasks. Minimum would be lower on machines with few cpus, but maximum
would stay unchanged. Should prevent negatives of this change.
Signed-off-by: Petr Mensik <pemensik@redhat.com>
---
bin/named/server.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 39b1124..94b4daa 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -148,11 +148,13 @@
#endif
#ifdef TUNE_LARGE
-#define RESOLVER_NTASKS 523
+#define RESOLVER_NTASKS_MAX 523
+#define RESOLVER_NTASKS_PERCPU 32
#define UDPBUFFERS 32768
#define EXCLBUFFERS 32768
#else
-#define RESOLVER_NTASKS 31
+#define RESOLVER_NTASKS_MAX 31
+#define RESOLVER_NTASKS_PERCPU 8
#define UDPBUFFERS 1000
#define EXCLBUFFERS 4096
#endif /* TUNE_LARGE */
@@ -3318,7 +3320,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
ns_cache_t *nsc;
bool zero_no_soattl;
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
- unsigned int query_timeout, ndisp;
+ unsigned int query_timeout, ndisp, ntasks;
bool old_rpz_ok = false;
isc_dscp_t dscp4 = -1, dscp6 = -1;
dns_dyndbctx_t *dctx = NULL;
@@ -3926,7 +3928,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_view_setresquerystats(view, resquerystats);
ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
- CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,
+ ntasks = ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus,
+ RESOLVER_NTASKS_MAX);
+ CHECK(dns_view_createresolver(view, ns_g_taskmgr, ntasks,
ndisp, ns_g_socketmgr, ns_g_timermgr,
resopts, ns_g_dispatchmgr,
dispatch4, dispatch6));
--
2.34.1
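Review bot: The new `ntasks` computation in configure_view() is capped from above but has no lower bound, so `ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus, RESOLVER_NTASKS_MAX)` evaluates to 0 if `ns_g_cpus` is ever 0 at this point, and that value goes straight into dns_view_createresolver(). Whether `ns_g_cpus` is guaranteed to be at least 1 here is not visible in these hunks, so I would clamp it explicitly, e.g. `ntasks = ISC_MAX(1U, ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus, RESOLVER_NTASKS_MAX));`. The two new macro pairs also deserve a one-line comment such as `/* resolver tasks: PERCPU per CPU, never more than MAX */`, because the former fixed values 523 and 31 are now only ceilings. configure_view() starts and ends outside the hunks shown.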


@ -18,6 +18,7 @@
/usr/lib/bind /usr/lib/bind
/usr/share/GeoIP /usr/share/GeoIP
/run/named /run/named
/proc/sys/net/ipv4/ip_local_port_range
# Warning: the order is important # Warning: the order is important
# If a directory containing $ROOTDIR is listed here, # If a directory containing $ROOTDIR is listed here,
# it MUST be listed last. (/var/named contains /var/named/chroot) # it MUST be listed last. (/var/named contains /var/named/chroot)
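Review bot: The added `/proc/sys/net/ipv4/ip_local_port_range` entry is the only path in this list that lives under /proc and the only one naming a single file, and nothing in the file says why it is there. A comment directly above it, such as `# propagate the host's ephemeral port range into the chroot (#1950714)`, would record why a kernel interface is exposed inside the chroot. How the listed paths are mounted is not visible in this section; if the setup script bind-mounts them, it is worth confirming that this entry is read-only inside the chroot.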


@ -47,7 +47,7 @@
%endif %endif
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\ %global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\ %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
%{_libdir}/bind %{_datadir}/GeoIP %{_libdir}/bind %{_datadir}/GeoIP %{_datadir}/GeoIP /proc/sys/net/ipv4
## The order of libs is important. See lib/Makefile.in for details ## The order of libs is important. See lib/Makefile.in for details
%define bind_export_libs isc dns isccfg irs %define bind_export_libs isc dns isccfg irs
@ -59,7 +59,7 @@
# #
# lib*.so.X versions of selected libraries # lib*.so.X versions of selected libraries
%global sover_dns 1112 %global sover_dns 1115
%global sover_isc 1107 %global sover_isc 1107
%global sover_irs 161 %global sover_irs 161
%global sover_isccfg 163 %global sover_isccfg 163
@ -67,12 +67,12 @@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind Name: bind
License: MPLv2.0 License: MPLv2.0
Version: 9.11.26 Version: 9.11.36
Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Release: 3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32 Epoch: 32
Url: https://www.isc.org/downloads/bind/ Url: https://www.isc.org/downloads/bind/
# #
Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz Source: https://downloads.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
Source1: named.sysconfig Source1: named.sysconfig
Source3: named.logrotate Source3: named.logrotate
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
@ -154,14 +154,10 @@ Patch174:bind-9.11-fips-disable.patch
Patch175:bind-9.11-json-c.patch Patch175:bind-9.11-json-c.patch
Patch177:bind-9.11-serve-stale.patch Patch177:bind-9.11-serve-stale.patch
Patch178:bind-9.11-dhcp-time-monotonic.patch Patch178:bind-9.11-dhcp-time-monotonic.patch
Patch179:bind-9.11-CVE-2020-8625.patch
Patch180:bind-9.11-CVE-2021-25215.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/dfadbc9d7b485b1af62d77ad6c309792bbaabfdf
Patch181:bind-9.11-CVE-2021-25214.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4533/diffs?commit_id=25150c15e7cfa73289f04470e2e699ebb7c28fef
Patch182:bind-9.11-rh1935152.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253
Patch183:bind-9.11-rh1980757.patch Patch183:bind-9.11-rh1980757.patch
# modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
Patch184: bind-9.15-resolver-ntasks.patch
# SDB patches # SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch Patch11: bind-9.3.2b2-sdbsrc.patch
@ -205,7 +201,7 @@ BuildRequires: libdb-devel
# make unit dependencies # make unit dependencies
BuildRequires: libcmocka-devel kyua BuildRequires: libcmocka-devel kyua
%endif %endif
%if %{with PKCS11} %if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
BuildRequires: softhsm BuildRequires: softhsm
%endif %endif
%if %{with SYSTEMTEST} %if %{with SYSTEMTEST}
@ -253,7 +249,6 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm
%description pkcs11 %description pkcs11
This is a version of BIND server built with native PKCS#11 functionality. This is a version of BIND server built with native PKCS#11 functionality.
@ -556,11 +551,8 @@ are used for building ISC DHCP.
%patch175 -p1 -b .json-c %patch175 -p1 -b .json-c
%patch177 -p1 -b .serve-stale %patch177 -p1 -b .serve-stale
%patch178 -p1 -b .time-monotonic %patch178 -p1 -b .time-monotonic
%patch179 -p1 -b .CVE-2020-8625
%patch180 -p1 -b .CVE-2021-25215
%patch181 -p1 -b .CVE-2021-25214
%patch182 -p1 -b .rh1935152
%patch183 -p1 -b .rh1980757 %patch183 -p1 -b .rh1980757
%patch184 -p1 -b .rh2030239
mkdir lib/dns/tests/testdata/dstrandom mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -576,13 +568,13 @@ find bin lib/lwres/man -name '*.docbook' -exec \
-i '{}' ';' -i '{}' ';'
%if %{with PKCS11} %if %{with PKCS11}
%patch150 -p1 -b .engine-pkcs11
cp -r bin/named{,-pkcs11} cp -r bin/named{,-pkcs11}
cp -r bin/dnssec{,-pkcs11} cp -r bin/dnssec{,-pkcs11}
cp -r lib/isc{,-pkcs11} cp -r lib/isc{,-pkcs11}
cp -r lib/dns{,-pkcs11} cp -r lib/dns{,-pkcs11}
%patch136 -p1 -b .dist_pkcs11 %patch136 -p1 -b .dist_pkcs11
%patch149 -p1 -b .kyua-pkcs11 %patch149 -p1 -b .kyua-pkcs11
%patch150 -p1 -b .engine-pkcs11
%endif %endif
%if %{with SDB} %if %{with SDB}
@ -849,7 +841,7 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
%endif %endif
%check %check
%if %{with PKCS11} %if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
# Tests require initialization of pkcs11 token # Tests require initialization of pkcs11 token
export SOFTHSM2_CONF="`pwd`/softhsm2.conf" export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens" sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
@ -1459,6 +1451,7 @@ rm -rf ${RPM_BUILD_ROOT}
%dir %{chroot_prefix}/%{_libdir} %dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind %dir %{chroot_prefix}/%{_libdir}/bind
%dir %{chroot_prefix}/%{_datadir}/GeoIP %dir %{chroot_prefix}/%{_datadir}/GeoIP
%{chroot_prefix}/proc
%defattr(0660,root,named,01770) %defattr(0660,root,named,01770)
%dir %{chroot_prefix}%{_localstatedir}/named %dir %{chroot_prefix}%{_localstatedir}/named
%defattr(0660,named,named,0770) %defattr(0660,named,named,0770)
@ -1612,6 +1605,25 @@ rm -rf ${RPM_BUILD_ROOT}
%endif %endif
%changelog %changelog
* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
- Reduce memory used per-view on machine with few processors (#2030239)
* Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
- Rebuilt on a new side-tag (#2013993)
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-1
- Update to 9.11.36
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-9
- Correct tsig system test
* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-8
- Propagate ephemeral port ranges to chroot (#1950714)
* Tue Aug 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-7
- Do not request softhsm from bind-pkcs11, it is only in modular build
(#1934035)
* Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6 * Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6
- Use random entropy to generate unique TKEY identifiers (#1980916) - Use random entropy to generate unique TKEY identifiers (#1980916)