77 changed files with 14970 additions and 3676 deletions
--- a/.bind.metadata
+++ b/.bind.metadata
@ -1,3 +1,2 @@
-f01eada382fb2bd4d1fcab3f6f83bd3ebc35a9ab SOURCES/bind-9.11.4-P2.tar.gz
+4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz
 1dc72fe31e4c84853ea2d016e36f0419d1885fa0 SOURCES/config-18.tar.bz2
 a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,2 @@
-SOURCES/bind-9.11.4-P2.tar.gz
+SOURCES/bind-9.11.36.tar.gz
 SOURCES/config-18.tar.bz2
 SOURCES/random.data
--- a/SOURCES/bind-9.10-dist-native-pkcs11.patch
+++ b/SOURCES/bind-9.10-dist-native-pkcs11.patch
@ -1,5 +1,5 @@
 diff --git a/bin/Makefile.in b/bin/Makefile.in
-index f0c504a..ce7a2da 100644
+index a18b222..26a7e4e 100644
 --- a/bin/Makefile.in
 +++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir =	@srcdir@
@ -14,25 +14,26 @@ index f0c504a..ce7a2da 100644
 @BIND9_MAKE_RULES@
 diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
-index 1d0c4ce..7b7f89b 100644
+index 390aa0c..e59a118 100644
 --- a/bin/dnssec-pkcs11/Makefile.in
 +++ b/bin/dnssec-pkcs11/Makefile.in
-@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
+@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 -CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
 +CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
- CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
 -		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
 +CDEFINES =	-DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
 +		@CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
 CWARNINGS =
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 -ISCLIBS =	../../lib/isc/libisc.@A@
 -ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
-+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 +ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
 +ISCNOSYMLIBS =	../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
@ -43,7 +44,7 @@ index 1d0c4ce..7b7f89b 100644
 DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
-@@ -37,10 +37,10 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
+@@ -35,10 +35,10 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
 # Alphabetically
@ -58,7 +59,7 @@ index 1d0c4ce..7b7f89b 100644
 OBJS =		dnssectool.@O@
-@@ -61,15 +61,15 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
+@@ -59,15 +59,15 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 @BIND9_MAKE_RULES@
@ -77,7 +78,7 @@ index 1d0c4ce..7b7f89b 100644
 	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
-@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
+@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/dnssec-signzone.c
@ -86,7 +87,7 @@ index 1d0c4ce..7b7f89b 100644
 	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
 	${FINALBUILDCMD}
-@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c
+@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
 		-c ${srcdir}/dnssec-verify.c
@ -110,7 +111,7 @@ index 1d0c4ce..7b7f89b 100644
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-importkey.@O@ ${OBJS} ${LIBS}
-@@ -108,16 +108,14 @@ docclean manclean maintainer-clean::
+@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -121,18 +122,18 @@ index 1d0c4ce..7b7f89b 100644
 -install:: ${TARGETS} installdirs install-man8
 +install:: ${TARGETS} installdirs
- 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
+ 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
 uninstall::
-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
- 	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
+ 	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
 clean distclean::
 diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 1d0c4ce..11538cf 100644
+index 390aa0c..851a008 100644
 --- a/bin/dnssec/Makefile.in
 +++ b/bin/dnssec/Makefile.in
-@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
+@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
@ -142,10 +143,10 @@ index 1d0c4ce..11538cf 100644
 CWARNINGS =
 diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
-index d92bc9a..a8c42a4 100644
+index 277a0f5..52a6375 100644
 --- a/bin/named-pkcs11/Makefile.in
 +++ b/bin/named-pkcs11/Makefile.in
-@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
 DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
@ -153,20 +154,22 @@ index d92bc9a..a8c42a4 100644
 -		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 +		${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
 +		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
- 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
 		@DST_OPENSSL_INC@
 -CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
-+CDEFINES =      @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
+CDEFINES =      @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
 CWARNINGS =
-DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-+DNSLIBS =  ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
 -ISCLIBS =	../../lib/isc/libisc.@A@
 -ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
 +ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
- ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
+ISCNOSYMLIBS =	../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
@ -179,7 +182,7 @@ index d92bc9a..a8c42a4 100644
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
 BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
-@@ -71,15 +71,15 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+@@ -72,15 +72,15 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -197,8 +200,8 @@ index d92bc9a..a8c42a4 100644
 +TARGETS =	named-pkcs11@EXEEXT@
 GEOIPLINKOBJS = geoip.@O@
- 
+ GEOIP2LINKOBJS = geoip.@O@
-@@ -90,8 +90,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
+@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
 		zoneconf.@O@ \
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -208,7 +211,7 @@ index d92bc9a..a8c42a4 100644
 UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
-@@ -106,8 +105,7 @@ SRCS =		builtin.c client.c config.c control.c \
+@@ -113,8 +112,7 @@ SRCS =		builtin.c client.c config.c control.c \
 		tkeyconf.c tsigconf.c update.c xfrout.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -218,7 +221,7 @@ index d92bc9a..a8c42a4 100644
 MANPAGES =	named.8 lwresd.8 named.conf.5
-@@ -146,14 +144,14 @@ server.@O@: server.c
+@@ -154,14 +152,14 @@ server.@O@: server.c
 		-DPRODUCT=\"${PRODUCT}\" \
 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -236,7 +239,7 @@ index d92bc9a..a8c42a4 100644
 doc man:: ${MANOBJS}
-@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
+@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
 install-man: install-man5 install-man8
@ -257,23 +260,23 @@ index d92bc9a..a8c42a4 100644
 @DLZ_DRIVER_RULES@
 diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index d92bc9a..6d2bfd1 100644
+index 277a0f5..0e00885 100644
 --- a/bin/named/Makefile.in
 +++ b/bin/named/Makefile.in
-@@ -47,7 +47,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+@@ -48,7 +48,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
- 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
- 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ 		@DST_OPENSSL_INC@
 -CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
-+CDEFINES =      @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES =      @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
 CWARNINGS =
 diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
-index a058c91..d4b689a 100644
+index 2c19e7e..8223d5e 100644
 --- a/bin/pkcs11/Makefile.in
 +++ b/bin/pkcs11/Makefile.in
-@@ -15,13 +15,13 @@ top_srcdir =	@top_srcdir@
+@@ -13,13 +13,13 @@ top_srcdir =	@top_srcdir@
 @BIND9_MAKE_INCLUDES@
@ -290,11 +293,11 @@ index a058c91..d4b689a 100644
 DEPLIBS =	${ISCDEPLIBS}
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index 849fa94..69e6373 100644
+index 83cad4a..e1e1a32 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
+@@ -1178,12 +1178,14 @@ AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
 AC_SUBST(DNS_GSSAPI_LIBS)
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -309,24 +312,26 @@ index 849fa94..69e6373 100644
 #
 # was --with-randomdev specified?
-@@ -1554,11 +1556,11 @@ fi
+@@ -1556,12 +1558,12 @@ AC_ARG_ENABLE(openssl-hash,
 AC_MSG_CHECKING(for OpenSSL library)
 OPENSSL_WARNING=
- openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+ openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
 -if test "yes" = "$want_native_pkcs11"
 -then
 -	use_openssl="native_pkcs11"
 -	want_openssl_hash="no"
 -	AC_MSG_RESULT(use of native PKCS11 instead)
 -fi
-+# if test "yes" = "$want_native_pkcs11"
+#if test "yes" = "$want_native_pkcs11"
-+# then
+#then
 +#	use_openssl="native_pkcs11"
 +#	want_openssl_hash="no"
 +#	AC_MSG_RESULT(use of native PKCS11 instead)
-+# fi
+#fi
 if test "auto" = "$use_openssl"
 then
-@@ -1571,6 +1573,7 @@ then
+@@ -1574,6 +1576,7 @@ then
 		fi
 	done
 fi
@ -334,7 +339,7 @@ index 849fa94..69e6373 100644
 OPENSSL_ECDSA=""
 OPENSSL_GOST=""
 OPENSSL_ED25519=""
-@@ -1592,11 +1595,10 @@ case "$with_gost" in
+@@ -1595,11 +1598,10 @@ case "$with_gost" in
 		;;
 esac
@ -349,7 +354,7 @@ index 849fa94..69e6373 100644
 		CRYPTOLIB="pkcs11"
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
-@@ -1606,7 +1608,9 @@ case "$use_openssl" in
+@@ -1609,7 +1611,9 @@ case "$use_openssl" in
 		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
@ -360,7 +365,7 @@ index 849fa94..69e6373 100644
 	no)
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
-@@ -1638,7 +1642,7 @@ case "$use_openssl" in
+@@ -1641,7 +1645,7 @@ case "$use_openssl" in
 If you do not want OpenSSL, use --without-openssl])
 		;;
 	*)
@ -369,7 +374,7 @@ index 849fa94..69e6373 100644
 		then
 			AC_MSG_RESULT()
 			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519)
+@@ -2077,6 +2081,7 @@ AC_SUBST(OPENSSL_ED25519)
 AC_SUBST(OPENSSL_GOST)
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -377,7 +382,7 @@ index 849fa94..69e6373 100644
 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
 if test "yes" = "$with_aes"
-@@ -2384,6 +2389,7 @@ esac
+@@ -2363,6 +2368,7 @@ esac
 AC_SUBST(PKCS11LINKOBJS)
 AC_SUBST(PKCS11LINKSRCS)
 AC_SUBST(CRYPTO)
@ -385,7 +390,7 @@ index 849fa94..69e6373 100644
 AC_SUBST(PKCS11_ECDSA)
 AC_SUBST(PKCS11_GOST)
 AC_SUBST(PKCS11_ED25519)
-@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([
+@@ -5491,8 +5497,11 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
@ -397,7 +402,7 @@ index 849fa94..69e6373 100644
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
-@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([
+@@ -5565,6 +5574,10 @@ AC_CONFIG_FILES([
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
 	lib/dns/tests/Makefile
@ -408,7 +413,7 @@ index 849fa94..69e6373 100644
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
-@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([
+@@ -5589,6 +5602,24 @@ AC_CONFIG_FILES([
 	lib/isc/unix/include/Makefile
 	lib/isc/unix/include/isc/Makefile
 	lib/isc/unix/include/pkcs11/Makefile
@ -434,7 +439,7 @@ index 849fa94..69e6373 100644
 	lib/isccc/include/Makefile
 	lib/isccc/include/isccc/Makefile
 diff --git a/lib/Makefile.in b/lib/Makefile.in
-index 81270a0..bcb5312 100644
+index f089bea..3ed939b 100644
 --- a/lib/Makefile.in
 +++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir =	@top_srcdir@
@ -447,20 +452,21 @@ index 81270a0..bcb5312 100644
 @BIND9_MAKE_RULES@
 diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
-index 4a8549e..6a19906 100644
+index 1d0f5df..98c9ba0 100644
 --- a/lib/dns-pkcs11/Makefile.in
 +++ b/lib/dns-pkcs11/Makefile.in
-@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
+@@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@
- USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+ @BIND9_MAKE_INCLUDES@
 -CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
-		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+-		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
 +CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
-+		${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+		${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} \
 		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+-CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
-+CDEFINES =	-DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES =	-DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
 CWARNINGS =
@ -470,9 +476,9 @@ index 4a8549e..6a19906 100644
 -ISCDEPLIBS =	../../lib/isc/libisc.@A@
 +ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
- LIBS =		@LIBS@
+ LIBS =		${MAXMINDDB_LIBS} @LIBS@
-@@ -146,15 +146,15 @@ version.@O@: version.c
+@@ -148,15 +148,15 @@ version.@O@: version.c
 		-DLIBAGE=${LIBAGE} \
 		-c ${srcdir}/version.c
@ -492,13 +498,9 @@ index 4a8549e..6a19906 100644
 include: gen
 	${MAKE} include/dns/enumtype.h
-@@ -180,25 +180,25 @@ code.h:	gen
+@@ -187,22 +187,22 @@ gen: gen.c
- 	./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
+ 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
- 
+ 	${BUILD_LIBS} ${LFS_LIBS}
 gen: gen.c
 -	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
 +	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
 -timestamp: include libdns.@A@
 +timestamp: include libdns-pkcs11.@A@
@ -523,9 +525,9 @@ index 4a8549e..6a19906 100644
 +	rm -f libdns-pkcs11.@A@ timestamp
 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
 	rm -f include/dns/rdatastruct.h
- 	rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
+ 	rm -f dnstap.pb-c.c dnstap.pb-c.h
 diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
-index ba53ef1..d1f1771 100644
+index 7e3e9ce..58d7466 100644
 --- a/lib/isc-pkcs11/Makefile.in
 +++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES =	-I${srcdir}/unix/include \
@ -593,10 +595,10 @@ index ba53ef1..d1f1771 100644
 +	rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
 +	libisc-pkcs11-nosymtbl.la timestamp
 diff --git a/make/includes.in b/make/includes.in
-index fa86ad1..3cfbe9f 100644
+index 66efe68..966671f 100644
 --- a/make/includes.in
 +++ b/make/includes.in
-@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+@@ -41,3 +41,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
 TEST_INCLUDES = \
 	-I${top_srcdir}/lib/tests/include
--- a/SOURCES/bind-9.10-sdb.patch
+++ b/SOURCES/bind-9.10-sdb.patch
@ -14,7 +14,7 @@ index ce7a2da..4e6a824 100644
 @BIND9_MAKE_RULES@
 diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
-index 6d2bfd1..d3f42e8 100644
+index 03a72d5..4c1cb6d 100644
 --- a/bin/named-sdb/Makefile.in
 +++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
@ -31,7 +31,7 @@ index 6d2bfd1..d3f42e8 100644
 DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
-@@ -79,7 +79,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+@@ -80,7 +80,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
 SUBDIRS =	unix
@ -39,8 +39,8 @@ index 6d2bfd1..d3f42e8 100644
 +TARGETS =	named-sdb@EXEEXT@
 GEOIPLINKOBJS = geoip.@O@
- 
+ GEOIP2LINKOBJS = geoip.@O@
-@@ -146,7 +146,7 @@ server.@O@: server.c
+@@ -154,7 +154,7 @@ server.@O@: server.c
 		-DPRODUCT=\"${PRODUCT}\" \
 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -49,7 +49,7 @@ index 6d2bfd1..d3f42e8 100644
 	export MAKE_SYMTABLE="yes"; \
 	export BASEOBJS="${OBJS} ${UOBJS}"; \
 	${FINALBUILDCMD}
-@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
+@@ -181,8 +181,6 @@ statschannel.@O@: bind9.xsl.h
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -58,7 +58,7 @@ index 6d2bfd1..d3f42e8 100644
 install-man5: named.conf.5
 	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
-@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
+@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
 install-man: install-man5 install-man8
@ -79,10 +79,10 @@ index 6d2bfd1..d3f42e8 100644
 @DLZ_DRIVER_RULES@
 diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index bb639d9..555c4d9 100644
+index c9fc3cc..148ebb3 100644
 --- a/bin/named-sdb/main.c
 +++ b/bin/named-sdb/main.c
-@@ -91,6 +91,10 @@
+@@ -97,6 +97,10 @@
  * Include header files for database drivers here.
  */
 /* #include "xxdb.h" */
@ -93,7 +93,7 @@ index bb639d9..555c4d9 100644
 #ifdef CONTRIB_DLZ
 /*
-@@ -1061,6 +1065,11 @@ setup(void) {
+@@ -1134,6 +1138,11 @@ setup(void) {
 		ns_main_earlyfatal("isc_app_start() failed: %s",
 				   isc_result_totext(result));
@ -105,7 +105,7 @@ index bb639d9..555c4d9 100644
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
 		      ns_g_product, ns_g_version,
-@@ -1261,6 +1270,75 @@ setup(void) {
+@@ -1334,6 +1343,75 @@ setup(void) {
 				   isc_result_totext(result));
 #endif
@ -181,7 +181,7 @@ index bb639d9..555c4d9 100644
 	ns_server_create(ns_g_mctx, &ns_g_server);
 #ifdef HAVE_LIBSECCOMP
-@@ -1303,6 +1381,11 @@ cleanup(void) {
+@@ -1376,6 +1454,11 @@ cleanup(void) {
 	dns_name_destroy();
@ -194,22 +194,23 @@ index bb639d9..555c4d9 100644
 		      ISC_LOG_NOTICE, "exiting");
 	ns_log_shutdown();
 diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index 6d2bfd1..86f8587 100644
+index 03a72d5..47cc046 100644
 --- a/bin/named/Makefile.in
 +++ b/bin/named/Makefile.in
-@@ -45,9 +45,9 @@ DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+@@ -45,10 +45,10 @@ DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
-		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+-		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
-+		@DST_OPENSSL_INC@
+		${MAXMINDDB_CFLAGS} \
 		@DST_OPENSSL_INC@
-CDEFINES =      @CONTRIB_DLZ@ @CRYPTO@
+-CDEFINES =      @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
-+CDEFINES =      @CRYPTO@
+CDEFINES =      @USE_GSSAPI@ @CRYPTO@
 CWARNINGS =
-@@ -71,11 +71,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+@@ -72,11 +72,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -223,7 +224,7 @@ index 6d2bfd1..86f8587 100644
 SUBDIRS =	unix
-@@ -90,8 +90,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
+@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
 		zoneconf.@O@ \
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -233,7 +234,7 @@ index 6d2bfd1..86f8587 100644
 UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
-@@ -106,8 +105,7 @@ SRCS =		builtin.c client.c config.c control.c \
+@@ -113,8 +112,7 @@ SRCS =		builtin.c client.c config.c control.c \
 		tkeyconf.c tsigconf.c update.c xfrout.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -243,7 +244,7 @@ index 6d2bfd1..86f8587 100644
 MANPAGES =	named.8 lwresd.8 named.conf.5
-@@ -195,7 +193,5 @@ uninstall::
+@@ -203,7 +201,5 @@ uninstall::
 	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
@ -286,11 +287,11 @@ index c7e0868..95ab742 100644
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index 62536a6..f571a4f 100644
+index f85f45f..7d28c52 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
+@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
 	bin/named/unix/Makefile
 	bin/named-pkcs11/Makefile
 	bin/named-pkcs11/unix/Makefile
@ -299,9 +300,9 @@ index 62536a6..f571a4f 100644
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
-@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
+@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
 	bin/python/isc/tests/dnskey_test.py
 	bin/python/isc/tests/policy_test.py
 	bin/python/isc/utils.py
 	bin/rndc/Makefile
 +	bin/sdb_tools/Makefile
 	bin/tests/Makefile
--- a/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
+++ b/SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
@ -1,131 +0,0 @@
 From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Wed, 24 Apr 2019 21:10:26 +0200
 Subject: [PATCH] Missing atomic fix to original CVE patch
 ---
 bin/named/client.c                     | 18 +++++++-----------
 bin/named/include/named/interfacemgr.h |  5 +++--
 bin/named/interfacemgr.c               |  7 +++++--
 3 files changed, 15 insertions(+), 15 deletions(-)
 diff --git a/bin/named/client.c b/bin/named/client.c
 index 3ada6e9..d3bf47d 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) {
 static void
 mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
 	if (active && !client->tcpactive) {
 -		isc_atomic_xadd(&client->interface->ntcpactive, 1);
 +		isc_refcount_increment0(&client->interface->ntcpactive, NULL);
 		client->tcpactive = active;
 	} else if (!active && client->tcpactive) {
 -		uint32_t old =
 -			isc_atomic_xadd(&client->interface->ntcpactive, -1);
 -		INSIST(old > 0);
 +		isc_refcount_decrement(&client->interface->ntcpactive, NULL);
 		client->tcpactive = active;
 	}
 }
@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) {
 		if (client->mortal && TCP_CLIENT(client) &&
 		    client->newstate != NS_CLIENTSTATE_FREED &&
 		    !ns_g_clienttest &&
 -		    isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
 +		    isc_refcount_current(&client->interface->ntcpaccepting) == 0)
 		{
 			/* Nobody else is accepting */
 			client->mortal = ISC_FALSE;
@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 	ns_client_t *client = event->ev_arg;
 	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
 -	uint32_t old;
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
 	REQUIRE(NS_CLIENT_VALID(client));
@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	INSIST(client->naccepts == 1);
 	client->naccepts--;
 -	old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
 -	INSIST(old > 0);
 +	isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
 	/*
 	 * We must take ownership of the new socket before the exit
@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) {
 		 * quota is tcp-clients plus the number of listening
 		 * interfaces plus 1.)
