.bind.metadata

@@ -1,2 +0,0 @@
-4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz
-a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,2 +1,4 @@
 SOURCES/bind-9.11.36.tar.gz
 SOURCES/random.data
+/bind-9.11.36.tar.gz
+/random.data

bind-9.11-d-max-records-checkconf.patch

@@ -0,0 +1,61 @@
+From 83f283c3aeae99570c9e4c20f10e92ba565fc4be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 7 Oct 2025 16:18:03 +0200
+Subject: [PATCH] Implement settings limits also in named-checkconf
+
+Read and parse max-records-per-type and max-types-per-name options in
+case -z parameter is passed.
+---
+ bin/check/named-checkconf.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
+index e5afd52..42ef76c 100644
+--- a/bin/check/named-checkconf.c
++++ b/bin/check/named-checkconf.c
+@@ -415,6 +415,24 @@ configure_zone(const char *vclass, const char *view,
+ 	return (result);
+ }
+ 
++/* Red Hat 9.11 specific extension. */
++static void
++configure_maxrecords(const cfg_obj_t *voptions)
++{
++	cfg_obj_t *obj;
++	isc_result_t result;
++
++	obj = NULL;
++	result = cfg_map_get(voptions, "max-records-per-type", &obj);
++	if (result == ISC_R_SUCCESS)
++		dns_db_setmaxrrperset(cfg_obj_asuint32(obj));
++
++	obj = NULL;
++	result = cfg_map_get(voptions, "max-types-per-name", &obj);
++	if (result == ISC_R_SUCCESS)
++		dns_db_setmaxtypepername(cfg_obj_asuint32(obj));
++}
++
+ /*% configure a view */
+ static isc_result_t
+ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
+@@ -431,10 +449,15 @@ configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
+ 		voptions = cfg_tuple_get(vconfig, "options");
+ 
+ 	zonelist = NULL;
+-	if (voptions != NULL)
++	if (voptions != NULL) {
+ 		(void)cfg_map_get(voptions, "zone", &zonelist);
+-	else
++		configure_maxrecords(voptions);
++	} else {
+ 		(void)cfg_map_get(config, "zone", &zonelist);
++		tresult = cfg_map_get(config, "options", &voptions);
++		if (tresult == ISC_R_SUCCESS)
++			configure_maxrecords(voptions);
++	}
+ 
+ 	for (element = cfg_list_first(zonelist);
+ 	     element != NULL;
+-- 
+2.51.0
+