 		 */
 -		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
 -			(client->tcpactive ? 1 : 0));
 +		exit = (isc_refcount_current(&client->interface->ntcpactive) >
 +			(client->tcpactive ? 1U : 0U));
 		if (exit) {
 			client->newstate = NS_CLIENTSTATE_INACTIVE;
 			(void)exit_check(client);
@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) {
 	 * listening for connections itself to prevent the interface
 	 * going dead.
 	 */
 -	isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
 +	isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
 }
 static void
 diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
 index d9ac90f..aa21049 100644
 --- a/bin/named/include/named/interfacemgr.h
 +++ b/bin/named/include/named/interfacemgr.h
@@ -43,6 +43,7 @@
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/socket.h>
 +#include <isc/refcount.h>
 #include <dns/result.h>
@@ -73,11 +74,11 @@ struct ns_interface {
 						/*%< UDP dispatchers. */
 	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
 	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
 -	int32_t			ntcpaccepting;	/*%< Number of clients
 +	isc_refcount_t		ntcpaccepting;	/*%< Number of clients
 						     ready to accept new
 						     TCP connections on this
 						     interface */
 -	int32_t			ntcpactive;	/*%< Number of clients
 +	isc_refcount_t		ntcpactive;	/*%< Number of clients
 						     servicing TCP queries
 						     (whether accepting or
 						     connected) */
 diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
 index 96c080b..2ce97bb 100644
 --- a/bin/named/interfacemgr.c
 +++ b/bin/named/interfacemgr.c
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	 * connections will be handled in parallel even though there is
 	 * only one client initially.
 	 */
 -	ifp->ntcpaccepting = 0;
 -	ifp->ntcpactive = 0;
 +	isc_refcount_init(&ifp->ntcpaccepting, 0);
 +	isc_refcount_init(&ifp->ntcpactive, 0);
 	ifp->nudpdispatch = 0;
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
 	ns_interfacemgr_detach(&ifp->mgr);
 +	isc_refcount_destroy(&ifp->ntcpactive);
 +	isc_refcount_destroy(&ifp->ntcpaccepting);
 +
 	ifp->magic = 0;
 	isc_mem_put(mctx, ifp, sizeof(*ifp));
 }
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-CVE-2018-5743.patch
+++ b/SOURCES/bind-9.11-CVE-2018-5743.patch
@ -1,868 +0,0 @@
 From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Wed, 24 Apr 2019 20:09:07 +0200
 Subject: [PATCH] 5200.   [security]      tcp-clients settings could be
 exceeded in some cases,                         which could lead to
 exhaustion of file descriptors.                         (CVE-2018-5743) [GL
 #615]
 ---
 bin/named/client.c                     | 421 +++++++++++++++++++------
 bin/named/include/named/client.h       |  13 +-
 bin/named/include/named/interfacemgr.h |  13 +-
 bin/named/interfacemgr.c               |   9 +-
 lib/isc/include/isc/quota.h            |   7 +
 lib/isc/quota.c                        |  33 +-
 6 files changed, 385 insertions(+), 111 deletions(-)
 diff --git a/bin/named/client.c b/bin/named/client.c
 index b7d8a98..e1acaf1 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
 static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
 			       dns_dispatch_t *disp, isc_boolean_t tcp);
 static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
 -			       isc_socket_t *sock);
 +			       isc_socket_t *sock, ns_client_t *oldclient);
 static inline isc_boolean_t
 allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
 	isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
 	}
 }
 +/*%
 + * Allocate a reference-counted object that will maintain a single pointer to
 + * the (also reference-counted) TCP client quota, shared between all the
 + * clients processing queries on a single TCP connection, so that all
 + * clients sharing the one socket will together consume only one slot in
 + * the 'tcp-clients' quota.
 + */
 +static isc_result_t
 +tcpconn_init(ns_client_t *client, isc_boolean_t force) {
 +	isc_result_t result;
 +	isc_quota_t *quota = NULL;
 +	ns_tcpconn_t *tconn = NULL;
 +
 +	REQUIRE(client->tcpconn == NULL);
 +
 +	/*
 +	 * Try to attach to the quota first, so we won't pointlessly
 +	 * allocate memory for a tcpconn object if we can't get one.
 +	 */
 +	if (force) {
 +		result = isc_quota_force(&ns_g_server->tcpquota, &quota);
 +	} else {
 +		result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
 +	}
 +	if (result != ISC_R_SUCCESS) {
 +		return (result);
 +	}
 +
 +	/*
 +	 * A global memory context is used for the allocation as different
 +	 * client structures may have different memory contexts assigned and a
 +	 * reference counter allocated here might need to be freed by a
 +	 * different client.  The performance impact caused by memory context
 +	 * contention here is expected to be negligible, given that this code
 +	 * is only executed for TCP connections.
 +	 */
 +	tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
 +
 +	isc_refcount_init(&tconn->refs, 1);
 +	tconn->tcpquota = quota;
 +	quota = NULL;
 +	tconn->pipelined = ISC_FALSE;
 +
 +	client->tcpconn = tconn;
 +
 +	return (ISC_R_SUCCESS);
 +}
 +
 +/*%
 + * Increase the count of client structures sharing the TCP connection
 + * that 'source' is associated with; add a pointer to the same tcpconn
 + * to 'target', thus associating it with the same TCP connection.
 + */
 +static void
 +tcpconn_attach(ns_client_t *source, ns_client_t *target) {
 +	int refs;
 +
 +	REQUIRE(source->tcpconn != NULL);
 +	REQUIRE(target->tcpconn == NULL);
 +	REQUIRE(source->tcpconn->pipelined);
 +
 +	isc_refcount_increment(&source->tcpconn->refs, &refs);
 +	INSIST(refs > 1);
 +	target->tcpconn = source->tcpconn;
 +}
 +
 +/*%
 + * Decrease the count of client structures sharing the TCP connection that
 + * 'client' is associated with.  If this is the last client using this TCP
 + * connection, we detach from the TCP quota and free the tcpconn
 + * object. Either way, client->tcpconn is set to NULL.
 + */
 +static void
 +tcpconn_detach(ns_client_t *client) {
 +	ns_tcpconn_t *tconn = NULL;
 +	int refs;
 +
 +	REQUIRE(client->tcpconn != NULL);
 +
 +	tconn = client->tcpconn;
 +	client->tcpconn = NULL;
 +
 +	isc_refcount_decrement(&tconn->refs, &refs);
 +	if (refs == 0) {
 +		isc_quota_detach(&tconn->tcpquota);
 +		isc_mem_free(ns_g_mctx, tconn);
 +	}
 +}
 +
 +/*%
 + * Mark a client as active and increment the interface's 'ntcpactive'
 + * counter, as a signal that there is at least one client servicing
 + * TCP queries for the interface. If we reach the TCP client quota at
 + * some point, this will be used to determine whether a quota overrun
 + * should be permitted.
 + *
 + * Marking the client active with the 'tcpactive' flag ensures proper
 + * accounting, by preventing us from incrementing or decrementing
 + * 'ntcpactive' more than once per client.
 + */
 +static void
 +mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
 +	if (active && !client->tcpactive) {
 +		isc_atomic_xadd(&client->interface->ntcpactive, 1);
 +		client->tcpactive = active;
 +	} else if (!active && client->tcpactive) {
 +		uint32_t old =
 +			isc_atomic_xadd(&client->interface->ntcpactive, -1);
 +		INSIST(old > 0);
 +		client->tcpactive = active;
 +	}
 +}
 +
 /*%
  * Check for a deactivation or shutdown request and take appropriate
  * action.  Returns ISC_TRUE if either is in progress; in this case
@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) {
 		INSIST(client->recursionquota == NULL);
 		if (NS_CLIENTSTATE_READING == client->newstate) {
 -			if (!client->pipelined) {
 +			INSIST(client->tcpconn != NULL);
 +			if (!client->tcpconn->pipelined) {
 				client_read(client);
 				client->newstate = NS_CLIENTSTATE_MAX;
 				return (ISC_TRUE); /* We're done. */
@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) {
 		 */
 		INSIST(client->recursionquota == NULL);
 		INSIST(client->newstate <= NS_CLIENTSTATE_READY);
 -		if (client->nreads > 0)
 +
 +		if (client->nreads > 0) {
 			dns_tcpmsg_cancelread(&client->tcpmsg);
 -		if (client->nreads != 0) {
 -			/* Still waiting for read cancel completion. */
 +		}
 +
 +		/* Still waiting for read cancel completion. */
 +		if (client->nreads > 0) {
 			return (ISC_TRUE);
 		}
@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) {
 			dns_tcpmsg_invalidate(&client->tcpmsg);
 			client->tcpmsg_valid = ISC_FALSE;
 		}
 +
 +		/*
 +		 * Soon the client will be ready to accept a new TCP
 +		 * connection or UDP request, but we may have enough
 +		 * clients doing that already.  Check whether this client
 +		 * needs to remain active and allow it go inactive if
 +		 * not.
 +		 *
 +		 * UDP clients always go inactive at this point, but a TCP
 +		 * client may need to stay active and return to READY
 +		 * state if no other clients are available to listen
 +		 * for TCP requests on this interface.
 +		 *
 +		 * Regardless, if we're going to FREED state, that means
 +		 * the system is shutting down and we don't need to
 +		 * retain clients.
 +		 */
 +		if (client->mortal && TCP_CLIENT(client) &&
 +		    client->newstate != NS_CLIENTSTATE_FREED &&
 +		    !ns_g_clienttest &&
 +		    isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
 +		{
 +			/* Nobody else is accepting */
 +			client->mortal = ISC_FALSE;
 +			client->newstate = NS_CLIENTSTATE_READY;
 +		}
 +
 +		/*
 +		 * Detach from TCP connection and TCP client quota,
 +		 * if appropriate. If this is the last reference to
 +		 * the TCP connection in our pipeline group, the
 +		 * TCP quota slot will be released.
 +		 */
 +		if (client->tcpconn) {
 +			tcpconn_detach(client);
 +		}
 +
 		if (client->tcpsocket != NULL) {
 			CTRACE("closetcp");
 			isc_socket_detach(&client->tcpsocket);
 +			mark_tcp_active(client, ISC_FALSE);
 		}
 -		if (client->tcpquota != NULL)
 -			isc_quota_detach(&client->tcpquota);
 -
 		if (client->timerset) {
 			(void)isc_timer_reset(client->timer,
 					      isc_timertype_inactive,
@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) {
 			client->timerset = ISC_FALSE;
 		}
 -		client->pipelined = ISC_FALSE;
 -
 		client->peeraddr_valid = ISC_FALSE;
 		client->state = NS_CLIENTSTATE_READY;
 -		INSIST(client->recursionquota == NULL);
 -
 -		/*
 -		 * Now the client is ready to accept a new TCP connection
 -		 * or UDP request, but we may have enough clients doing
 -		 * that already.  Check whether this client needs to remain
 -		 * active and force it to go inactive if not.
 -		 *
 -		 * UDP clients go inactive at this point, but TCP clients
 -		 * may remain active if we have fewer active TCP client
 -		 * objects than desired due to an earlier quota exhaustion.
 -		 */
 -		if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
 -			LOCK(&client->interface->lock);
 -			if (client->interface->ntcpcurrent <
 -				    client->interface->ntcptarget)
 -				client->mortal = ISC_FALSE;
 -			UNLOCK(&client->interface->lock);
 -		}
 		/*
 		 * We don't need the client; send it to the inactive
 		 * queue for recycling.
 		 */
 		if (client->mortal) {
 -			if (client->newstate > NS_CLIENTSTATE_INACTIVE)
 +			if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
 				client->newstate = NS_CLIENTSTATE_INACTIVE;
 +			}
 		}
 		if (NS_CLIENTSTATE_READY == client->newstate) {
 			if (TCP_CLIENT(client)) {
 				client_accept(client);
 -			} else
 +			} else {
 				client_udprecv(client);
 +			}
 			client->newstate = NS_CLIENTSTATE_MAX;
 			return (ISC_TRUE);
 		}
@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) {
 		/*
 		 * We are trying to enter the inactive state.
 		 */
 -		if (client->naccepts > 0)
 +		if (client->naccepts > 0) {
 			isc_socket_cancel(client->tcplistener, client->task,
 					  ISC_SOCKCANCEL_ACCEPT);
 +		}
 		/* Still waiting for accept cancel completion. */
 -		if (! (client->naccepts == 0))
 +		if (client->naccepts > 0) {
 			return (ISC_TRUE);
 +		}
 		/* Accept cancel is complete. */
 -		if (client->nrecvs > 0)
 +		if (client->nrecvs > 0) {
 			isc_socket_cancel(client->udpsocket, client->task,
 					  ISC_SOCKCANCEL_RECV);
 +		}
 		/* Still waiting for recv cancel completion. */
 -		if (! (client->nrecvs == 0))
 +		if (client->nrecvs > 0) {
 			return (ISC_TRUE);
 +		}
 		/* Still waiting for control event to be delivered */
 -		if (client->nctls > 0)
 +		if (client->nctls > 0) {
 			return (ISC_TRUE);
 -
 -		/* Deactivate the client. */
 -		if (client->interface)
 -			ns_interface_detach(&client->interface);
 +		}
 		INSIST(client->naccepts == 0);
 		INSIST(client->recursionquota == NULL);
 -		if (client->tcplistener != NULL)
 +		if (client->tcplistener != NULL) {
 			isc_socket_detach(&client->tcplistener);
 +			mark_tcp_active(client, ISC_FALSE);
 +		}
 -		if (client->udpsocket != NULL)
 +		if (client->udpsocket != NULL) {
 			isc_socket_detach(&client->udpsocket);
 +		}
 -		if (client->dispatch != NULL)
 +		/* Deactivate the client. */
 +		if (client->interface != NULL) {
 +			ns_interface_detach(&client->interface);
 +		}
 +
 +		if (client->dispatch != NULL) {
 			dns_dispatch_detach(&client->dispatch);
 +		}
 		client->attributes = 0;
 		client->mortal = ISC_FALSE;
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
 			client->newstate = NS_CLIENTSTATE_MAX;
 			if (!ns_g_clienttest && manager != NULL &&
 			    !manager->exiting)
 +			{
 				ISC_QUEUE_PUSH(manager->inactive, client,
 					       ilink);
 -			if (client->needshutdown)
 +			}
 +			if (client->needshutdown) {
 				isc_task_shutdown(client->task);
 +			}
 			return (ISC_TRUE);
 		}
 	}
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
 		return;
 	if (TCP_CLIENT(client)) {
 -		if (client->pipelined) {
 +		if (client->tcpconn != NULL) {
 			client_read(client);
 		} else {
 			client_accept(client);
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
 	}
 }
 -
 /*%
  * The client's task has received a shutdown event.
  */
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		client->nrecvs--;
 	} else {
 		INSIST(TCP_CLIENT(client));
 +		INSIST(client->tcpconn != NULL);
 		REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
 		REQUIRE(event->ev_sender == &client->tcpmsg);
 		buffer = &client->tcpmsg.buffer;
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Pipeline TCP query processing.
 	 */
 -	if (client->message->opcode != dns_opcode_query)
 -		client->pipelined = ISC_FALSE;
 -	if (TCP_CLIENT(client) && client->pipelined) {
 -		result = isc_quota_reserve(&ns_g_server->tcpquota);
 -		if (result == ISC_R_SUCCESS)
 -			result = ns_client_replace(client);
 +	if (TCP_CLIENT(client) &&
 +	    client->message->opcode != dns_opcode_query)
 +	{
 +		client->tcpconn->pipelined = ISC_FALSE;
 +	}
 +	if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
 +		/*
 +		 * We're pipelining. Replace the client; the
 +		 * replacement can read the TCP socket looking
 +		 * for new messages and this one can process the
 +		 * current message asynchronously.
 +		 *
 +		 * There will now be at least three clients using this
 +		 * TCP socket - one accepting new connections,
 +		 * one reading an existing connection to get new
 +		 * messages, and one answering the message already
 +		 * received.
 +		 */
 +		result = ns_client_replace(client);
 		if (result != ISC_R_SUCCESS) {
 -			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 -				      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
 -				      "no more TCP clients(read): %s",
 -				      isc_result_totext(result));
 -			client->pipelined = ISC_FALSE;
 +			client->tcpconn->pipelined = ISC_FALSE;
 		}
 	}
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->signer = NULL;
 	dns_name_init(&client->signername, NULL);
 	client->mortal = ISC_FALSE;
 -	client->pipelined = ISC_FALSE;
 -	client->tcpquota = NULL;
 +	client->tcpconn = NULL;
 	client->recursionquota = NULL;
 	client->interface = NULL;
 	client->peeraddr_valid = ISC_FALSE;
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	client->filter_aaaa = dns_aaaa_ok;
 #endif
 	client->needshutdown = ns_g_clienttest;
 +	client->tcpactive = ISC_FALSE;
 	ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
 		       NS_EVENT_CLIENTCONTROL, client_start, client, client,
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
 static void
 client_newconn(isc_task_t *task, isc_event_t *event) {
 +	isc_result_t result;
 	ns_client_t *client = event->ev_arg;
 	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
 -	isc_result_t result;
 +	uint32_t old;
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
 	REQUIRE(NS_CLIENT_VALID(client));
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	INSIST(client->state == NS_CLIENTSTATE_READY);
 +	/*
 +	 * The accept() was successful and we're now establishing a new
 +	 * connection. We need to make note of it in the client and
 +	 * interface objects so client objects can do the right thing
 +	 * when going inactive in exit_check() (see comments in
 +	 * client_accept() for details).
 +	 */
 	INSIST(client->naccepts == 1);
 	client->naccepts--;
 -	LOCK(&client->interface->lock);
 -	INSIST(client->interface->ntcpcurrent > 0);
 -	client->interface->ntcpcurrent--;
 -	UNLOCK(&client->interface->lock);
 +	old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
 +	INSIST(old > 0);
 	/*
 	 * We must take ownership of the new socket before the exit
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "accept failed: %s",
 			      isc_result_totext(nevent->result));
 +		tcpconn_detach(client);
 	}
 	if (exit_check(client))
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 		 * telnetting to port 53 (once per CPU) will
 		 * deny service to legitimate TCP clients.
 		 */
 -		client->pipelined = ISC_FALSE;
 -		result = isc_quota_attach(&ns_g_server->tcpquota,
 -					  &client->tcpquota);
 -		if (result == ISC_R_SUCCESS)
 -			result = ns_client_replace(client);
 -		if (result != ISC_R_SUCCESS) {
 -			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 -				      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
 -				      "no more TCP clients(accept): %s",
 -				      isc_result_totext(result));
 -		} else if (ns_g_server->keepresporder == NULL ||
 -			   !allowed(&netaddr, NULL, NULL, 0, NULL,
 -				    ns_g_server->keepresporder)) {
 -			client->pipelined = ISC_TRUE;
 +		result = ns_client_replace(client);
 +		if (result == ISC_R_SUCCESS &&
 +		    (ns_g_server->keepresporder == NULL ||
 +		     !allowed(&netaddr, NULL, NULL, 0, NULL,
 +			      ns_g_server->keepresporder)))
 +		{
 +			client->tcpconn->pipelined = ISC_TRUE;
 		}
 		client_read(client);
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
 	CTRACE("accept");
 +	/*
 +	 * Set up a new TCP connection. This means try to attach to the
 +	 * TCP client quota (tcp-clients), but fail if we're over quota.
 +	 */
 +	result = tcpconn_init(client, ISC_FALSE);
 +	if (result != ISC_R_SUCCESS) {
 +		isc_boolean_t exit;
 +
 +		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
 +			      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
 +			      "TCP client quota reached: %s",
 +			      isc_result_totext(result));
 +
 +		/*
 +		 * We have exceeded the system-wide TCP client quota.  But,
 +		 * we can't just block this accept in all cases, because if
 +		 * we did, a heavy TCP load on other interfaces might cause
 +		 * this interface to be starved, with no clients able to
 +		 * accept new connections.
 +		 *
 +		 * So, we check here to see if any other clients are
 +		 * already servicing TCP queries on this interface (whether
 +		 * accepting, reading, or processing). If we find that at
 +		 * least one client other than this one is active, then
 +		 * it's okay *not* to call accept - we can let this
 +		 * client go inactive and another will take over when it's
 +		 * done.
 +		 *
 +		 * If there aren't enough active clients on the interface,
 +		 * then we can be a little bit flexible about the quota.
 +		 * We'll allow *one* extra client through to ensure we're
 +		 * listening on every interface; we do this by setting the
 +		 * 'force' option to tcpconn_init().
 +		 *
 +		 * (Note: In practice this means that the real TCP client
 +		 * quota is tcp-clients plus the number of listening
 +		 * interfaces plus 1.)
 +		 */
 +		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
 +			(client->tcpactive ? 1 : 0));
 +		if (exit) {
 +			client->newstate = NS_CLIENTSTATE_INACTIVE;
 +			(void)exit_check(client);
 +			return;
 +		}
 +
 +		result = tcpconn_init(client, ISC_TRUE);
 +		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 +	}
 +
 +	/*
 +	 * If this client was set up using get_client() or get_worker(),
 +	 * then TCP is already marked active. However, if it was restarted
 +	 * from exit_check(), it might not be, so we take care of it now.
 +	 */
 +	mark_tcp_active(client, ISC_TRUE);
 +
 	result = isc_socket_accept(client->tcplistener, client->task,
 				   client_newconn, client);
 	if (result != ISC_R_SUCCESS) {
 -		UNEXPECTED_ERROR(__FILE__, __LINE__,
 -				 "isc_socket_accept() failed: %s",
 -				 isc_result_totext(result));
 		/*
 		 * XXXRTH  What should we do?  We're trying to accept but
 		 *	   it didn't work.  If we just give up, then TCP
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
 		 *
 		 *	   For now, we just go idle.
 		 */
 +		UNEXPECTED_ERROR(__FILE__, __LINE__,
 +				 "isc_socket_accept() failed: %s",
 +				 isc_result_totext(result));
 +
 +		tcpconn_detach(client);
 +		mark_tcp_active(client, ISC_FALSE);
 		return;
 	}
 +
 +	/*
 +	 * The client's 'naccepts' counter indicates that this client has
 +	 * called accept() and is waiting for a new connection. It should
 +	 * never exceed 1.
 +	 */
 	INSIST(client->naccepts == 0);
 	client->naccepts++;
 -	LOCK(&client->interface->lock);
 -	client->interface->ntcpcurrent++;
 -	UNLOCK(&client->interface->lock);
 +
 +	/*
 +	 * The interface's 'ntcpaccepting' counter is incremented when
 +	 * any client calls accept(), and decremented in client_newconn()
 +	 * once the connection is established.
 +	 *
 +	 * When the client object is shutting down after handling a TCP
 +	 * request (see exit_check()), if this value is at least one, that
 +	 * means another client has called accept() and is waiting to
 +	 * establish the next connection. That means the client may be
 +	 * be free to become inactive; otherwise it may need to start
 +	 * listening for connections itself to prevent the interface
 +	 * going dead.
 +	 */
 +	isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
 }
 static void
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
 	REQUIRE(client->manager != NULL);
 	tcp = TCP_CLIENT(client);
 -	if (tcp && client->pipelined) {
 +	if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
 		result = get_worker(client->manager, client->interface,
 -				    client->tcpsocket);
 +				    client->tcpsocket, client);
 	} else {
 		result = get_client(client->manager, client->interface,
 				    client->dispatch, tcp);
 +
 	}
 -	if (result != ISC_R_SUCCESS)
 +	if (result != ISC_R_SUCCESS) {
 		return (result);
 +	}
 	/*
 	 * The responsibility for listening for new requests is hereby
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
 	client->dscp = ifp->dscp;
 	if (tcp) {
 +		mark_tcp_active(client, ISC_TRUE);
 +
 		client->attributes |= NS_CLIENTATTR_TCP;
 		isc_socket_attach(ifp->tcpsocket,
 				  &client->tcplistener);
 +
 	} else {
 		isc_socket_t *sock;
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
 }
 static isc_result_t
 -get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
 +get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
 +	   ns_client_t *oldclient)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_event_t *ev;
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
 	MTRACE("get worker");
 	REQUIRE(manager != NULL);
 +	REQUIRE(oldclient != NULL);
 	if (manager->exiting)
 		return (ISC_R_SHUTTINGDOWN);
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
 	ns_interface_attach(ifp, &client->interface);
 	client->newstate = client->state = NS_CLIENTSTATE_WORKING;
 	INSIST(client->recursionquota == NULL);
 -	client->tcpquota = &ns_g_server->tcpquota;
 	client->dscp = ifp->dscp;
 	client->attributes |= NS_CLIENTATTR_TCP;
 -	client->pipelined = ISC_TRUE;
 	client->mortal = ISC_TRUE;
 +	tcpconn_attach(oldclient, client);
 +	mark_tcp_active(client, ISC_TRUE);
 +
 	isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
 	isc_socket_attach(sock, &client->tcpsocket);
 	isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
 diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
 index 262b906..0f54d22 100644
 --- a/bin/named/include/named/client.h
 +++ b/bin/named/include/named/client.h
@@ -9,8 +9,6 @@
  * information regarding copyright ownership.
  */
 -/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
 -
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -77,6 +75,13 @@
  *** Types
  ***/
 +/*% reference-counted TCP connection object */
 +typedef struct ns_tcpconn {
 +	isc_refcount_t		refs;
 +	isc_quota_t		*tcpquota;
 +	isc_boolean_t		pipelined;
 +} ns_tcpconn_t;
 +
 /*% nameserver client structure */
 struct ns_client {
 	unsigned int		magic;
@@ -91,6 +96,7 @@ struct ns_client {
 	int			nupdates;
 	int			nctls;
 	int			references;
 +	isc_boolean_t		tcpactive;
 	isc_boolean_t		needshutdown; 	/*
 						 * Used by clienttest to get
 						 * the client to go from
@@ -129,8 +135,7 @@ struct ns_client {
 	dns_name_t		signername;   /*%< [T]SIG key name */
 	dns_name_t *		signer;	      /*%< NULL if not valid sig */
 	isc_boolean_t		mortal;	      /*%< Die after handling request */
 -	isc_boolean_t		pipelined;   /*%< TCP queries not in sequence */
 -	isc_quota_t		*tcpquota;
 +	ns_tcpconn_t		*tcpconn;
 	isc_quota_t		*recursionquota;
 	ns_interface_t		*interface;
 diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
 index 36870f3..d9ac90f 100644
 --- a/bin/named/include/named/interfacemgr.h
 +++ b/bin/named/include/named/interfacemgr.h
@@ -9,8 +9,6 @@
  * information regarding copyright ownership.
  */
 -/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
 -
 #ifndef NAMED_INTERFACEMGR_H
 #define NAMED_INTERFACEMGR_H 1
@@ -75,9 +73,14 @@ struct ns_interface {
 						/*%< UDP dispatchers. */
 	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
 	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
 -	int			ntcptarget;	/*%< Desired number of concurrent
 -						     TCP accepts */
 -	int			ntcpcurrent;	/*%< Current ditto, locked */
 +	int32_t			ntcpaccepting;	/*%< Number of clients
 +						     ready to accept new
 +						     TCP connections on this
 +						     interface */
 +	int32_t			ntcpactive;	/*%< Number of clients
 +						     servicing TCP queries
 +						     (whether accepting or
 +						     connected) */
 	int			nudpdispatch;	/*%< Number of UDP dispatches */
 	ns_clientmgr_t *	clientmgr;	/*%< Client manager. */
 	ISC_LINK(ns_interface_t) link;
 diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
 index d8c7188..96c080b 100644
 --- a/bin/named/interfacemgr.c
 +++ b/bin/named/interfacemgr.c
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
 	 * connections will be handled in parallel even though there is
 	 * only one client initially.
 	 */
 -	ifp->ntcptarget = 1;
 -	ifp->ntcpcurrent = 0;
 +	ifp->ntcpaccepting = 0;
 +	ifp->ntcpactive = 0;
 +
 	ifp->nudpdispatch = 0;
 	ifp->dscp = -1;
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
 	 */
 	(void)isc_socket_filter(ifp->tcpsocket, "dataready");
 -	result = ns_clientmgr_createclients(ifp->clientmgr,
 -					    ifp->ntcptarget, ifp,
 -					    ISC_TRUE);
 +	result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "TCP ns_clientmgr_createclients(): %s",
 diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
 index b9bf598..36c5830 100644
 --- a/lib/isc/include/isc/quota.h
 +++ b/lib/isc/include/isc/quota.h
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
  * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
  */
 +isc_result_t
 +isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
 +/*%<
 + * Like isc_quota_attach, but will attach '*p' to the quota
 + * even if the hard quota has been exceeded.
 + */
 +
 void
 isc_quota_detach(isc_quota_t **p);
 /*%<
 diff --git a/lib/isc/quota.c b/lib/isc/quota.c
 index 3ddff0d..20976a4 100644
 --- a/lib/isc/quota.c
 +++ b/lib/isc/quota.c
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
 	UNLOCK(&quota->lock);
 }
 -isc_result_t
 -isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
 -{
 +static isc_result_t
 +doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
 	isc_result_t result;
 -	INSIST(p != NULL && *p == NULL);
 +	REQUIRE(p != NULL && *p == NULL);
 +
 	result = isc_quota_reserve(quota);
 -	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
 +	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
 +		*p = quota;
 +	} else if (result == ISC_R_QUOTA && force) {
 +		/* attach anyway */
 +		LOCK(&quota->lock);
 +		quota->used++;
 +		UNLOCK(&quota->lock);
 +
 		*p = quota;
 +		result = ISC_R_SUCCESS;
 +	}
 +
 	return (result);
 }
 +isc_result_t
 +isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
 +	return (doattach(quota, p, ISC_FALSE));
 +}
 +
 +isc_result_t
 +isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
 +	return (doattach(quota, p, ISC_TRUE));
 +}
 +
 void
 -isc_quota_detach(isc_quota_t **p)
 -{
 +isc_quota_detach(isc_quota_t **p) {
 	INSIST(p != NULL && *p != NULL);
 	isc_quota_release(*p);
 	*p = NULL;
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-CVE-2018-5744-test.patch
+++ b/SOURCES/bind-9.11-CVE-2018-5744-test.patch
@ -1,44 +0,0 @@
 From 4b9bfa5c8cae6f81e94af0f582bf9686320144db Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Mon, 10 Dec 2018 13:33:54 +1100
 Subject: [PATCH] check that multiple KEY-TAG trust-anchor-telemetry options
 don't leak memory
 (cherry picked from commit 4b1dc4a5445e9561f2208f9388cf9f9e2cfcbe51)
 (cherry picked from commit f545e9dff1f0eadcdea5531ef7062324d232c716)
 (cherry picked from commit 2bda5ac2e1635ac10a595c4ff155516ded7abec2)
 ---
 bin/tests/system/dnssec/tests.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
 diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
 index 3156668..b1907c7 100644
 --- a/bin/tests/system/dnssec/tests.sh
 +++ b/bin/tests/system/dnssec/tests.sh
@@ -3508,11 +3508,22 @@ status=`expr $status + $ret`
 echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
 ret=0
 -$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
 +$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
 +ret=0
 +$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
 +grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
 +grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
 +(cd "$SYSTEMTESTTOP" && $PERL ./stop.pl dnssec ns1) || ret=1
 +(cd "$SYSTEMTESTTOP" && $PERL ./start.pl --noclean --restart --port ${PORT} dnssec ns1) || ret=1
 +n=`expr $n + 1`
 +test "$ret" -eq 0 || echo_i "failed"
 +status=`expr $status + $ret`
 +
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-CVE-2018-5744.patch
+++ b/SOURCES/bind-9.11-CVE-2018-5744.patch
@ -1,31 +0,0 @@
 From a4e1db793d4971d87631276ea57808074ed2c1c7 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 21 Feb 2019 17:23:53 +0100
 Subject: [PATCH 1/3] Fix CVE-2018-5744
 5110.	[security]	Named leaked memory if there were multiple Key Tag
 			EDNS options present. (CVE-2018-5744) [GL #772]
 ---
 bin/named/client.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/bin/named/client.c b/bin/named/client.c
 index b9ebc93..b7d8a98 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
@@ -2112,6 +2112,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 		return (DNS_R_OPTERR);
 	}
 +	/* Silently drop additional keytag options. */
 +	if (client->keytag != NULL) {
 +		isc_buffer_forward(buf, (unsigned int)optlen);
 +		return (ISC_R_SUCCESS);
 +	}
 +
 	client->keytag = isc_mem_get(client->mctx, optlen);
 	if (client->keytag != NULL) {
 		client->keytag_len = (isc_uint16_t)optlen;
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-CVE-2019-6471.patch
+++ b/SOURCES/bind-9.11-CVE-2019-6471.patch
@ -1,48 +0,0 @@
 From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Wed, 19 Jun 2019 12:28:08 +0200
 Subject: [PATCH] Fix CVE-2019-6471
 5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
 			that could cause an assertion failure if a
 			significant number of incoming packets were
 			rejected. (CVE-2019-6471) [GL #942]
 ---
 lib/dns/dispatch.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
 index 321459ebcb..ae5c9c0fc7 100644
 --- a/lib/dns/dispatch.c
 +++ b/lib/dns/dispatch.c
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
 	disp = resp->disp;
 	REQUIRE(VALID_DISPATCH(disp));
 -	REQUIRE(resp->item_out == ISC_TRUE);
 -	resp->item_out = ISC_FALSE;
 -
 	ev = *sockevent;
 	*sockevent = NULL;
 	LOCK(&disp->lock);
 +
 +	REQUIRE(resp->item_out == ISC_TRUE);
 +	resp->item_out = ISC_FALSE;
 +
 	if (ev->buffer.base != NULL)
 		free_buffer(disp, ev->buffer.base, ev->buffer.length);
 	free_devent(disp, ev);
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
 		isc_task_send(disp->task[0], &disp->ctlevent);
 }
 +/*
 + * disp must be locked.
 + */
 static void
 do_cancel(dns_dispatch_t *disp) {
 	dns_dispatchevent_t *ev;
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-CVE-2021-25220-test.patch
+++ b/SOURCES/bind-9.11-CVE-2021-25220-test.patch
--- a/SOURCES/bind-9.11-CVE-2021-25220.patch
+++ b/SOURCES/bind-9.11-CVE-2021-25220.patch
@ -0,0 +1,254 @@
 From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Tue, 1 Mar 2022 09:48:05 +1100
 Subject: [PATCH] Add additional name checks when using a forwarder
 When using a forwarder, check that the owner name of response
 records are within the bailiwick of the forwarded name space.
 (cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028)
 Check that the forward declaration is unchanged and not overridden
 If we are using a fowarder, in addition to checking that names to
 be cached are subdomains of the forwarded namespace, we must also
 check that there are no subsidiary forwarded namespaces which would
 take precedence. To be safe, we don't cache any responses if the
 forwarding configuration has changed since the query was sent.
 (cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972)
 Check cached names for possible "forward only" clause
 When caching additional and glue data *not* from a forwarder, we must
 check that there is no "forward only" clause covering the owner name
 that would take precedence.  Such names would normally be allowed by
 baliwick rules, but a "forward only" zone introduces a new baliwick
 scope.
 (cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe)
 Look for zones deeper than the current domain or forward name
 When caching glue, we need to ensure that there is no closer
 source of truth for the name. If the owner name for the glue
 record would be answered by a locally configured zone, do not
 cache.
 (cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754)
 Avoid use of compound literals
 Compound literals are not used in BIND 9.11, in order to ensure backward
 compatibility with ancient compilers.  Rework the relevant parts of the
 BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
 are not used.
 (cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15)
 ---
 lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 125 insertions(+), 5 deletions(-)
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
 index c912f3aea8..2c68973899 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
@@ -63,6 +63,7 @@
 #include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/validator.h>
 +#include <dns/zone.h>
 #ifdef WANT_QUERYTRACE
 #define RTRACE(m)       isc_log_write(dns_lctx, \
@@ -312,6 +313,8 @@ struct fetchctx {
 	bool			ns_ttl_ok;
 	uint32_t			ns_ttl;
 	isc_counter_t *			qc;
 +	dns_fixedname_t			fwdfname;
 +	dns_name_t			*fwdname;
 	/*%
 	 * The number of events we're waiting for.