bind-9.11-d-max-records-per-type.patch

@@ -0,0 +1,250 @@
+From e0238189d03dc0a6b6092180ba52e74a26816422 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 10 Jul 2025 17:31:35 +0200
+Subject: [PATCH] Minimalistic support for max-records-per-type option
+
+Just propagate the number to rbtdb in addition to environment. Make
+environment preferred of both used, because default configuration value
+would override already changed default.
+
+Allow also 0 value from the environment.
+---
+ bin/named/config.c              |  1 +
+ bin/named/named.conf.docbook    |  1 +
+ bin/named/server.c              |  9 +++++++++
+ doc/arm/Bv9ARM-book.xml         | 18 ++++++++++++++++++
+ lib/dns/db.c                    |  6 +++++-
+ lib/dns/include/dns/db.h        | 10 ++++++++++
+ lib/dns/include/dns/rdataslab.h |  6 ++++++
+ lib/dns/rbtdb.c                 | 18 +++++++++++++++++-
+ lib/dns/rbtdb.h                 | 10 ++++++++++
+ lib/dns/rbtdb64.h               |  3 +++
+ lib/isccfg/namedconf.c          |  1 +
+ 11 files changed, 81 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index e3731cf..27cf9ee 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -243,6 +243,7 @@ options {\n\
+ #	max-ixfr-log-size <obsolete>\n\
+ 	max-journal-size unlimited;\n\
+ 	max-records 0;\n\
++	max-records-per-type 100;\n\
+ 	max-refresh-time 2419200; /* 4 weeks */\n\
+ 	max-retry-time 1209600; /* 2 weeks */\n\
+ 	max-transfer-idle-in 60;\n\
+diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
+index 31fac33..d7934c7 100644
+--- a/bin/named/named.conf.docbook
++++ b/bin/named/named.conf.docbook
+@@ -338,6 +338,7 @@ options {
+ 	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
+ 	max-ncache-ttl <replaceable>integer</replaceable>;
+ 	max-records <replaceable>integer</replaceable>;
++	max-records-per-type <replaceable>integer</replaceable>;
+ 	max-recursion-depth <replaceable>integer</replaceable>;
+ 	max-recursion-queries <replaceable>integer</replaceable>;
+ 	max-refresh-time <replaceable>integer</replaceable>;
+diff --git a/bin/named/server.c b/bin/named/server.c
+index afdc4fa..2e88df7 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -4606,6 +4606,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 					cfg_obj_asuint32(obj),
+ 					max_clients_per_query);
+ 
++	/*
++	 * This is used for the cache and also as a default value
++	 * for zone databases.
++	 */
++	obj = NULL;
++	result = ns_config_get(maps, "max-records-per-type", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	dns_db_setmaxrrperset(cfg_obj_asuint32(obj));
++
+ 	obj = NULL;
+ 	result = ns_config_get(maps, "max-recursion-depth", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 563dced..25acad0 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8318,6 +8318,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ 	      </listitem>
+ 	    </varlistentry>
+ 
++	    <varlistentry>
++	      <term><command>max-records-per-type</command></term>
++	      <listitem>
++		<para>
++		This sets the maximum number of resource records that can be stored
++		in an RRset in a database. Can be configured in <option>options</option>,
++		only.
++		</para>
++
++		<para>
++		   If set to a positive value, any attempt to cache or to add to a zone
++		   an RRset with more than the specified number of records will result in
++		   a failure.  If set to 0, there is no cap on RRset size.  The default is
++		   <literal>100</literal>.
++		</para>
++	      </listitem>
++	    </varlistentry>
++
+ 	    <varlistentry>
+ 	      <term><command>recursive-clients</command></term>
+ 	      <listitem>
+diff --git a/lib/dns/db.c b/lib/dns/db.c
+index c581646..9e7632a 100644
+--- a/lib/dns/db.c
++++ b/lib/dns/db.c
+@@ -1130,7 +1130,6 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
+ 		return (ISC_R_NOTIMPLEMENTED);
+ 	return ((db->methods->nodefullname)(db, node, name));
+ }
+-
+ isc_result_t
+ dns_db_setservestalettl(dns_db_t *db, dns_ttl_t ttl)
+ {
+@@ -1152,3 +1151,8 @@ dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl)
+ 		return ((db->methods->getservestalettl)(db, ttl));