@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 		if (result == ISC_R_SUCCESS) {
 			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
 			fctx->fwdpolicy = forwarders->fwdpolicy;
 +			dns_name_copy(domain, fctx->fwdname, NULL);
 			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
 			    isstrictsubdomain(domain, &fctx->domain)) {
 				fcount_decr(fctx);
@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->restarts = 0;
 	fctx->querysent = 0;
 	fctx->referrals = 0;
 +
 +	fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
 +
 	TIME_NOW(&fctx->start);
 	fctx->timeouts = 0;
 	fctx->lamecount = 0;
@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 		domain = dns_fixedname_initname(&fixed);
 		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
 					    domain, &forwarders);
 -		if (result == ISC_R_SUCCESS)
 +		if (result == ISC_R_SUCCESS) {
 			fctx->fwdpolicy = forwarders->fwdpolicy;
 +			dns_name_copy(domain, fctx->fwdname, NULL);
 +		}
 		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
 			/*
@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
 		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
 }
 +/*
 + * Returns true if 'name' is external to the namespace for which
 + * the server being queried can answer, either because it's not a
 + * subdomain or because it's below a forward declaration or a
 + * locally served zone.
 + */
 +static inline bool
 +name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
 +	isc_result_t result;
 +	dns_forwarders_t *forwarders = NULL;
 +	dns_fixedname_t fixed, zfixed;
 +	dns_name_t *fname = dns_fixedname_initname(&fixed);
 +	dns_name_t *zfname = dns_fixedname_initname(&zfixed);
 +	dns_name_t *apex = NULL;
 +	dns_name_t suffix;
 +	dns_zone_t *zone = NULL;
 +	unsigned int labels;
 +	dns_namereln_t rel;
 +	/*
 +	 * The following two variables do not influence code flow; they are
 +	 * only necessary for calling dns_name_fullcompare().
 +	 */
 +	int _orderp = 0;
 +	unsigned int _nlabelsp = 0;
 +
 +	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
 +
 +	/*
 +	 * The name is outside the queried namespace.
 +	 */
 +	rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
 +	if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
 +		return (true);
 +	}
 +
 +	/*
 +	 * If the record lives in the parent zone, adjust the name so we
 +	 * look for the correct zone or forward clause.
 +	 */
 +	labels = dns_name_countlabels(name);
 +	if (dns_rdatatype_atparent(type) && labels > 1U) {
 +		dns_name_init(&suffix, NULL);
 +		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
 +		name = &suffix;
 +	} else if (rel == dns_namereln_equal) {
 +		/* If 'name' is 'apex', no further checking is needed. */
 +		return (false);
 +	}
 +
 +	/*
 +	 * If there is a locally served zone between 'apex' and 'name'
 +	 * then don't cache.
 +	 */
 +	LOCK(&fctx->res->view->lock);
 +	if (fctx->res->view->zonetable != NULL) {
 +		unsigned int options = DNS_ZTFIND_NOEXACT;
 +		result = dns_zt_find(fctx->res->view->zonetable, name, options,
 +				     zfname, &zone);
 +		if (zone != NULL) {
 +			dns_zone_detach(&zone);
 +		}
 +		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 +			if (dns_name_fullcompare(zfname, apex, &_orderp,
 +						 &_nlabelsp) ==
 +			    dns_namereln_subdomain)
 +			{
 +				UNLOCK(&fctx->res->view->lock);
 +				return (true);
 +			}
 +		}
 +	}
 +	UNLOCK(&fctx->res->view->lock);
 +
 +	/*
 +	 * Look for a forward declaration below 'name'.
 +	 */
 +	result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
 +				    &forwarders);
 +
 +	if (ISFORWARDER(fctx->addrinfo)) {
 +		/*
 +		 * See if the forwarder declaration is better.
 +		 */
 +		if (result == ISC_R_SUCCESS) {
 +			return (!dns_name_equal(fname, fctx->fwdname));
 +		}
 +
 +		/*
 +		 * If the lookup failed, the configuration must have
 +		 * changed: play it safe and don't cache.
 +		 */
 +		return (true);
 +	} else if (result == ISC_R_SUCCESS &&
 +		   forwarders->fwdpolicy == dns_fwdpolicy_only &&
 +		   !ISC_LIST_EMPTY(forwarders->fwdrs))
 +	{
 +		/*
 +		 * If 'name' is covered by a 'forward only' clause then we
 +		 * can't cache this repsonse.
 +		 */
 +		return (true);
 +	}
 +
 +	return (false);
 +}
 +
 static isc_result_t
 check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 	      dns_section_t section)
@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 	result = dns_message_findname(rmessage, section, addname,
 				      dns_rdatatype_any, 0, &name, NULL);
 	if (result == ISC_R_SUCCESS) {
 -		external = !dns_name_issubdomain(name, &fctx->domain);
 +		external = name_external(name, type, fctx);
 		if (type == dns_rdatatype_a) {
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 			break;
 		case dns_namereln_subdomain:
 +			/*
 +			 * Don't accept DNAME from parent namespace.
 +			 */
 +			if (name_external(name, dns_rdatatype_dname, fctx)) {
 +				continue;
 +			}
 +
 			/*
 			 * In-scope DNAME records must have at least
 			 * as many labels as the domain being queried.
@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
 	 */
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	while (!done && result == ISC_R_SUCCESS) {
 -		bool external;
 		name = NULL;
 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
 -		external = !dns_name_issubdomain(name, &fctx->domain);
 -		if (!external) {
 +		if (!name_external(name, dns_rdatatype_ns, fctx)) {
 			/*
 			 * We expect to find NS or SIG NS rdatasets, and
 			 * nothing else.
 -- 
 2.34.1
--- a/SOURCES/bind-9.11-CVE-2022-2795.patch
+++ b/SOURCES/bind-9.11-CVE-2022-2795.patch
@ -0,0 +1,61 @@
 From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
 Date: Thu, 8 Sep 2022 11:11:30 +0200
 Subject: [PATCH] Bound the amount of work performed for delegations
 Limit the amount of database lookups that can be triggered in
 fctx_getaddresses() (i.e. when determining the name server addresses to
 query next) by setting a hard limit on the number of NS RRs processed
 for any delegation encountered.  Without any limit in place, named can
 be forced to perform large amounts of database lookups per each query
 received, which severely impacts resolver performance.
 The limit used (20) is an arbitrary value that is considered to be big
 enough for any sane DNS delegation.
 (cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
 (cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
 ---
 lib/dns/resolver.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
 index 8ae9a993bb..ac9a9ef5d0 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
@@ -180,6 +180,12 @@
  */
 #define NS_FAIL_LIMIT 4
 #define NS_RR_LIMIT   5
 +/*
 + * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
 + * any NS RRset encountered, to avoid excessive resource use while processing
 + * large delegations.
 + */
 +#define NS_PROCESSING_LIMIT 20
 /* Number of hash buckets for zone counters */
 #ifndef RES_DOMAIN_BUCKETS
@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 	bool need_alternate = false;
 	bool all_spilled = true;
 	unsigned int no_addresses = 0;
 +	unsigned int ns_processed = 0;
 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
 +
 +		if (++ns_processed >= NS_PROCESSING_LIMIT) {
 +			result = ISC_R_NOMORE;
 +			break;
 +		}
 	}
 	if (result != ISC_R_NOMORE) {
 		return (result);
 -- 
 2.37.3
--- a/SOURCES/bind-9.11-CVE-2023-2828-fixup.patch
+++ b/SOURCES/bind-9.11-CVE-2023-2828-fixup.patch
@ -0,0 +1,46 @@
 From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Fri, 23 Feb 2024 10:12:47 +1100
 Subject: [PATCH] Do not use header_prev in expire_lru_headers
 dns__cacherbt_expireheader can unlink / free header_prev underneath
 it.  Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
 instead to get the next pointer to be processed.
 (cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
 (cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
 ---
 lib/dns/rbtdb.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 index cc40eaec60..ee59c1b18b 100644
 --- a/lib/dns/rbtdb.c
 +++ b/lib/dns/rbtdb.c
@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
 		   bool tree_locked) {
 -	rdatasetheader_t *header, *header_prev;
 +	rdatasetheader_t *header;
 	size_t purged = 0;
 	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
 -	     header != NULL && purged <= purgesize; header = header_prev)
 +	     header != NULL && purged <= purgesize;
 +	     header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
 	{
 -		header_prev = ISC_LIST_PREV(header, link);
 		/*
 		 * Unlink the entry at this point to avoid checking it
 		 * again even if it's currently used someone else and
 		 * cannot be purged at this moment.  This entry won't be
 		 * referenced any more (so unlinking is safe) since the
 -		 * TTL was reset to 0.
 +		 * TTL will be reset to 0.
 		 */
 		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
 		size_t header_size = rdataset_size(header);
 -- 
 2.43.2
--- a/SOURCES/bind-9.11-CVE-2023-2828.patch
+++ b/SOURCES/bind-9.11-CVE-2023-2828.patch
@ -0,0 +1,193 @@
 From f3aa755ba5ae5148dd0567357f8c538072e2eabc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Tue, 30 May 2023 08:46:17 +0200
 Subject: [PATCH] Improve RBT overmem cache cleaning
 When cache memory usage is over the configured cache size (overmem) and
 we are cleaning unused entries, it might not be enough to clean just two
 entries if the entries to be expired are smaller than the newly added
 rdata.  This could be abused by an attacker to cause a remote Denial of
 Service by possibly running out of the operating system memory.
 Currently, the addrdataset() tries to do a single TTL-based cleaning
 considering the serve-stale TTL and then optionally moves to overmem
 cleaning if we are in that condition.  Then the overmem_purge() tries to
 do another single TTL based cleaning from the TTL heap and then continue
 with LRU-based cleaning up to 2 entries cleaned.
 Squash the TTL-cleaning mechanism into single call from addrdataset(),
 but ignore the serve-stale TTL if we are currently overmem.
 Then instead of having a fixed number of entries to clean, pass the size
 of newly added rdatasetheader to the overmem_purge() function and
 cleanup at least the size of the newly added data.  This prevents the
 cache going over the configured memory limit (`max-cache-size`).
 Additionally, refactor the overmem_purge() function to reduce for-loop
 nesting for readability.
 ---
 lib/dns/rbtdb.c | 109 +++++++++++++++++++++++++++++-------------------
 1 file changed, 67 insertions(+), 42 deletions(-)
 diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 index 11203e4..cc40eae 100644
 --- a/lib/dns/rbtdb.c
 +++ b/lib/dns/rbtdb.c
@@ -834,7 +834,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 			  bool tree_locked, expire_t reason);
 static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
 -			  isc_stdtime_t now, bool tree_locked);
 +			  size_t purgesize, bool tree_locked);
 static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
 				  rdatasetheader_t *newheader);
 static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
@@ -6937,6 +6937,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
 static dns_dbmethods_t zone_methods;
 +static size_t
 +rdataset_size(rdatasetheader_t *header) {
 +	if (!NONEXISTENT(header)) {
 +		return (dns_rdataslab_size((unsigned char *)header,
 +					   sizeof(*header)));
 +	}
 +
 +	return (sizeof(*header));
 +}
 +
 static isc_result_t
 addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
@@ -7091,7 +7101,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	}
 	if (cache_is_overmem)
 -		overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
 +		overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
 +			      tree_locked);
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
@@ -7106,9 +7117,19 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
 		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
 -		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
 -			expire_header(rbtdb, header, tree_locked,
 -				      expire_ttl);
 +		if (header != NULL) {
 +			dns_ttl_t rdh_ttl = header->rdh_ttl;
 +
 +			/* Only account for stale TTL if cache is not overmem */
 +			if (!cache_is_overmem) {
 +				rdh_ttl += rbtdb->serve_stale_ttl;
 +			}
 +
 +			if (rdh_ttl < now - RBTDB_VIRTUAL) {
 +				expire_header(rbtdb, header, tree_locked,
 +					      expire_ttl);
 +			}
 +		}
 		/*
 		 * If we've been holding a write lock on the tree just for
@@ -10643,54 +10664,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
 }
 +static size_t
 +expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
 +		   bool tree_locked) {
 +	rdatasetheader_t *header, *header_prev;
 +	size_t purged = 0;
 +
 +	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
 +	     header != NULL && purged <= purgesize; header = header_prev)
 +	{
 +		header_prev = ISC_LIST_PREV(header, link);
 +		/*
 +		 * Unlink the entry at this point to avoid checking it
 +		 * again even if it's currently used someone else and
 +		 * cannot be purged at this moment.  This entry won't be
 +		 * referenced any more (so unlinking is safe) since the
 +		 * TTL was reset to 0.
 +		 */
 +		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
 +		size_t header_size = rdataset_size(header);
 +		expire_header(rbtdb, header, tree_locked, expire_lru);
 +		purged += header_size;
 +	}
 +
 +	return (purged);
 +}
 +
 /*%
 - * Purge some expired and/or stale (i.e. unused for some period) cache entries
 - * under an overmem condition.  To recover from this condition quickly, up to
 - * 2 entries will be purged.  This process is triggered while adding a new
 - * entry, and we specifically avoid purging entries in the same LRU bucket as
 - * the one to which the new entry will belong.  Otherwise, we might purge
 - * entries of the same name of different RR types while adding RRsets from a
 - * single response (consider the case where we're adding A and AAAA glue records
 - * of the same NS name).
 + * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
 + * entries under the overmem condition.  To recover from this condition quickly,
 + * we cleanup entries up to the size of newly added rdata (passed as purgesize).
 + *
 + * This process is triggered while adding a new entry, and we specifically avoid
 + * purging entries in the same LRU bucket as the one to which the new entry will
 + * belong.  Otherwise, we might purge entries of the same name of different RR
 + * types while adding RRsets from a single response (consider the case where
 + * we're adding A and AAAA glue records of the same NS name).
  */
 static void
 -overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
 -	      isc_stdtime_t now, bool tree_locked)
 +overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
 +	      bool tree_locked)
 {
 -	rdatasetheader_t *header, *header_prev;
 	unsigned int locknum;
 -	int purgecount = 2;
 +	size_t purged = 0;
 	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
 -	     locknum != locknum_start && purgecount > 0;
 +	     locknum != locknum_start && purged <= purgesize;
 	     locknum = (locknum + 1) % rbtdb->node_lock_count) {
 		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
 			  isc_rwlocktype_write);
 -		header = isc_heap_element(rbtdb->heaps[locknum], 1);
 -		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
 -			expire_header(rbtdb, header, tree_locked,
 -				      expire_ttl);
 -			purgecount--;
 -		}
 -
 -		for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
 -		     header != NULL && purgecount > 0;
 -		     header = header_prev) {
 -			header_prev = ISC_LIST_PREV(header, link);
 -			/*
 -			 * Unlink the entry at this point to avoid checking it
 -			 * again even if it's currently used someone else and
 -			 * cannot be purged at this moment.  This entry won't be
 -			 * referenced any more (so unlinking is safe) since the
 -			 * TTL was reset to 0.
 -			 */
 -			ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
 -					link);
 -			expire_header(rbtdb, header, tree_locked,
 -				      expire_lru);
 -			purgecount--;
 -		}
 +		purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
 +					     tree_locked);
 		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
 				    isc_rwlocktype_write);
 -- 
 2.40.1
--- a/SOURCES/bind-9.11-CVE-2023-4408.patch
+++ b/SOURCES/bind-9.11-CVE-2023-4408.patch
--- a/SOURCES/bind-9.11-CVE-2023-50387-fixup.patch
+++ b/SOURCES/bind-9.11-CVE-2023-50387-fixup.patch
@ -0,0 +1,64 @@
 From f0fc9d7999a94da3d471c4e0a35b1f447f25eea6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Mon, 26 Feb 2024 21:08:42 +0100
 Subject: [PATCH] Add normal task queue also to non-thread version
 Non-thread builds are used by us for dhcp package. Make it working
 again.
 Related to [GL #4424] and [GL #4459].
 ---
 lib/isc/task.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
 diff --git a/lib/isc/task.c b/lib/isc/task.c
 index cc83269..5315b51 100644
 --- a/lib/isc/task.c
 +++ b/lib/isc/task.c
@@ -1115,7 +1115,7 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
 		}
 #else /* USE_WORKER_THREADS */
 		if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
 -		    empty_readyq(manager))
 +		    empty_readyq(manager, qid))
 			break;
 #endif /* USE_WORKER_THREADS */
 		XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
@@ -1318,11 +1318,11 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
 	}
 #ifndef USE_WORKER_THREADS
 -	ISC_LIST_APPENDLIST(manager->ready_tasks, new_ready_tasks, ready_link);
 -	ISC_LIST_APPENDLIST(manager->ready_priority_tasks, new_priority_tasks,
 +	ISC_LIST_APPENDLIST(manager->ready_tasks[qid], new_ready_tasks, ready_link);
 +	ISC_LIST_APPENDLIST(manager->ready_priority_tasks[qid], new_priority_tasks,
 			    ready_priority_link);
 	manager->tasks_ready += tasks_ready;
 -	if (empty_readyq(manager))
 +	if (empty_readyq(manager, qid))
 		manager->mode = isc_taskmgrmode_normal;
 #endif
@@ -1713,7 +1713,8 @@ isc__taskmgr_ready(isc_taskmgr_t *manager0) {
 		return (false);
 	LOCK(&manager->lock);
 -	is_ready = !empty_readyq(manager);
 +	is_ready = !empty_readyq(manager, isc_taskqueue_normal) ||
 +		   !empty_readyq(manager, isc_taskqueue_slow);
 	UNLOCK(&manager->lock);
 	return (is_ready);
@@ -1730,7 +1731,8 @@ isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
 	if (manager == NULL)
 		return (ISC_R_NOTFOUND);
 -	dispatch(manager);
 +	dispatch(manager, isc_taskqueue_normal);
 +	dispatch(manager, isc_taskqueue_slow);
 	return (ISC_R_SUCCESS);
 }
 -- 
 2.43.2
--- a/SOURCES/bind-9.11-CVE-2023-50387.patch
+++ b/SOURCES/bind-9.11-CVE-2023-50387.patch
@ -0,0 +1,737 @@
 From 4c20ab54ec503f65d8ee0b863cbf41103d95130a Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Wed, 22 Nov 2023 16:59:03 +1100
 Subject: [PATCH] Fail the DNSSEC validation on the first failure
 Be more strict when encountering DNSSEC validation failures - fail on
 the first failure.  This will break domains that have DNSSEC signing
 keys with duplicate key ids, but this is something that's much easier
 to fix on the authoritative side, so we are just going to be strict
 on the resolver side where it is causing performance problems.
 (cherry picked from commit 8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34)
 Add normal and slow task queues
 Split the task manager queues into normal and slow task queues, so we
 can move the tasks that blocks processing for a long time (like DNSSEC
 validation) into the slow queue which doesn't block fast
 operations (like responding from the cache).  This mitigates the whole
 class of KeyTrap-like issues.
 (cherry picked from commit db083a21726300916fa0b9fd8a433a796fedf636)
 Don't iterate from start every time we select new signing key
 Improve the selecting of the new signing key by remembering where
 we stopped the iteration and just continue from that place instead
 of iterating from the start over and over again each time.
 (cherry picked from commit 75faeefcab47e4f1e12b358525190b4be90f97de)
 Optimize selecting the signing key
 Don't parse the crypto data before parsing and matching the id and the
 algorithm.
 (cherry picked from commit b38552cca7200a72658e482f8407f57516efc5db)
 6322.	[security]	Specific DNS answers could cause a denial-of-service
 			condition due to DNS validation taking a long time.
 			(CVE-2023-50387) [GL #4424]
 			The same code change also addresses another problem:
 			preparing NSEC3 closest encloser proofs could exhaust
 			available CPU resources. (CVE-2023-50868) [GL #4459]
 ---
 lib/dns/dst_api.c               |  25 ++++--
 lib/dns/include/dns/validator.h |   1 +
 lib/dns/include/dst/dst.h       |   4 +
 lib/dns/resolver.c              |   2 +-
 lib/dns/validator.c             |  97 +++++++++-----------
 lib/dns/win32/libdns.def.in     |   1 +
 lib/isc/include/isc/task.h      |  11 ++-
 lib/isc/task.c                  | 153 ++++++++++++++++++++++----------
 8 files changed, 186 insertions(+), 108 deletions(-)
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
 index 2156384ec1..6bcd99796c 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
@@ -105,6 +105,7 @@ static isc_result_t	frombuffer(dns_name_t *name,
 				   dns_rdataclass_t rdclass,
 				   isc_buffer_t *source,
 				   isc_mem_t *mctx,
 +				   bool no_rdata,
 				   dst_key_t **keyp);
 static isc_result_t	algorithm_status(unsigned int alg);
@@ -764,6 +765,13 @@ isc_result_t
 dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
 		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
 {
 +	return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp));
 +}
 +
 +isc_result_t
 +dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass,
 +		   isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
 +		   dst_key_t **keyp) {
 	uint8_t alg, proto;
 	uint32_t flags, extflags;
 	dst_key_t *key = NULL;
@@ -792,7 +800,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
 	}
 	result = frombuffer(name, alg, flags, proto, rdclass, source,
 -			    mctx, &key);
 +			    mctx, no_rdata, &key);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	key->key_id = id;
@@ -814,7 +822,7 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg,
 	REQUIRE(dst_initialized);
 	result = frombuffer(name, alg, flags, protocol, rdclass, source,
 -			    mctx, &key);
 +			    mctx, false, &key);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -1915,7 +1923,8 @@ computeid(dst_key_t *key) {
 static isc_result_t
 frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
 	   unsigned int protocol, dns_rdataclass_t rdclass,
 -	   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
 +	   isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
 +	   dst_key_t **keyp)
 {
 	dst_key_t *key;
 	isc_result_t ret;
@@ -1940,10 +1949,12 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
 			return (DST_R_UNSUPPORTEDALG);
 		}
 -		ret = key->func->fromdns(key, source);
 -		if (ret != ISC_R_SUCCESS) {
 -			dst_key_free(&key);
 -			return (ret);
 +		if (!no_rdata) {
 +			ret = key->func->fromdns(key, source);
 +			if (ret != ISC_R_SUCCESS) {
 +				dst_key_free(&key);
 +				return (ret);
 +			}
 		}
 	}
 diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
 index cc4478d6d4..b4bf8f29db 100644
 --- a/lib/dns/include/dns/validator.h
 +++ b/lib/dns/include/dns/validator.h
@@ -160,6 +160,7 @@ struct dns_validator {
 	unsigned int			depth;
 	unsigned int			authcount;
 	unsigned int			authfail;
 +	bool				failed;
 	isc_stdtime_t			start;
 };
 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
 index 180c841307..a8be2daf67 100644
 --- a/lib/dns/include/dst/dst.h
 +++ b/lib/dns/include/dst/dst.h
@@ -435,6 +435,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory);
  */
 isc_result_t
 +dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass,
 +		   isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
 +		   dst_key_t **keyp);
 +isc_result_t
 dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
 		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
 /*%<
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
 index 4f71f48039..487107614c 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
@@ -9267,7 +9267,7 @@ dns_resolver_create(dns_view_t *view,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_buckets;
 		res->buckets[i].task = NULL;
 -		result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
 +		result = isc_task_create(taskmgr, ISC_TASK_QUANTUM_SLOW, &res->buckets[i].task);
 		if (result != ISC_R_SUCCESS) {
 			DESTROYLOCK(&res->buckets[i].lock);
 			goto cleanup_buckets;
 diff --git a/lib/dns/validator.c b/lib/dns/validator.c
 index 2a5c3caa6a..0b257fe874 100644
 --- a/lib/dns/validator.c
 +++ b/lib/dns/validator.c
@@ -1207,6 +1207,12 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
  * val->key at it.
  *
  * If val->key is non-NULL, this returns the next matching key.
 + * If val->key is already non-NULL, start searching from the next position in
 + * 'rdataset' to find the *next* key that could have signed 'siginfo', then
 + * set val->key to that.
 + *
 + * Returns ISC_R_SUCCESS if a possible matching key has been found,
 + * ISC_R_NOTFOUND if not. Any other value indicates error.
  */
 static isc_result_t
 get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
@@ -1216,54 +1222,59 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 	isc_buffer_t b;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dst_key_t *oldkey = val->key;
 -	bool foundold;
 +	bool no_rdata = false;
 -	if (oldkey == NULL)
 -		foundold = true;
 -	else {
 -		foundold = false;
 +	if (oldkey == NULL) {
 +		result = dns_rdataset_first(rdataset);
 +	} else {
 +		dst_key_free(&oldkey);
 		val->key = NULL;
 +		result = dns_rdataset_next(rdataset);
 +	}
 +
 +	if (result != ISC_R_SUCCESS) {
 +		goto done;
 	}
 -	result = dns_rdataset_first(rdataset);
 -	if (result != ISC_R_SUCCESS)
 -		goto failure;
 	do {
 		dns_rdataset_current(rdataset, &rdata);
 		isc_buffer_init(&b, rdata.data, rdata.length);
 		isc_buffer_add(&b, rdata.length);
 		INSIST(val->key == NULL);
 -		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
 -					 val->view->mctx, &val->key);
 +		result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b,
 +					    val->view->mctx, no_rdata,
 +					    &val->key);
 		if (result == ISC_R_SUCCESS) {
 			if (siginfo->algorithm ==
 				    (dns_secalg_t)dst_key_alg(val->key) &&
 			    siginfo->keyid ==
 				    (dns_keytag_t)dst_key_id(val->key) &&
 +			    (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
 +				    0 &&
 			    dst_key_iszonekey(val->key))
 			{
 -				if (foundold) {
 -					/*
 -					 * This is the key we're looking for.
 -					 */
 -					return (ISC_R_SUCCESS);
 -				} else if (dst_key_compare(oldkey, val->key)) {
 -					foundold = true;
 -					dst_key_free(&oldkey);
 +				if (no_rdata) {
 +					/* Retry with full key */
 +					dns_rdata_reset(&rdata);
 +					dst_key_free(&val->key);
 +					no_rdata = false;
 +					continue;
 				}
 +				/* This is the key we're looking for. */
 +				goto done;
 			}
 			dst_key_free(&val->key);
 		}
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(rdataset);
 +		no_rdata = true;
 	} while (result == ISC_R_SUCCESS);
 -	if (result == ISC_R_NOMORE)
 -		result = ISC_R_NOTFOUND;
 - failure:
 -	if (oldkey != NULL)
 -		dst_key_free(&oldkey);
 +done:
 +	if (result == ISC_R_NOMORE) {
 +		result = ISC_R_NOTFOUND;
 +	}
 	return (result);
 }
@@ -1633,37 +1644,13 @@ validate(dns_validator_t *val, bool resume) {
 			continue;
 		}
 -		do {
 -			vresult = verify(val, val->key, &rdata,
 -					val->siginfo->keyid);
 -			if (vresult == ISC_R_SUCCESS)
 -				break;
 -			if (val->keynode != NULL) {
 -				dns_keynode_t *nextnode = NULL;
 -				result = dns_keytable_findnextkeynode(
 -							val->keytable,
 -							val->keynode,
 -							&nextnode);
 -				dns_keytable_detachkeynode(val->keytable,
 -							   &val->keynode);
 -				val->keynode = nextnode;
 -				if (result != ISC_R_SUCCESS) {
 -					val->key = NULL;
 -					break;
 -				}
 -				val->key = dns_keynode_key(val->keynode);
 -				if (val->key == NULL)
 -					break;
 -			} else {
 -				if (get_dst_key(val, val->siginfo, val->keyset)
 -				    != ISC_R_SUCCESS)
 -					break;
 -			}
 -		} while (1);
 -		if (vresult != ISC_R_SUCCESS)
 +		vresult = verify(val, val->key, &rdata,
 +				val->siginfo->keyid);
 +		if (vresult != ISC_R_SUCCESS) {
 +			val->failed = true;
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "failed to verify rdataset");
 -		else {
 +		} else {
 			dns_rdataset_trimttl(event->rdataset,
 					     event->sigrdataset,
 					     val->siginfo, val->start,
@@ -1700,9 +1687,13 @@ validate(dns_validator_t *val, bool resume) {
 		} else {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "verify failure: %s",
 -				      isc_result_totext(result));
 +				      isc_result_totext(vresult));
 			resume = false;
 		}
 +		if (val->failed) {
 +			result = ISC_R_NOMORE;
 +			break;
 +		}
 	}
 	if (result != ISC_R_NOMORE) {
 		validator_log(val, ISC_LOG_DEBUG(3),
 diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
 index f597049493..7320653439 100644
 --- a/lib/dns/win32/libdns.def.in
 +++ b/lib/dns/win32/libdns.def.in
@@ -1439,6 +1439,7 @@ dst_key_format
 dst_key_free
 dst_key_frombuffer
 dst_key_fromdns
 +dst_key_fromdns_ex
 dst_key_fromfile
 dst_key_fromgssapi
 dst_key_fromlabel
 diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
 index 28e5e25fc6..42f7763869 100644
 --- a/lib/isc/include/isc/task.h
 +++ b/lib/isc/include/isc/task.h
@@ -98,8 +98,15 @@ ISC_LANG_BEGINDECLS
  ***/
 typedef enum {
 -		isc_taskmgrmode_normal = 0,
 -		isc_taskmgrmode_privileged
 +	isc_taskqueue_normal = 0,
 +	isc_taskqueue_slow = 1,
 +} isc_taskqueue_t;
 +
 +#define ISC_TASK_QUANTUM_SLOW 1024
 +
 +typedef enum {
 +	isc_taskmgrmode_normal = 0,
 +	isc_taskmgrmode_privileged
 } isc_taskmgrmode_t;
 /*% Task and task manager methods */
 diff --git a/lib/isc/task.c b/lib/isc/task.c
 index 048639350b..cc83269df2 100644
 --- a/lib/isc/task.c
 +++ b/lib/isc/task.c
@@ -107,6 +107,7 @@ struct isc__task {
 	isc_eventlist_t			on_shutdown;
 	unsigned int			nevents;
 	unsigned int			quantum;
 +	unsigned int			qid;
 	unsigned int			flags;
 	isc_stdtime_t			now;
 	isc_time_t			tnow;
@@ -141,11 +142,11 @@ struct isc__taskmgr {
 	/* Locked by task manager lock. */
 	unsigned int			default_quantum;
 	LIST(isc__task_t)		tasks;
 -	isc__tasklist_t			ready_tasks;
 -	isc__tasklist_t			ready_priority_tasks;
 +	isc__tasklist_t			ready_tasks[2];
 +	isc__tasklist_t			ready_priority_tasks[2];
 	isc_taskmgrmode_t		mode;
 #ifdef ISC_PLATFORM_USETHREADS
 -	isc_condition_t			work_available;
 +	isc_condition_t			work_available[2];
 	isc_condition_t			exclusive_granted;
 	isc_condition_t			paused;
 #endif /* ISC_PLATFORM_USETHREADS */
@@ -247,13 +248,13 @@ isc_taskmgrmode_t
 isc__taskmgr_mode(isc_taskmgr_t *manager0);
 static inline bool
 -empty_readyq(isc__taskmgr_t *manager);
 +empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid);
 static inline isc__task_t *
 -pop_readyq(isc__taskmgr_t *manager);
 +pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid);
 static inline void
 -push_readyq(isc__taskmgr_t *manager, isc__task_t *task);
 +push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid);
 static struct isc__taskmethods {
 	isc_taskmethods_t methods;
@@ -324,7 +325,8 @@ task_finished(isc__task_t *task) {
 		 * any idle worker threads so they
 		 * can exit.
 		 */
 -		BROADCAST(&manager->work_available);
 +		BROADCAST(&manager->work_available[isc_taskqueue_normal]);
 +		BROADCAST(&manager->work_available[isc_taskqueue_slow]);
 	}
 #endif /* USE_WORKER_THREADS */
 	UNLOCK(&manager->lock);
@@ -364,7 +366,13 @@ isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
 	INIT_LIST(task->events);
 	INIT_LIST(task->on_shutdown);
 	task->nevents = 0;
 -	task->quantum = quantum;
 +	if (quantum >= ISC_TASK_QUANTUM_SLOW) {
 +		task->qid = isc_taskqueue_slow;
 +		task->quantum = quantum - ISC_TASK_QUANTUM_SLOW;
 +	} else {
 +		task->qid = isc_taskqueue_normal;
 +		task->quantum = quantum;
 +	}
 	task->flags = 0;
 	task->now = 0;
 	isc_time_settoepoch(&task->tnow);
@@ -476,11 +484,11 @@ task_ready(isc__task_t *task) {
 	LOCK(&manager->lock);
 	LOCK(&task->lock);
 -	push_readyq(manager, task);
 +	push_readyq(manager, task, task->qid);
 	UNLOCK(&task->lock);
 #ifdef USE_WORKER_THREADS
 	if (manager->mode == isc_taskmgrmode_normal || has_privilege)
 -		SIGNAL(&manager->work_available);
 +		SIGNAL(&manager->work_available[task->qid]);
 #endif /* USE_WORKER_THREADS */
 	UNLOCK(&manager->lock);
 }
@@ -961,13 +969,13 @@ isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t) {
  * Caller must hold the task manager lock.
  */
 static inline bool
 -empty_readyq(isc__taskmgr_t *manager) {
 +empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
 	isc__tasklist_t queue;
 	if (manager->mode == isc_taskmgrmode_normal)
 -		queue = manager->ready_tasks;
 +		queue = manager->ready_tasks[qid];
 	else
 -		queue = manager->ready_priority_tasks;
 +		queue = manager->ready_priority_tasks[qid];
 	return (EMPTY(queue));
 }
@@ -981,18 +989,18 @@ empty_readyq(isc__taskmgr_t *manager) {
  * Caller must hold the task manager lock.
  */
 static inline isc__task_t *
 -pop_readyq(isc__taskmgr_t *manager) {
 +pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
 	isc__task_t *task;
 	if (manager->mode == isc_taskmgrmode_normal)
 -		task = HEAD(manager->ready_tasks);
 +		task = HEAD(manager->ready_tasks[qid]);
 	else
 -		task = HEAD(manager->ready_priority_tasks);
 +		task = HEAD(manager->ready_priority_tasks[qid]);
 	if (task != NULL) {
 -		DEQUEUE(manager->ready_tasks, task, ready_link);
 +		DEQUEUE(manager->ready_tasks[qid], task, ready_link);
 		if (ISC_LINK_LINKED(task, ready_priority_link))
 -			DEQUEUE(manager->ready_priority_tasks, task,
 +			DEQUEUE(manager->ready_priority_tasks[qid], task,
 				ready_priority_link);
 	}
@@ -1006,16 +1014,16 @@ pop_readyq(isc__taskmgr_t *manager) {
  * Caller must hold the task manager lock.
  */
 static inline void
 -push_readyq(isc__taskmgr_t *manager, isc__task_t *task) {
 -	ENQUEUE(manager->ready_tasks, task, ready_link);
 +push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid) {
 +	ENQUEUE(manager->ready_tasks[qid], task, ready_link);
 	if ((task->flags & TASK_F_PRIVILEGED) != 0)
 -		ENQUEUE(manager->ready_priority_tasks, task,
 +		ENQUEUE(manager->ready_priority_tasks[qid], task,
 			ready_priority_link);
 	manager->tasks_ready++;
 }
 static void
 -dispatch(isc__taskmgr_t *manager) {
 +dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
 	isc__task_t *task;
 #ifndef USE_WORKER_THREADS
 	unsigned int total_dispatch_count = 0;
@@ -1094,13 +1102,13 @@ dispatch(isc__taskmgr_t *manager) {
 		 * If a pause has been requested, don't do any work
 		 * until it's been released.
 		 */
 -		while ((empty_readyq(manager) || manager->pause_requested ||
 +		while ((empty_readyq(manager, qid) || manager->pause_requested ||
 			manager->exclusive_requested) && !FINISHED(manager))
 		{
 			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
 						    ISC_MSGSET_GENERAL,
 						    ISC_MSG_WAIT, "wait"));
 -			WAIT(&manager->work_available, &manager->lock);
 +			WAIT(&manager->work_available[qid], &manager->lock);
 			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
 						    ISC_MSGSET_TASK,
 						    ISC_MSG_AWAKE, "awake"));
@@ -1113,7 +1121,7 @@ dispatch(isc__taskmgr_t *manager) {
 		XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
 					    ISC_MSG_WORKING, "working"));
 -		task = pop_readyq(manager);
 +		task = pop_readyq(manager, qid);
 		if (task != NULL) {
 			unsigned int dispatch_count = 0;
 			bool done = false;
@@ -1278,7 +1286,7 @@ dispatch(isc__taskmgr_t *manager) {
 				 */
 #ifdef USE_WORKER_THREADS
 				LOCK(&task->lock);
 -				push_readyq(manager, task);
 +				push_readyq(manager, task, qid);
 				UNLOCK(&task->lock);
 #else
 				ENQUEUE(new_ready_tasks, task, ready_link);
@@ -1297,10 +1305,14 @@ dispatch(isc__taskmgr_t *manager) {
 		 * we're stuck.  Automatically drop privileges at that
 		 * point and continue with the regular ready queue.