+ 	return (ISC_R_NOTIMPLEMENTED);
+ }
++void
++dns_db_setmaxrrperset(uint32_t maxrrperset) {
++	dns_rbtdb_setmaxrrperset(maxrrperset);
++	dns_rbtdb64_setmaxrrperset(maxrrperset);
++}
+diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
+index 452770f..6357bfd 100644
+--- a/lib/dns/include/dns/db.h
++++ b/lib/dns/include/dns/db.h
+@@ -1718,6 +1718,16 @@ dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl);
+  * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+  */
+ 
++void
++dns_db_setmaxrrperset(uint32_t maxrrperset);
++/*%<
++ *     Sets the maximum number of records per rrset permitted in a database.
++ *     0 implies unlimited.
++ *
++ * Returns:
++ *\li  void
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_DB_H */
+diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
+index f38d539..40c40a8 100644
+--- a/lib/dns/include/dns/rdataslab.h
++++ b/lib/dns/include/dns/rdataslab.h
+@@ -173,6 +173,12 @@ dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+  *\li	true if the slabs are equal, #false otherwise.
+  */
+ 
++void
++dns_rdataslab_setmaxrrperset(uint32_t maxrrperset);
++/*%<
++ * Set global limit of max-records-per-type value.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_RDATASLAB_H */
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 5263e7c..388ffdf 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -981,6 +981,7 @@ static bool match_header_version(rbtdb_file_header_t *header);
+ /* Pad to 32 bytes */
+ static char FILE_VERSION[32] = "\0";
+ 
++
+ /*%
+  * 'init_count' is used to initialize 'newheader->count' which inturn
+  * is used to determine where in the cycle rrset-order cyclic starts.
+@@ -6321,6 +6322,19 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+ 
+ static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
++static bool     dns_g_rbtdb_max_rtypes_fromenv = false;
++void
++#ifdef DNS_RBTDB_VERSION64
++dns_rbtdb64_setmaxtypepername(uint32_t maxrrperset)
++#else
++dns_rbtdb_setmaxtypepername(uint32_t maxrrperset)
++#endif
++{
++	if (!dns_g_rbtdb_max_rtypes_fromenv) {
++		/* Make environment override configuration to avoid resetting to default value. */
++		dns_g_rbtdb_max_rtypes = maxrrperset;
++	}
++}
+ 
+ static void
+ init_max_rtypes(void) {
+@@ -6329,8 +6343,10 @@ init_max_rtypes(void) {
+ 	if (max) {
+ 		char *endp = NULL;
+ 		long l = strtol(max, &endp, 10);
+-		if (max != endp && endp && !*endp && l >= 0)
++		if (max != endp && endp && !*endp) {
+ 			dns_g_rbtdb_max_rtypes = l;
++			dns_g_rbtdb_max_rtypes_fromenv = true;
++		}
+ 	}
+ }
+ 
+diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
+index cd84b5b..4f2d890 100644
+--- a/lib/dns/rbtdb.h
++++ b/lib/dns/rbtdb.h
+@@ -45,6 +45,16 @@ dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
+  * \li argc == 0 or argv[0] is a valid memory context.
+  */
+ 
++void
++dns_rbtdb_setmaxtypepername(uint32_t value);
++/*%<
++ *     Set the maximum permissible number of RR types per owner name.
++ *     0 implies unlimited.
++ *
++ * Returns:
++ *\li  void
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_RBTDB_H */
+diff --git a/lib/dns/rbtdb64.h b/lib/dns/rbtdb64.h
+index 33b0115..77ae5b0 100644
+--- a/lib/dns/rbtdb64.h
++++ b/lib/dns/rbtdb64.h
+@@ -32,6 +32,9 @@ dns_rbtdb64_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
+ 		   dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+ 		   void *driverarg, dns_db_t **dbp);
+ 
++void
++dns_rbtdb64_setmaxtypepername(uint32_t value);
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_RBTDB64_H */
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index 667111c..fc46a64 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1100,6 +1100,7 @@ options_clauses[] = {
+ 	{ "lock-file", &cfg_type_qstringornone, 0 },
+ 	{ "managed-keys-directory", &cfg_type_qstring, 0 },
+ 	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
++	{ "max-records-per-type", &cfg_type_uint32, 0 },
+ 	{ "max-rsa-exponent-size", &cfg_type_uint32, 0 },
+ 	{ "memstatistics", &cfg_type_boolean, 0 },
+ 	{ "memstatistics-file", &cfg_type_qstring, 0 },
+-- 
+2.50.0
+