 		 */
 -		if (manager->tasks_running == 0 && empty_readyq(manager)) {
 +		if (manager->tasks_running == 0 && empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow)) {
 			manager->mode = isc_taskmgrmode_normal;
 -			if (!empty_readyq(manager))
 -				BROADCAST(&manager->work_available);
 +			if (!empty_readyq(manager, isc_taskqueue_normal)) {
 +				BROADCAST(&manager->work_available[isc_taskqueue_normal]);
 +			}
 +			if (!empty_readyq(manager, isc_taskqueue_slow)) {
 +				BROADCAST(&manager->work_available[isc_taskqueue_slow]);
 +			}
 		}
 #endif
 	}
@@ -1322,13 +1334,37 @@ static isc_threadresult_t
 #ifdef _WIN32
 WINAPI
 #endif
 -run(void *uap) {
 +run_normal(void *uap) {
 	isc__taskmgr_t *manager = uap;
 	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 				    ISC_MSG_STARTING, "starting"));
 -	dispatch(manager);
 +	dispatch(manager, isc_taskqueue_normal);
 +
 +	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 +				    ISC_MSG_EXITING, "exiting"));
 +
 +#ifdef OPENSSL_LEAKS
 +	ERR_remove_state(0);
 +#endif
 +
 +	return ((isc_threadresult_t)0);
 +}
 +#endif /* USE_WORKER_THREADS */
 +
 +#ifdef USE_WORKER_THREADS
 +static isc_threadresult_t
 +#ifdef _WIN32
 +WINAPI
 +#endif
 +run_slow(void *uap) {
 +	isc__taskmgr_t *manager = uap;
 +
 +	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 +				    ISC_MSG_STARTING, "starting"));
 +
 +	dispatch(manager, isc_taskqueue_slow);
 	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 				    ISC_MSG_EXITING, "exiting"));
@@ -1347,7 +1383,8 @@ manager_free(isc__taskmgr_t *manager) {
 #ifdef USE_WORKER_THREADS
 	(void)isc_condition_destroy(&manager->exclusive_granted);
 -	(void)isc_condition_destroy(&manager->work_available);
 +	(void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]);
 +	(void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]);
 	(void)isc_condition_destroy(&manager->paused);
 	isc_mem_free(manager->mctx, manager->threads);
 #endif /* USE_WORKER_THREADS */
@@ -1414,12 +1451,20 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 #ifdef USE_WORKER_THREADS
 	manager->workers = 0;
 	manager->threads = isc_mem_allocate(mctx,
 -					    workers * sizeof(isc_thread_t));
 +					    2 * workers * sizeof(isc_thread_t));
 	if (manager->threads == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto cleanup_lock;
 	}
 -	if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
 +	if (isc_condition_init(&manager->work_available[isc_taskqueue_normal]) != ISC_R_SUCCESS) {
 +		UNEXPECTED_ERROR(__FILE__, __LINE__,
 +				 "isc_condition_init() %s",
 +				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 +						ISC_MSG_FAILED, "failed"));
 +		result = ISC_R_UNEXPECTED;
 +		goto cleanup_threads;
 +	}
 +	if (isc_condition_init(&manager->work_available[isc_taskqueue_slow]) != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_condition_init() %s",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
@@ -1448,8 +1493,10 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		default_quantum = DEFAULT_DEFAULT_QUANTUM;
 	manager->default_quantum = default_quantum;
 	INIT_LIST(manager->tasks);
 -	INIT_LIST(manager->ready_tasks);
 -	INIT_LIST(manager->ready_priority_tasks);
 +	INIT_LIST(manager->ready_tasks[isc_taskqueue_normal]);
 +	INIT_LIST(manager->ready_tasks[isc_taskqueue_slow]);
 +	INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_normal]);
 +	INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_slow]);
 	manager->tasks_running = 0;
 	manager->tasks_ready = 0;
 	manager->exclusive_requested = false;
@@ -1465,7 +1512,19 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 	 * Start workers.
 	 */
 	for (i = 0; i < workers; i++) {
 -		if (isc_thread_create(run, manager,
 +		if (isc_thread_create(run_normal, manager,
 +				      &manager->threads[manager->workers]) ==
 +		    ISC_R_SUCCESS) {
 +			char name[21];	/* thread name limit on Linux */
 +			snprintf(name, sizeof(name), "isc-worker%04u", i);
 +			isc_thread_setname(manager->threads[manager->workers],
 +					   name);
 +			manager->workers++;
 +			started++;
 +		}
 +	}
 +	for (; i < workers * 2; i++) {
 +		if (isc_thread_create(run_slow, manager,
 				      &manager->threads[manager->workers]) ==
 		    ISC_R_SUCCESS) {
 			char name[21];	/* thread name limit on Linux */
@@ -1482,7 +1541,7 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		manager_free(manager);
 		return (ISC_R_NOTHREADS);
 	}
 -	isc_thread_setconcurrency(workers);
 +	isc_thread_setconcurrency(workers * 2);
 #endif /* USE_WORKER_THREADS */
 #ifdef USE_SHARED_MANAGER
 	manager->refs = 1;
@@ -1497,7 +1556,8 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
  cleanup_exclusivegranted:
 	(void)isc_condition_destroy(&manager->exclusive_granted);
  cleanup_workavailable:
 -	(void)isc_condition_destroy(&manager->work_available);
 +	(void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]);
 +	(void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]);
  cleanup_threads:
 	isc_mem_free(mctx, manager->threads);
  cleanup_lock:
@@ -1582,7 +1642,7 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
 	     task = NEXT(task, link)) {
 		LOCK(&task->lock);
 		if (task_shutdown(task))
 -			push_readyq(manager, task);
 +			push_readyq(manager, task, task->qid);
 		UNLOCK(&task->lock);
 	}
 #ifdef USE_WORKER_THREADS
@@ -1591,7 +1651,8 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
 	 * there's work left to do, and if there are already no tasks left
 	 * it will cause the workers to see manager->exiting.
 	 */
 -	BROADCAST(&manager->work_available);
 +	BROADCAST(&manager->work_available[isc_taskqueue_normal]);
 +	BROADCAST(&manager->work_available[isc_taskqueue_slow]);
 	UNLOCK(&manager->lock);
 	/*
@@ -1693,7 +1754,8 @@ isc__taskmgr_resume(isc_taskmgr_t *manager0) {
 	LOCK(&manager->lock);
 	if (manager->pause_requested) {
 		manager->pause_requested = false;
 -		BROADCAST(&manager->work_available);
 +		BROADCAST(&manager->work_available[isc_taskqueue_normal]);
 +		BROADCAST(&manager->work_available[isc_taskqueue_slow]);
 	}
 	UNLOCK(&manager->lock);
 }
@@ -1778,7 +1840,8 @@ isc__task_endexclusive(isc_task_t *task0) {
 	LOCK(&manager->lock);
 	REQUIRE(manager->exclusive_requested);
 	manager->exclusive_requested = false;
 -	BROADCAST(&manager->work_available);
 +	BROADCAST(&manager->work_available[isc_taskqueue_normal]);
 +	BROADCAST(&manager->work_available[isc_taskqueue_slow]);
 	UNLOCK(&manager->lock);
 #else
 	UNUSED(task0);
@@ -1804,10 +1867,10 @@ isc__task_setprivilege(isc_task_t *task0, bool priv) {
 	LOCK(&manager->lock);
 	if (priv && ISC_LINK_LINKED(task, ready_link))
 -		ENQUEUE(manager->ready_priority_tasks, task,
 +		ENQUEUE(manager->ready_priority_tasks[task->qid], task,
 			ready_priority_link);
 	else if (!priv && ISC_LINK_LINKED(task, ready_priority_link))
 -		DEQUEUE(manager->ready_priority_tasks, task,
 +		DEQUEUE(manager->ready_priority_tasks[task->qid], task,
 			ready_priority_link);
 	UNLOCK(&manager->lock);
 }
 -- 
 2.43.2
--- a/SOURCES/bind-9.11-CVE-2024-1737-runtime-env.patch
+++ b/SOURCES/bind-9.11-CVE-2024-1737-runtime-env.patch
@ -0,0 +1,133 @@
 From 0a7909045f9e1bf74c1f0fd561a8ef5f55481e8f Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Mon, 29 Jul 2024 16:20:50 +0200
 Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
 Modify rbtdb to not set it only at runtime, but allow setting that also
 in runtime via environment variable. It is still possible to modify
 default during the build define. In addition to it allows runtime change
 also. Can be positive number to set limit, 0 disabled the check.
 Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
 records for a single name. This must be positive number, 0 is no accepted.
 These replaces max-records-per-type and max-types-per-name in later
 versions. But can be configured only by environment and can be
 configured only globally, not in each view or zone.
 ---
 lib/dns/rbtdb.c     | 21 +++++++++++++++++++--
 lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
 2 files changed, 41 insertions(+), 4 deletions(-)
 diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 index a3cb8dc871..0104c3ee36 100644
 --- a/lib/dns/rbtdb.c
 +++ b/lib/dns/rbtdb.c
@@ -6320,15 +6320,29 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
 #define DNS_RBTDB_MAX_RTYPES 100
 #endif /* DNS_RBTDB_MAX_RTYPES */
 +static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
 +
 +static void
 +init_max_rtypes(void) {
 +	/* Red Hat change, allow setting different max value by environment. */
 +	const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
 +	if (max) {
 +		char *endp = NULL;
 +		long l = strtol(max, &endp, 10);
 +		if (max != endp && endp && !*endp && l >= 0)
 +			dns_g_rbtdb_max_rtypes = l;
 +	}
 +}
 +
 static bool
 overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
 	UNUSED(rbtdb);
 -	if (DNS_RBTDB_MAX_RTYPES == 0) {
 +	if (dns_g_rbtdb_max_rtypes == 0) {
 		return (false);
 	}
 -	return (ntypes >= DNS_RBTDB_MAX_RTYPES);
 +	return (ntypes >= dns_g_rbtdb_max_rtypes);
 }
 static bool
@@ -8831,6 +8845,8 @@ static dns_dbmethods_t cache_methods = {
 	getservestalettl
 };
 +static isc_once_t once_db = ISC_ONCE_INIT;
 +
 isc_result_t
 #ifdef DNS_RBTDB_VERSION64
 dns_rbtdb64_create
@@ -8850,6 +8866,7 @@ dns_rbtdb_create
 	/* Keep the compiler happy. */
 	UNUSED(driverarg);
 +	RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
 	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
 	if (rbtdb == NULL)
 diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
 index 347b7d2ce8..9566f79671 100644
 --- a/lib/dns/rdataslab.c
 +++ b/lib/dns/rdataslab.c
@@ -17,6 +17,7 @@
 #include <stdlib.h>
 #include <isc/mem.h>
 +#include <isc/once.h>
 #include <isc/region.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
@@ -119,6 +120,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
 #define DNS_RDATASET_MAX_RECORDS 100
 #endif /* DNS_RDATASET_MAX_RECORDS */
 +static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
 +static isc_once_t once = ISC_ONCE_INIT;
 +
 +static void
 +init_max_records(void) {
 +	/* Red Hat change, allow setting different max value by environment. */
 +	const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
 +	if (max) {
 +		char *endp = NULL;
 +		long l = strtol(max, &endp, 10);
 +		if (max != endp && endp && !*endp && l > 0)
 +			dns_g_rdataset_max_records = l;
 +	}
 +}
 +
 +
 +
 isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
@@ -165,7 +183,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		return (ISC_R_SUCCESS);
 	}
 -	if (nitems > DNS_RDATASET_MAX_RECORDS) {
 +	RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
 +
 +	if (nitems > dns_g_rdataset_max_records) {
 		return (DNS_R_TOOMANYRECORDS);
 	}
@@ -662,7 +682,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 #endif
 	INSIST(ocount > 0 && ncount > 0);
 -	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
 +	if (ocount + ncount > dns_g_rdataset_max_records) {
 		return (DNS_R_TOOMANYRECORDS);
 	}
 -- 
 2.45.2
--- a/SOURCES/bind-9.11-CVE-2024-1737.patch
+++ b/SOURCES/bind-9.11-CVE-2024-1737.patch
@ -0,0 +1,317 @@
 From 71df06e2bf3da31c5d542fb33dbda67b21537322 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Fri, 1 Mar 2024 08:26:07 +0100
 Subject: [PATCH] [9.11][CVE-2024-1737] Add a limit to the number of RRs in
 RRSets
 Add a limit to the number of RRs in RRSets
 Previously, the number of RRs in the RRSets were internally unlimited.
 As the data structure that holds the RRs is just a linked list, and
 there are places where we just walk through all of the RRs, adding an
 RRSet with huge number of RRs inside would slow down processing of said
 RRSets.
 The fix for end-of-life branches make the limit compile-time only for
 simplicity and the limit can be changed at the compile time by adding
 following define to CFLAGS:
    -DDNS_RDATASET_MAX_RECORDS=<limit>
 (cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
 (cherry picked from commit 7f705778af729ada7fec36ac4b456c73329bd996)
 (cherry picked from commit b9b5485b22c364fb88c27aa04bad4c8f616da3fa)
 Add a limit to the number of RR types for single name
 Previously, the number of RR types for a single owner name was limited
 only by the maximum number of the types (64k).  As the data structure
 that holds the RR types for the database node is just a linked list, and
 there are places where we just walk through the whole list (again and
 again), adding a large number of RR types for a single owner named with
 would slow down processing of such name (database node).
 Add a hard-coded limit (100) to cap the number of the RR types for a single
 owner.  The limit can be changed at the compile time by adding following
 define to CFLAGS:
    -DDNS_RBTDB_MAX_RTYPES=<limit>
 (cherry picked from commit 538b843d84f49ba5125ff545e3d0cf1c8434a8f2)
 (cherry picked from commit 3f10d6eff035702796ba82cd28b9f7cf9836e743)
 Optimize the slabheader placement for certain RRTypes
 Mark the infrastructure RRTypes as "priority" types and place them at
 the beginning of the rdataslab header data graph.  The non-priority
 types either go right after the priority types (if any).
 (cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
 (cherry picked from commit 23a4652346fb2877d6246b1eebaa967969dbde16)
 [9.11][CVE-2024-1737 (part 2)] Be smarter about refusing to add many RR types to the database
 Expand the list of the priority types
 Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
 the priority types that are put at the beginning of the slabheader list
 for faster access and to avoid eviction when there are more types than
 the max-types-per-name limit.
 (cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
 (cherry picked from commit 3e0a67e4bdb253dae3a03a45c1aa117239a3313d)
 Be smarter about refusing to add many RR types to the database
 Instead of outright refusing to add new RR types to the cache, be a bit
 smarter:
 1. If the new header type is in our priority list, we always add either
   positive or negative entry at the beginning of the list.
 2. If the new header type is negative entry, and we are over the limit,
   we mark it as ancient immediately, so it gets evicted from the cache
   as soon as possible.
 3. Otherwise add the new header after the priority headers (or at the
   head of the list).
 4. If we are over the limit, evict the last entry on the normal header
   list.
 (cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
 (cherry picked from commit e4d7ce686bb38428eddc7e33b40057d68eca9a6e)
 ---
 configure           |   2 +-
 configure.ac        |   2 +-
 lib/dns/rbtdb.c     | 114 +++++++++++++++++++++++++++++++++++++++++++-
 lib/dns/rdataslab.c |  12 +++++
 4 files changed, 126 insertions(+), 4 deletions(-)
 diff --git a/configure b/configure
 index e060e9d..6421c9b 100755
 --- a/configure
 +++ b/configure
@@ -12189,7 +12189,7 @@ fi
 XTARGETS=
 case "$enable_developer" in
 yes)
 -	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
 +	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
 diff --git a/configure.ac b/configure.ac
 index 83cad4a..1c35ce9 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
 XTARGETS=
 case "$enable_developer" in
 yes)
 -	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
 +	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
 diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
 index ee59c1b..a2b2df7 100644
 --- a/lib/dns/rbtdb.c
 +++ b/lib/dns/rbtdb.c
@@ -1183,6 +1183,44 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
 		isc_heap_decreased(heap, header->heap_index);
 }
 +static bool
 +prio_type(rbtdb_rdatatype_t type) {
 +	switch (type) {
 +	case dns_rdatatype_soa:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
 +	case dns_rdatatype_a:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
 +	case dns_rdatatype_mx:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
 +	case dns_rdatatype_aaaa:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
 +	case dns_rdatatype_nsec:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
 +	case dns_rdatatype_nsec3:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
 +	case dns_rdatatype_ns:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
 +	case dns_rdatatype_ds:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
 +	case dns_rdatatype_cname:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
 +	case dns_rdatatype_dname:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
 +	case dns_rdatatype_dnskey:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
 +	case dns_rdatatype_srv:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
 +	case dns_rdatatype_txt:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
 +	case dns_rdatatype_ptr:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
 +	case dns_rdatatype_naptr:
 +	case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
 +		return (true);
 +	}
 +	return (false);
 +}
 +
 /*%
  * These functions allow the heap code to rank the priority of each
  * element.  It returns true if v1 happens "sooner" than v2.
@@ -6278,6 +6316,30 @@ update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
 	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
 }
 +#ifndef DNS_RBTDB_MAX_RTYPES
 +#define DNS_RBTDB_MAX_RTYPES 100
 +#endif /* DNS_RBTDB_MAX_RTYPES */
 +
 +static bool
 +overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
 +	UNUSED(rbtdb);
 +
 +	if (DNS_RBTDB_MAX_RTYPES == 0) {
 +		return (false);
 +	}
 +
 +	return (ntypes >= DNS_RBTDB_MAX_RTYPES);
 +}
 +
 +static bool
 +prio_header(rdatasetheader_t *header) {
 +	if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
 +		return (true);
 +	}
 +
 +	return (prio_type(header->type));
 +}
 +
 /*
  * write lock on rbtnode must be held.
  */
@@ -6288,6 +6350,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 {
 	rbtdb_changed_t *changed = NULL;
 	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
 +	rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
 	unsigned char *merged;
 	isc_result_t result;
 	bool header_nx;
@@ -6297,6 +6360,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	rbtdb_rdatatype_t negtype, sigtype;
 	dns_trust_t trust;
 	int idx;
 +	uint32_t ntypes = 0;
 	/*
 	 * Add an rdatasetheader_t to a node.
@@ -6429,6 +6493,15 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	for (topheader = rbtnode->data;
 	     topheader != NULL;
 	     topheader = topheader->next) {
 +		if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
 +			++ntypes;
 +			expireheader = topheader;
 +		} else if (!IS_CACHE(rbtdb)) {
 +			++ntypes;
 +		}
 +		if (prio_header(topheader)) {
 +			prioheader = topheader;
 +		}
 		if (topheader->type == newheader->type ||
 		    topheader->type == negtype)
 			break;
@@ -6792,9 +6865,46 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			/*
 			 * No rdatasets of the given type exist at the node.
 			 */
 -			newheader->next = rbtnode->data;
 +			if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
 +				free_rdataset(rbtdb, rbtdb->common.mctx,
 +					      newheader);
 +				return (ISC_R_QUOTA);
 +			}
 +
 			newheader->down = NULL;
 -			rbtnode->data = newheader;
 +
 +			if (prio_header(newheader)) {
 +				/* This is a priority type, prepend it */
 +				newheader->next = rbtnode->data;
 +				rbtnode->data = newheader;
 +			} else if (prioheader != NULL) {
 +				/* Append after the priority headers */
 +				newheader->next = prioheader->next;
 +				prioheader->next = newheader;
 +			} else {
 +				/* There were no priority headers */
 +				newheader->next = rbtnode->data;
 +				rbtnode->data = newheader;
 +			}
 +
 +			if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
 +				if (expireheader == NULL) {
 +					expireheader = newheader;
 +				}
 +				if (NEGATIVE(newheader) &&
 +				    !prio_header(newheader))
 +				{
 +					/*
 +					 * Add the new non-priority negative
 +					 * header to the database only
 +					 * temporarily.