bind-9.11-d-max-types-per-name.patch

@@ -0,0 +1,196 @@
+From ba30ef9b8dbe3dacced19d80a8b27854a794b334 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sat, 25 May 2024 11:46:56 +0200
+Subject: [PATCH] Minimalistic support for max-types-per-name option
+
+Just add support for parsing of value from options to environment
+settable number. Keep environment value preferred, overriding
+configuration file value if present. Should avoid overriding environment
+set value by just default config value.
+
+Allow also value 0 from environment.
+---
+ bin/named/config.c           |  1 +
+ bin/named/named.conf.docbook |  1 +
+ bin/named/server.c           |  9 +++++++++
+ doc/arm/Bv9ARM-book.xml      | 19 +++++++++++++++++++
+ lib/dns/db.c                 | 12 ++++++++++--
+ lib/dns/include/dns/db.h     |  9 +++++++++
+ lib/dns/rdataslab.c          | 14 +++++++++++++-
+ lib/isccfg/namedconf.c       |  1 +
+ 8 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 27cf9ee..c4d44ef 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -246,6 +246,7 @@ options {\n\
+ 	max-records-per-type 100;\n\
+ 	max-refresh-time 2419200; /* 4 weeks */\n\
+ 	max-retry-time 1209600; /* 2 weeks */\n\
++	max-types-per-name 100;\n\
+ 	max-transfer-idle-in 60;\n\
+ 	max-transfer-idle-out 60;\n\
+ 	max-transfer-time-in 120;\n\
+diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
+index d7934c7..a4b1d76 100644
+--- a/bin/named/named.conf.docbook
++++ b/bin/named/named.conf.docbook
+@@ -348,6 +348,7 @@ options {
+ 	max-transfer-idle-out <replaceable>integer</replaceable>;
+ 	max-transfer-time-in <replaceable>integer</replaceable>;
+ 	max-transfer-time-out <replaceable>integer</replaceable>;
++	max-types-per-name <replaceable>integer</replaceable>;
+ 	max-udp-size <replaceable>integer</replaceable>;
+ 	max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
+ 	memstatistics <replaceable>boolean</replaceable>;
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 2e88df7..2086e41 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -4615,6 +4615,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	dns_db_setmaxrrperset(cfg_obj_asuint32(obj));
+ 
++	/*
++	 * This is used for the cache and also as a default value
++	 * for zone databases.
++	 */
++	obj = NULL;
++	result = ns_config_get(maps, "max-types-per-name", &obj);
++	INSIST(result == ISC_R_SUCCESS);
++	dns_db_setmaxtypepername(cfg_obj_asuint32(obj));
++
+ 	obj = NULL;
+ 	result = ns_config_get(maps, "max-recursion-depth", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 25acad0..70fd769 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8336,6 +8336,25 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ 	      </listitem>
+ 	    </varlistentry>
+ 
++	    <varlistentry>
++	      <term><command>max-types-per-name</command></term>
++	      <listitem>
++		<para>
++		   This sets the maximum number of resource record types that can be stored
++		   for a single owner name in a database. Can be configured in <option>options</option>
++		   only.
++		</para>
++
++		<para>
++		   If set to a positive value, any attempt to cache or to add to a zone an owner
++		   name with more than the specified number of resource record types will result
++		   in a failure.  If set to 0, there is no cap on RR types number.  The default is
++		   <literal>100</literal>.
++		</para>
++	      </listitem>
++	    </varlistentry>
++   
++
+ 	    <varlistentry>
+ 	      <term><command>recursive-clients</command></term>
+ 	      <listitem>
+diff --git a/lib/dns/db.c b/lib/dns/db.c
+index 9e7632a..b0f8960 100644
+--- a/lib/dns/db.c
++++ b/lib/dns/db.c
+@@ -35,6 +35,7 @@
+ #include <dns/master.h>
+ #include <dns/rdata.h>
+ #include <dns/rdataset.h>
++#include <dns/rdataslab.h>
+ #include <dns/rdatasetiter.h>
+ #include <dns/result.h>
+ 
+@@ -1151,8 +1152,15 @@ dns_db_getservestalettl(dns_db_t *db, dns_ttl_t *ttl)
+ 		return ((db->methods->getservestalettl)(db, ttl));
+ 	return (ISC_R_NOTIMPLEMENTED);
+ }
++
++/* Emulation of more complex changes later. */
+ void
+ dns_db_setmaxrrperset(uint32_t maxrrperset) {
+-	dns_rbtdb_setmaxrrperset(maxrrperset);
+-	dns_rbtdb64_setmaxrrperset(maxrrperset);
++	dns_rdataslab_setmaxrrperset(maxrrperset);
++}
++
++void
++dns_db_setmaxtypepername(uint32_t value) {
++	dns_rbtdb_setmaxtypepername(value);
++	dns_rbtdb64_setmaxtypepername(value);
+ }
+diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
+index 6357bfd..f6eae9b 100644
+--- a/lib/dns/include/dns/db.h
++++ b/lib/dns/include/dns/db.h
+@@ -1728,6 +1728,15 @@ dns_db_setmaxrrperset(uint32_t maxrrperset);
+  *\li  void
+  */
+ 
++void
++dns_db_setmaxtypepername(uint32_t value);
++/*%<
++ * Set the maximum permissible number of RR types per owner name.
++ *
++ * If 'value' is nonzero, then any subsequent attempt to add an rdataset with a
++ * RR type that would exceed the number of already stored RR types will return
++ * ISC_R_NOSPACE.
++ */
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_DB_H */
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index 9566f79..8ea9ef4 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -121,8 +121,18 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+ #endif /* DNS_RDATASET_MAX_RECORDS */
+ 
+ static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
++static bool dns_g_rdataset_max_records_fromenv = false;
+ static isc_once_t once = ISC_ONCE_INIT;
+ 
++void
++dns_rdataslab_setmaxrrperset(uint32_t maxrrperset)
++{
++	if (!dns_g_rdataset_max_records_fromenv) {
++		/* Make environment override configuration to avoid resetting to default value. */
++		dns_g_rdataset_max_records = maxrrperset;
++	}
++}
++
+ static void
+ init_max_records(void) {
+ 	/* Red Hat change, allow setting different max value by environment. */
+@@ -130,8 +140,10 @@ init_max_records(void) {
+ 	if (max) {
+ 		char *endp = NULL;
+ 		long l = strtol(max, &endp, 10);
+-		if (max != endp && endp && !*endp && l > 0)
++		if (max != endp && endp && !*endp) {
+ 			dns_g_rdataset_max_records = l;
++			dns_g_rdataset_max_records_fromenv = true;
++		}
+ 	}
+ }
+ 
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index fc46a64..b80bb9c 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1102,6 +1102,7 @@ options_clauses[] = {
+ 	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
+ 	{ "max-records-per-type", &cfg_type_uint32, 0 },
+ 	{ "max-rsa-exponent-size", &cfg_type_uint32, 0 },
++	{ "max-types-per-name", &cfg_type_uint32, 0 },
+ 	{ "memstatistics", &cfg_type_boolean, 0 },
+ 	{ "memstatistics-file", &cfg_type_qstring, 0 },
+ 	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+-- 
+2.50.0
+