 +					 */
 +					expireheader = newheader;
 +				}
 +
 +				set_ttl(rbtdb, expireheader, 0);
 +				mark_header_ancient(rbtdb, expireheader);
 +			}
 		}
 	}
 diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
 index b0f77b1..347b7d2 100644
 --- a/lib/dns/rdataslab.c
 +++ b/lib/dns/rdataslab.c
@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
 }
 #endif
 +#ifndef DNS_RDATASET_MAX_RECORDS
 +#define DNS_RDATASET_MAX_RECORDS 100
 +#endif /* DNS_RDATASET_MAX_RECORDS */
 +
 isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		return (ISC_R_SUCCESS);
 	}
 +	if (nitems > DNS_RDATASET_MAX_RECORDS) {
 +		return (DNS_R_TOOMANYRECORDS);
 +	}
 +
 	if (nitems > 0xffff)
 		return (ISC_R_NOSPACE);
@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 #endif
 	INSIST(ocount > 0 && ncount > 0);
 +	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
 +		return (DNS_R_TOOMANYRECORDS);
 +	}
 +
 #if DNS_RDATASET_FIXED
 	oncount = ncount;
 #endif
 -- 
 2.45.2
--- a/SOURCES/bind-9.11-CVE-2024-1975.patch
+++ b/SOURCES/bind-9.11-CVE-2024-1975.patch
@ -0,0 +1,322 @@
 From 5ff88892e43c049659a8a5aef8dfd56c3712daf0 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Tue, 16 Jul 2024 19:49:09 +0200
 Subject: [PATCH] Resolve CVE-2024-1975
 6404.	[security]	Remove SIG(0) support from named as a countermeasure
 			for CVE-2024-1975. [GL #4480]
 Resolves: CVE-2024-1975
 ---
 bin/named/client.c                   |  7 +++
 bin/tests/system/tsiggss/authsock.pl |  5 ++
 bin/tests/system/tsiggss/tests.sh    | 12 ++--
 bin/tests/system/upforwd/tests.sh    | 21 ++++---
 doc/arm/Bv9ARM-book.xml              | 22 +++----
 lib/dns/message.c                    | 94 +++-------------------------
 6 files changed, 49 insertions(+), 112 deletions(-)
 diff --git a/bin/named/client.c b/bin/named/client.c
 index 368bc94..ea121b3 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
@@ -3013,6 +3013,13 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request is signed by a nonauthoritative key");
 +	} else if (result == DNS_R_NOTVERIFIEDYET &&
 +		   client->message->sig0 != NULL)
 +	{
 +		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 +			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 +			      "request has a SIG(0) signature but its support "
 +			      "was removed (CVE-2024-1975)");
 	} else {
 		char tsigrcode[64];
 		isc_buffer_t b;
 diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
 index ab3833d..0b231ee 100644
 --- a/bin/tests/system/tsiggss/authsock.pl
 +++ b/bin/tests/system/tsiggss/authsock.pl
@@ -31,6 +31,10 @@ if (!defined($path)) {
 	exit(1);
 }
 +# Enable output autoflush so that it's not lost when the parent sends TERM.
 +select STDOUT;
 +$| = 1;
 +
 unlink($path);
 my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
     die "unable to create socket $path";
@@ -53,6 +57,7 @@ if ($timeout != 0) {
 }
 while (my $client = $server->accept()) {
 +	printf("accept()\n");
 	$client->recv(my $buf, 8, 0);
 	my ($version, $req_len) = unpack('N N', $buf);
 diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
 index 456ce61..d0db388 100644
 --- a/bin/tests/system/tsiggss/tests.sh
 +++ b/bin/tests/system/tsiggss/tests.sh
@@ -116,7 +116,7 @@ status=$((status+ret))
 echo_i "testing external update policy (CNAME) with auth sock ($n)"
 ret=0
 -$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
 +$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
 sleep 1
 test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
 n=$((n+1))
@@ -130,17 +130,19 @@ n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 -echo_i "testing external policy with SIG(0) key ($n)"
 +echo_i "testing external policy with unsupported SIG(0) key ($n)"
 ret=0
 -$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
 +$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
 +debug
 server 10.53.0.1 ${PORT}
 zone example.nil
 update add fred.example.nil 120 cname foo.bar.
 send
 END
 +# update must have failed - SIG(0) signer is not supported
 output=`$DIG $DIGOPTS +short cname fred.example.nil.`
 -[ -n "$output" ] || ret=1
 -[ $ret -eq 0 ] || echo_i "failed"
 +[ -n "$output" ] && ret=1
 +grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
 n=$((n+1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
 index ebc9ded..f5b89d4 100644
 --- a/bin/tests/system/upforwd/tests.sh
 +++ b/bin/tests/system/upforwd/tests.sh
@@ -181,19 +181,22 @@ n=`expr $n + 1`
 if test -f keyname
 then
 -	echo_i "checking update forwarding to with sig0 ($n)"
 +	echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
 	ret=0
 	keyname=`cat keyname`
 -	$NSUPDATE -k $keyname.private -- - <<EOF
 -	local 10.53.0.1
 -	server 10.53.0.3 ${PORT}
 -	zone example2
 -	update add unsigned.example2. 600 A 10.10.10.1
 -	update add unsigned.example2. 600 TXT Foo
 -	send
 +	# SIG(0) is removed, update is expected to fail.
 +	{
 +	  $NSUPDATE -k $keyname.private -- - <<EOF
 +	  local 10.53.0.1
 +	  server 10.53.0.3 ${PORT}
 +	  zone example2
 +	  update add unsigned.example2. 600 A 10.10.10.1
 +	  update add unsigned.example2. 600 TXT Foo
 +	  send
 EOF
 +	} >nsupdate.out.$n 2>&1 && ret=1
 	$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
 -	grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
 +	grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1
 	if [ $ret != 0 ] ; then echo_i "failed"; fi
 	status=`expr $status + $ret`
 	n=`expr $n + 1`
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
 index acf772b..563dced 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
@@ -2027,7 +2027,7 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
 	The TKEY process is initiated by a client or server by sending
 	a query of type TKEY to a TKEY-aware server.  The query must include
 	an appropriate KEY record in the additional section, and
 -	must be signed using either TSIG or SIG(0) with a previously
 +	must be signed using TSIG with a previously
 	established key.  The server's response, if successful,
 	contains a TKEY record in its answer section.  After this transaction,
 	both participants have enough information to calculate a
@@ -2050,24 +2050,24 @@ allow-update { !{ !localnets; any; }; key host1-host2. ;};
     <section xml:id="sig0"><info><title>SIG(0)</title></info>
       <para>
 -	<acronym>BIND</acronym> partially supports DNSSEC SIG(0)
 +	<acronym>BIND</acronym> partially supported DNSSEC SIG(0)
 	transaction signatures as specified in RFC 2535 and RFC 2931.
 	SIG(0) uses public/private keys to authenticate messages.  Access control
 -	is performed in the same manner as with TSIG keys; privileges can be
 +	were performed in the same manner as with TSIG keys; privileges can be
 	granted or denied in ACL directives based on the key name.
       </para>
       <para>
 -	When a SIG(0) signed message is received, it is only
 +	When a SIG(0) signed message were received, it were only
 	verified if the key is known and trusted by the server. The
 -	server does not attempt to recursively fetch or validate the
 +	server did not attempt to recursively fetch or validate the
 	key.
       </para>
       <para>
 -	SIG(0) signing of multiple-message TCP streams is not supported.
 +	SIG(0) signing of multiple-message TCP streams were not supported.
       </para>
       <para>
 -	The only tool shipped with <acronym>BIND</acronym> 9 that
 -	generates SIG(0) signed messages is <command>nsupdate</command>.
 +	Support for SIG(0) message verification was removed
 +	as part of the mitigation of CVE-2024-1975.
       </para>
     </section>
@@ -12655,7 +12655,7 @@ example.com. NS ns2.example.net.
 	      either grants or denies permission for one or more
 	      names in the zone to be updated by one or more
 	      identities. Identity is determined by the key that
 -	      signed the update request, using either TSIG or SIG(0).
 +	      signed the update request, using TSIG.
 	      In most cases, <command>update-policy</command> rules
 	      only apply to key-based identities.  There is no way
 	      to specify update permissions based on client source
@@ -12742,7 +12742,7 @@ example.com. NS ns2.example.net.
 	    <para>
 	      The <command>identity</command> field must be set to
 	      a fully qualified domain name.  In most cases, this
 -	      represents the name of the TSIG or SIG(0) key that must be
 +	      represents the name of the TSIG key that must be
 	      used to sign the update request.  If the specified name is a
 	      wildcard, it is subject to DNS wildcard expansion, and the
 	      rule may apply to multiple identities.  When a TKEY exchange
@@ -15952,7 +15952,7 @@ HOST-127.EXAMPLE. MX 0 .
 	</para>
 	<para>
 	  ACLs match clients on the basis of up to three characteristics:
 -	  1) The client's IP address; 2) the TSIG or SIG(0) key that was
 +	  1) The client's IP address; 2) the TSIG key that was
 	  used to sign the request, if any; and 3) an address prefix
 	  encoded in an EDNS Client-Subnet option, if any.
 	</para>
 diff --git a/lib/dns/message.c b/lib/dns/message.c
 index a44eb2d..9ea2b9e 100644
 --- a/lib/dns/message.c
 +++ b/lib/dns/message.c
@@ -3373,103 +3373,23 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
 isc_result_t
 dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 -	isc_buffer_t b, msgb;
 +	isc_buffer_t msgb;
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 -	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
 +	if (msg->tsigkey == NULL && msg->tsig == NULL)
 		return (ISC_R_SUCCESS);
 	INSIST(msg->saved.base != NULL);
 	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
 	isc_buffer_add(&msgb, msg->saved.length);
 -	if (msg->tsigkey != NULL || msg->tsig != NULL) {
 #ifdef SKAN_MSG_DEBUG
 -		dns_message_dumpsig(msg, "dns_message_checksig#1");
 +	dns_message_dumpsig(msg, "dns_message_checksig#1");
 #endif
 -		if (view != NULL)
 -			return (dns_view_checksig(view, &msgb, msg));
 -		else
 -			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
 -	} else {
 -		dns_rdata_t rdata = DNS_RDATA_INIT;
 -		dns_rdata_sig_t sig;
 -		dns_rdataset_t keyset;
 -		isc_result_t result;
 -
 -		result = dns_rdataset_first(msg->sig0);
 -		INSIST(result == ISC_R_SUCCESS);
 -		dns_rdataset_current(msg->sig0, &rdata);
 -
 -		/*
 -		 * This can occur when the message is a dynamic update, since
 -		 * the rdata length checking is relaxed.  This should not
 -		 * happen in a well-formed message, since the SIG(0) is only
 -		 * looked for in the additional section, and the dynamic update
 -		 * meta-records are in the prerequisite and update sections.
 -		 */
 -		if (rdata.length == 0)
 -			return (ISC_R_UNEXPECTEDEND);
 -
 -		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
 -		if (result != ISC_R_SUCCESS)
 -			return (result);
 -
 -		dns_rdataset_init(&keyset);
 -		if (view == NULL)
 -			return (DNS_R_KEYUNAUTHORIZED);
 -		result = dns_view_simplefind(view, &sig.signer,
 -					     dns_rdatatype_key /* SIG(0) */,
 -					     0, 0, false, &keyset, NULL);
 -
 -		if (result != ISC_R_SUCCESS) {
 -			/* XXXBEW Should possibly create a fetch here */
 -			result = DNS_R_KEYUNAUTHORIZED;
 -			goto freesig;
 -		} else if (keyset.trust < dns_trust_secure) {
 -			/* XXXBEW Should call a validator here */
 -			result = DNS_R_KEYUNAUTHORIZED;
 -			goto freesig;
 -		}
 -		result = dns_rdataset_first(&keyset);
 -		INSIST(result == ISC_R_SUCCESS);
 -		for (;
 -		     result == ISC_R_SUCCESS;
 -		     result = dns_rdataset_next(&keyset))
 -		{
 -			dst_key_t *key = NULL;
 -
 -			dns_rdata_reset(&rdata);
 -			dns_rdataset_current(&keyset, &rdata);
 -			isc_buffer_init(&b, rdata.data, rdata.length);
 -			isc_buffer_add(&b, rdata.length);
 -
 -			result = dst_key_fromdns(&sig.signer, rdata.rdclass,
 -						 &b, view->mctx, &key);
 -			if (result != ISC_R_SUCCESS)
 -				continue;
 -			if (dst_key_alg(key) != sig.algorithm ||
 -			    dst_key_id(key) != sig.keyid ||
 -			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
 -			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
 -			{
 -				dst_key_free(&key);
 -				continue;
 -			}
 -			result = dns_dnssec_verifymessage(&msgb, msg, key);
 -			dst_key_free(&key);
 -			if (result == ISC_R_SUCCESS)
 -				break;
 -		}
 -		if (result == ISC_R_NOMORE)
 -			result = DNS_R_KEYUNAUTHORIZED;
 -
 - freesig:
 -		if (dns_rdataset_isassociated(&keyset))
 -			dns_rdataset_disassociate(&keyset);
 -		dns_rdata_freestruct(&sig);
 -		return (result);
 -	}
 +	if (view != NULL)
 +		return (dns_view_checksig(view, &msgb, msg));
 +	else
 +		return (dns_tsig_verify(&msgb, msg, NULL, NULL));
 }
 #define INDENT(sp) \
 -- 
 2.45.2
--- a/SOURCES/bind-9.11-dhcp-time-monotonic.patch
+++ b/SOURCES/bind-9.11-dhcp-time-monotonic.patch
@ -0,0 +1,171 @@
 diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
 index 0389efa..149cde5 100644
 --- a/lib/isc/include/isc/result.h
 +++ b/lib/isc/include/isc/result.h
@@ -89,7 +89,8 @@
 #define ISC_R_DISCFULL			67	/*%< disc full */
 #define ISC_R_DEFAULT			68	/*%< default */
 #define ISC_R_IPV4PREFIX		69	/*%< IPv4 prefix */
 -#define ISC_R_NRESULTS 			70
 +#define ISC_R_TIMESHIFTED               70      /*%< system time changed */
 +#define ISC_R_NRESULTS 			71
 ISC_LANG_BEGINDECLS
 diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
 index 973c348..cceeb5e 100644
 --- a/lib/isc/include/isc/util.h
 +++ b/lib/isc/include/isc/util.h
@@ -289,6 +289,10 @@ extern void mock_assert(const int result, const char* const expression,
  * Time
  */
 #define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
 +#ifdef CLOCK_BOOTTIME
 +#define TIME_MONOTONIC(tp) 	RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
 +#endif
 +
 /*%
  * Alignment
 diff --git a/lib/isc/result.c b/lib/isc/result.c
 index a9db132..f33fc6b 100644
 --- a/lib/isc/result.c
 +++ b/lib/isc/result.c
@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
 	"disc full",				/*%< 67 */
 	"default",				/*%< 68 */
 	"IPv4 prefix",				/*%< 69 */
 +	"time changed",                         /*%< 70 */
 };
 static const char *identifier[ISC_R_NRESULTS] = {
@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
 	"ISC_R_DISCFULL",
 	"ISC_R_DEFAULT",
 	"ISC_R_IPV4PREFIX",
 +	"ISC_R_TIMESHIFTED",
 };
 #define ISC_RESULT_RESULTSET			2
 diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
 index a6e9882..286fe95 100644
 --- a/lib/isc/unix/app.c
 +++ b/lib/isc/unix/app.c
@@ -442,15 +442,47 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
 static isc_result_t
 evloop(isc__appctx_t *ctx) {
 	isc_result_t result;
 +        isc_time_t now;
 +#ifdef CLOCK_BOOTTIME
 +        isc_time_t monotonic;
 +        isc_uint64_t diff  = 0;
 +#else
 +        isc_time_t prev;
 +        TIME_NOW(&prev);
 +#endif
 	while (!ctx->want_shutdown) {
 		int n;
 -		isc_time_t when, now;
 +		isc_time_t when;
 		struct timeval tv, *tvp;
 		isc_socketwait_t *swait;
 		bool readytasks;
 		bool call_timer_dispatch = false;
 +                uint64_t us; 
 +
 +#ifdef CLOCK_BOOTTIME
 +                // TBD macros for following three lines
 +                TIME_NOW(&now);
 +                TIME_MONOTONIC(&monotonic);
 +                INSIST(now.seconds > monotonic.seconds)
 +                us = isc_time_microdiff (&now, &monotonic);
 +                if (us < diff){
 +                  us = diff - us;
 +                  if (us > 1000000){ // ignoring shifts less than one second
 +                    return ISC_R_TIMESHIFTED;
 +                  };
 +                  diff = isc_time_microdiff (&now, &monotonic);
 +                } else {
 +                  diff = isc_time_microdiff (&now, &monotonic);
 +                  // not implemented
 +                }
 +#else
 +                TIME_NOW(&now);
 +                if (isc_time_compare (&now, &prev) < 0)
 +                  return ISC_R_TIMESHIFTED;
 +                TIME_NOW(&prev);
 +#endif
 		/*
 		 * Check the reload (or suspend) case first for exiting the
 		 * loop as fast as possible in case:
@@ -475,7 +507,6 @@ evloop(isc__appctx_t *ctx) {
 			if (result != ISC_R_SUCCESS)
 				tvp = NULL;
 			else {
 -				uint64_t us;
 				TIME_NOW(&now);
 				us = isc_time_microdiff(&when, &now);
 diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
 index b864c29..5dd43c9 100644
 --- a/lib/isc/unix/include/isc/time.h
 +++ b/lib/isc/unix/include/isc/time.h
@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
  *\li	't' is a valid pointer.
  */
 +#ifdef CLOCK_BOOTTIME
 +isc_result_t
 +isc_time_boottime(isc_time_t *t);
 +/*%<
 + * Set 't' to monotonic time from previous boot
 + * it's not affected by system time change. It also
 + * includes the time system was suspended
 + *
 + * Requires:
 + *\li	't' is a valid pointer.
 + *
 + * Returns:
 + *
 + *\li	Success
 + *\li	Unexpected error
 + *		Getting the time from the system failed.
 + */
 +#endif /* CLOCK_BOOTTIME */
 + 
 +
 isc_result_t
 isc_time_now(isc_time_t *t);
 /*%<
 diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
 index 8edc9df..fe0bb91 100644
 --- a/lib/isc/unix/time.c
 +++ b/lib/isc/unix/time.c
@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
 			 t->nanoseconds / NS_PER_MS);
 	}
 }
 +
 +
 +#ifdef CLOCK_BOOTTIME
 +isc_result_t
 +isc_time_boottime(isc_time_t *t) {
 +  struct timespec ts;
 +  
 +  char strbuf[ISC_STRERRORSIZE];
 +
 +  if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
 +    isc__strerror(errno, strbuf, sizeof(strbuf));
 +    UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
 +    return (ISC_R_UNEXPECTED);    
 +  }
 +
 +  t->seconds = ts.tv_sec;
 +  t->nanoseconds = ts.tv_nsec;
 +
 +  return (ISC_R_SUCCESS);
 +  
 +};
 +#endif
--- a/SOURCES/bind-9.11-engine-pkcs11.patch
+++ b/SOURCES/bind-9.11-engine-pkcs11.patch
@ -0,0 +1,27 @@
 From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Tue, 27 Aug 2019 20:39:59 +0200
 Subject: [PATCH] Do not set engine for native PKCS11
 It resets already set lib_path to pkcs11, which is invalid in native
 pkcs11 crypto. Engine has to be path to PKCS#11 module.