bind.spec

@@ -68,7 +68,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.36
-Release:  16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.4
+Release:  16%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.5
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -200,6 +200,10 @@ Patch208: bind-9.11-CVE-2024-1737-runtime-env.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
 Patch209: bind-9.18-CVE-2024-11187-pre-test.patch
 Patch210: bind-9.18-CVE-2024-11187.patch
+# RH downstream, adds limits configurable from file
+Patch211: bind-9.11-d-max-records-per-type.patch
+Patch212: bind-9.11-d-max-types-per-name.patch
+Patch213: bind-9.11-d-max-records-checkconf.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -625,6 +629,9 @@ are used for building ISC DHCP.
 %patch -P 208 -p1 -b .CVE-2024-1737-env
 %patch -P 209 -p1 -b .CVE-2024-11187-pre-test
 %patch -P 210 -p1 -b .CVE-2024-11187
+%patch -P 211 -p1 -b .records-per-type
+%patch -P 212 -p1 -b .types-per-name
+%patch -P 213 -p1 -b .records-checkconf
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1677,6 +1684,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Thu Jul 10 2025 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.5
+- Add support for max-records-per-type and max-types-per-name options
+  (RHEL-61936)
+- Support reading of new options also in named-checkconf -z, v2
+
 * Thu Feb 06 2025 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-16.4
 - Change patches applying to use -P parameter
 

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}