 ---
 bin/named/include/named/globals.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
 index eda2214..2a611d5 100644
 --- a/bin/named/include/named/globals.h
 +++ b/bin/named/include/named/globals.h
@@ -160,7 +160,7 @@ EXTERN const char *		ns_g_defaultdnstap	INIT(NULL);
 EXTERN const char *		ns_g_username		INIT(NULL);
 -#if defined(USE_PKCS11)
 +#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
 EXTERN const char *		ns_g_engine		INIT(PKCS11_ENGINE);
 #else
 EXTERN const char *		ns_g_engine		INIT(NULL);
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-export-isc-config.patch
+++ b/SOURCES/bind-9.11-export-isc-config.patch
@ -1,35 +0,0 @@
 diff --git a/export-libs/Makefile b/export-libs/Makefile
 index df15ea8..13f416b 100644
 --- a/export-libs/Makefile
 +++ b/export-libs/Makefile
@@ -404,20 +404,18 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 install:: isc-config.sh installdirs
 -	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
 -	rm -f ${DESTDIR}${bindir}/bind9-config
 -	ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
 -	${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
 -	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
 -	ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
 -	${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
 +	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
 +	rm -f ${DESTDIR}${bindir}/bind9-export-config
 +	ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
 +	${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
 +	rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
 +	ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
 uninstall::
 -	rm -f ${DESTDIR}${sysconfdir}/bind.keys
 -	rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
 -	rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
 -	rm -f ${DESTDIR}${bindir}/bind9-config
 -	rm -f ${DESTDIR}${bindir}/isc-config.sh
 +	rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
 +	rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
 +	rm -f ${DESTDIR}${bindir}/bind9-export-config
 +	rm -f ${DESTDIR}${bindir}/isc-export-config.sh
 tags:
 	rm -f TAGS
--- a/SOURCES/bind-9.11-export-suffix.patch
+++ b/SOURCES/bind-9.11-export-suffix.patch
@ -1,8 +1,8 @@
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index e6cd6a4..988b0a7 100644
+index c1bfd62..7c5ad51 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
+@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
 AC_SUBST(BUILD_LDFLAGS)
 AC_SUBST(BUILD_LIBS)
@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644
 # Commands to run at the end of config.status.
 # Don't just put these into configure, it won't work right if somebody
 diff --git a/isc-config.sh.in b/isc-config.sh.in
-index 110191a..5a64004 100644
+index b5e94ed..d2857e0 100644
 --- a/isc-config.sh.in
 +++ b/isc-config.sh.in
-@@ -12,16 +12,17 @@ prefix=@prefix@
+@@ -13,16 +13,17 @@ prefix=@prefix@
 exec_prefix=@exec_prefix@
 exec_prefix_set=
 includedir=@includedir@
--- a/SOURCES/bind-9.11-fips-code-includes.patch
+++ b/SOURCES/bind-9.11-fips-code-includes.patch
@ -1,4 +1,4 @@
-From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001
+From c928591eb2a3b17c5be0cad56c8e061ebba11a95 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 20 Dec 2018 11:52:12 +0100
 Subject: [PATCH] Fix implicit declaration warning
@ -11,7 +11,7 @@ header providing it in files that use it.
 2 files changed, 2 insertions(+)
 diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 36ee6c7..6051cd2 100644
+index 4b5b901..a3dd450 100644
 --- a/bin/tests/system/tkey/keydelete.c
 +++ b/bin/tests/system/tkey/keydelete.c
@@ -21,6 +21,7 @@
@ -23,7 +23,7 @@ index 36ee6c7..6051cd2 100644
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
 diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index 70805bb..33870f3 100644
+index c37b235..7786801 100644
 --- a/lib/dns/tsig.c
 +++ b/lib/dns/tsig.c
@@ -18,6 +18,7 @@
@ -31,9 +31,9 @@ index 70805bb..33870f3 100644
 #include <isc/buffer.h>
 #include <isc/mem.h>
 +#include <isc/md5.h>
 #include <isc/print.h>
 #include <isc/print.h>
 #include <isc/refcount.h>
 #include <isc/serial.h>
 -- 
-2.14.5
+2.26.2
--- a/SOURCES/bind-9.11-fips-code.patch
+++ b/SOURCES/bind-9.11-fips-code.patch
--- a/SOURCES/bind-9.11-fips-disable.patch
+++ b/SOURCES/bind-9.11-fips-disable.patch
@ -0,0 +1,121 @@
 From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Mon, 5 Aug 2019 11:54:03 +0200
 Subject: [PATCH] Allow explicit disabling of autodisabled MD5
 Default security policy might include explicitly disabled RSAMD5
 algorithm. Current FIPS code automatically disables in FIPS mode. But if
 RSAMD5 is included in security policy, it fails to start, because that
 algorithm is not recognized. Allow it disabled, but fail on any
 other usage.
 ---
 bin/named/server.c |  4 ++--
 lib/bind9/check.c  |  4 ++++
 lib/dns/rcode.c    | 33 +++++++++++++++------------------
 3 files changed, 21 insertions(+), 20 deletions(-)
 diff --git a/bin/named/server.c b/bin/named/server.c
 index 5b57371..51702ab 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
 		r.length = strlen(r.base);
 		result = dns_secalg_fromtext(&alg, &r);
 -		if (result != ISC_R_SUCCESS) {
 +		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
 			uint8_t ui;
 			result = isc_parse_uint8(&ui, r.base, 10);
 			alg = ui;
 		}
 -		if (result != ISC_R_SUCCESS) {
 +		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
 			cfg_obj_log(cfg_listelt_value(element),
 				    ns_g_lctx, ISC_LOG_ERROR,
 				    "invalid algorithm");
 diff --git a/lib/bind9/check.c b/lib/bind9/check.c
 index e0803d4..8023784 100644
 --- a/lib/bind9/check.c
 +++ b/lib/bind9/check.c
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
 		r.length = strlen(r.base);
 		tresult = dns_secalg_fromtext(&alg, &r);
 +		if (tresult == ISC_R_DISABLED) {
 +			// Recognize disabled algorithms, disable it explicitly
 +			tresult = ISC_R_SUCCESS;
 +		}
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(cfg_listelt_value(element), logctx,
 				    ISC_LOG_ERROR, "invalid algorithm '%s'",
 diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
 index f51d548..c49b8d1 100644
 --- a/lib/dns/rcode.c
 +++ b/lib/dns/rcode.c
@@ -126,7 +126,6 @@
 #endif
 #define SECALGNAMES \
 -	MD5_SECALGNAMES \
 	DH_SECALGNAMES \
 	DSA_SECALGNAMES \
 	{ DNS_KEYALG_ECC, "ECC", 0 }, \
@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
 static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
 static struct tbl certs[] = { CERTNAMES };
 static struct tbl secalgs[] = { SECALGNAMES };
 +static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
 static struct tbl secprotos[] = { SECPROTONAMES };
 static struct tbl hashalgs[] = { HASHALGNAMES };
 static struct tbl dsdigests[] = { DSDIGESTNAMES };
@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
 	return (dns_mnemonic_totext(cert, target, certs));
 }
 -static inline struct tbl *
 -secalgs_tbl_start() {
 -	struct tbl *algs = secalgs;
 -
 -#ifndef PK11_MD5_DISABLE
 -	if (!isc_md5_available()) {
 -		while (algs->name != NULL &&
 -		       algs->value == DNS_KEYALG_RSAMD5)
 -			++algs;
 -	}
 -#endif
 -	return algs;
 -}
 -
 isc_result_t
 dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
 	unsigned int value;
 +	isc_result_t result;
 -	RETERR(dns_mnemonic_fromtext(&value, source,
 -	                             secalgs_tbl_start(), 0xff));
 +	result = dns_mnemonic_fromtext(&value, source,
 +	                               secalgs, 0xff);
 +	if (result != ISC_R_SUCCESS) {
 +		result = dns_mnemonic_fromtext(&value, source,
 +	                                       md5_secalgs, 0xff);
 +		if (result != ISC_R_SUCCESS) {
 +			return (result);
 +		} else if (!isc_md5_available()) {
 +			*secalgp = value;
 +			return (ISC_R_DISABLED);
 +		}
 +	}
 	*secalgp = value;
 	return (ISC_R_SUCCESS);
 }
 isc_result_t
 dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
 -	return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
 +	return (dns_mnemonic_totext(secalg, target, secalgs));
 }
 void
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-fips-tests.patch
+++ b/SOURCES/bind-9.11-fips-tests.patch
--- a/SOURCES/bind-9.11-host-idn-disable.patch
+++ b/SOURCES/bind-9.11-host-idn-disable.patch
@ -1,4 +1,4 @@
-From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
+From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 25 Sep 2018 18:08:46 +0200
 Subject: [PATCH] Disable IDN from environment as documented
@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in downstream
 RH patch since RHEL 5.
 ---
 bin/dig/dig.docbook      |  4 +++-
- bin/dig/dighost.c        |  9 +++++++--
+ bin/dig/dighost.c        |  5 +++++
 bin/dig/host.docbook     |  2 +-
 bin/dig/nslookup.docbook | 15 +++++++++++++++
- 4 files changed, 26 insertions(+), 4 deletions(-)
+ 4 files changed, 24 insertions(+), 2 deletions(-)
 diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
-index fedd288..d5dba72 100644
+index 5d19301..933af79 100644
 --- a/bin/dig/dig.docbook
 +++ b/bin/dig/dig.docbook
-@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       reply from the server.
       If you'd like to turn off the IDN support for some reason, use
       parameters <parameter>+noidnin</parameter> and
@ -33,34 +33,26 @@ index fedd288..d5dba72 100644
   </refsection>
 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index 7408193..d46379d 100644
+index 5eabc1f..73aaab8 100644
 --- a/bin/dig/dighost.c
 +++ b/bin/dig/dighost.c
-@@ -822,12 +822,17 @@ make_empty_lookup(void) {
+@@ -826,6 +826,11 @@ make_empty_lookup(void) {
- 	looknew->seenbadcookie = ISC_FALSE;
+ 	looknew->badcookie = true;
 	looknew->badcookie = ISC_TRUE;
 #ifdef WITH_IDN_SUPPORT
-	looknew->idnin = ISC_TRUE;
+ 	looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
 +	looknew->idnin = (getenv("IDN_DISABLE") == NULL);
 +	if (looknew->idnin) {
 +		const char *charset = getenv("CHARSET");
 +		if (charset && !strcmp(charset, "ASCII"))
-+			looknew->idnin = ISC_FALSE;
+			looknew->idnin = false;
 +	}
 #else
- 	looknew->idnin = ISC_FALSE;
+ 	looknew->idnin = false;
 #endif
 #ifdef WITH_IDN_OUT_SUPPORT
 -	looknew->idnout = ISC_TRUE;
 +	looknew->idnout = looknew->idnin;
 #else
 	looknew->idnout = ISC_FALSE;
 #endif
 diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
-index 9c3aeaa..42cbbf9 100644
+index da0f8fb..9689b5a 100644
 --- a/bin/dig/host.docbook
 +++ b/bin/dig/host.docbook
-@@ -378,7 +378,7 @@
+@@ -379,7 +379,7 @@
       <command>host</command> appropriately converts character encoding of
       domain name before sending a request to DNS server or displaying a
       reply from the server.
@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644
       The IDN support is disabled if the variable is set when
       <command>host</command> runs.
 diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
-index 3aff4e9..86a09c6 100644
+index d46fc2d..6d7d181 100644
 --- a/bin/dig/nslookup.docbook
 +++ b/bin/dig/nslookup.docbook
-@@ -478,6 +478,21 @@ nslookup -query=hinfo  -timeout=10
+@@ -495,6 +495,21 @@ nslookup -query=hinfo  -timeout=10
     </para>
   </refsection>
@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644
     <para><filename>/etc/resolv.conf</filename>
 -- 
-2.14.4
+2.20.1
--- a/SOURCES/bind-9.11-json-c.patch
+++ b/SOURCES/bind-9.11-json-c.patch
@ -0,0 +1,50 @@
 From cb6d2019766a6c8c5516fd8859cedf0052f03293 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 25 Jul 2019 11:37:57 +0200
 Subject: [PATCH] Skip support of jsoncpp
 Bind cannot be compiled when jsoncpp-devel is installed. Remove support
 for jsoncpp, use only json-c-devel. Bind 9.15 has already support for
 --with-json-c, do not yet introduce it.
 ---
 configure.ac | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 6d05337..5ce83b5 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -2594,15 +2594,7 @@ case "$use_libjson" in
 	auto|yes)
 		for d in /usr /usr/local /opt/local
 		do
 -			if test -f "${d}/include/json/json.h"
 -			then
 -				if test ${d} != /usr
 -				then
 -					libjson_cflags="-I ${d}/include"
 -					LIBS="$LIBS -L${d}/lib"
 -				fi
 -				have_libjson="yes"
 -			elif test -f "${d}/include/json-c/json.h"
 +			if test -f "${d}/include/json-c/json.h"
 			then
 				if test ${d} != /usr
 				then
@@ -2615,12 +2607,7 @@ case "$use_libjson" in
 		done
 		;;
 	*)
 -		if test -f "${use_libjson}/include/json/json.h"
 -		then
 -			libjson_cflags="-I${use_libjson}/include"
 -			LIBS="$LIBS -L${use_libjson}/lib"
 -			have_libjson="yes"
 -		elif test -f "${use_libjson}/include/json-c/json.h"
 +		if test -f "${use_libjson}/include/json-c/json.h"
 		then
 			libjson_cflags="-I${use_libjson}/include"
 			LIBS="$LIBS -L${use_libjson}/lib"
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-kyua-pkcs11.patch
+++ b/SOURCES/bind-9.11-kyua-pkcs11.patch
@ -1,4 +1,4 @@
-From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
+From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 2 Jan 2018 18:13:07 +0100
 Subject: [PATCH] Fix pkcs11 variants atf tests
@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure
 Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
 ---
- configure.in                     |  1 +
+ configure.ac                     |  1 +
 lib/Atffile                      |  2 ++
 lib/Kyuafile                     |  2 ++
 lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
 lib/dns-pkcs11/tests/dh_test.c   |  3 ++-
 lib/isc-pkcs11/tests/Makefile.in |  6 +++---
 lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
- 7 files changed, 40 insertions(+), 16 deletions(-)
+ 6 files changed, 38 insertions(+), 16 deletions(-)
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index 67b3aab..4767eeb 100644
+index 62ecf56..0940a7d 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
+@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
 	lib/dns-pkcs11/include/Makefile
 	lib/dns-pkcs11/include/dns/Makefile
 	lib/dns-pkcs11/include/dst/Makefile
@ -28,25 +27,11 @@ index 67b3aab..4767eeb 100644
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
 diff --git a/lib/Atffile b/lib/Atffile
 index 93bbb01..4db3dce 100644
 --- a/lib/Atffile
 +++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
 prop: test-suite = bind9
 tp: dns
 +tp: dns-pkcs11
 tp: irs
 tp: isc
 +tp: isc-pkcs11
 tp: isccfg
 tp: lwres
 diff --git a/lib/Kyuafile b/lib/Kyuafile
-index ff9fc56..eaaf0dc 100644
+index 7c8bab0..eec9564 100644
 --- a/lib/Kyuafile
 +++ b/lib/Kyuafile
-@@ -2,7 +2,9 @@ syntax(2)
+@@ -2,8 +2,10 @@ syntax(2)
 test_suite('bind9')
 include('dns/Kyuafile')
@ -54,67 +39,68 @@ index ff9fc56..eaaf0dc 100644
 include('irs/Kyuafile')
 include('isc/Kyuafile')
 +include('isc-pkcs11/Kyuafile')
 include('isccc/Kyuafile')
 include('isccfg/Kyuafile')
 include('lwres/Kyuafile')
 diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
-index 2a6571b..f25a784 100644
+index 22a06a8..5df5b15 100644
 --- a/lib/dns-pkcs11/tests/Makefile.in
 +++ b/lib/dns-pkcs11/tests/Makefile.in
-@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
+@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
- 		@DST_OPENSSL_INC@
+ 		@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
 -CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
-+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+CDEFINES =	@CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
 -ISCLIBS =	../../isc/libisc.@A@
 -ISCDEPLIBS =	../../isc/libisc.@A@
-DNSLIBS =	../libdns.@A@ @DNS_CRYPTO_LIBS@
+-DNSLIBS =	../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 -DNSDEPLIBS =	../libdns.@A@
 +ISCLIBS =	../../isc-pkcs11/libisc-pkcs11.@A@
 +ISCDEPLIBS =	../../isc-pkcs11/libisc-pkcs11.@A@
-+DNSLIBS =	../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS =	../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
 +DNSDEPLIBS =	../libdns-pkcs11.@A@
- LIBS =		@LIBS@ @ATFLIBS@
+ LIBS =		@LIBS@ @CMOCKA_LIBS@
- 
+ CFLAGS =	@CFLAGS@ @CMOCKA_CFLAGS@
 diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
-index 036d27a..eb6554f 100644
+index a5bf46c..9ff2b76 100644
 --- a/lib/dns-pkcs11/tests/dh_test.c
 +++ b/lib/dns-pkcs11/tests/dh_test.c
-@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
+@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
- 	ret = dst_key_computesecret(key, key, &buf);
+ 	result = dst_key_computesecret(key, key, &buf);
- 	ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
+ 	assert_int_equal(result, DST_R_NOTPRIVATEKEY);
- 	ret = key->func->computesecret(key, key, &buf);
+ 	result = key->func->computesecret(key, key, &buf);
-	ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
+-	assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
 +	/* PKCS11 variant gives different result, accept both */
-+	ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
+	assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
 	dst_key_free(&key);
- 	dns_test_end();
+ }
 diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
-index f7fa538..818dae4 100644
+index 36d2207..00dfbc9 100644
 --- a/lib/isc-pkcs11/tests/Makefile.in
 +++ b/lib/isc-pkcs11/tests/Makefile.in
-@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
+@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 CINCLUDES =	-I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
 -CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
-+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
+CDEFINES =	@CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
 -ISCLIBS =	../libisc.@A@ @ISC_OPENSSL_LIBS@
 -ISCDEPLIBS =	../libisc.@A@
 +ISCLIBS =	../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
 +ISCDEPLIBS =	../libisc-pkcs11.@A@
- LIBS =		@LIBS@ @ATFLIBS@
+ LIBS =		@LIBS@ @CMOCKA_LIBS@
- 
+ CFLAGS =	@CFLAGS@ @CMOCKA_CFLAGS@
 diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
-index 5b8a374..c1891c2 100644
+index 4fafc38..5eb2be2 100644
 --- a/lib/isc-pkcs11/tests/hash_test.c
 +++ b/lib/isc-pkcs11/tests/hash_test.c
-@@ -74,7 +74,7 @@ typedef struct hash_testcase {
+@@ -84,7 +84,7 @@ typedef struct hash_testcase {
 typedef struct hash_test_key {
 	const char *key;
@ -123,7 +109,7 @@ index 5b8a374..c1891c2 100644
 } hash_test_key_t;
 /* non-hmac tests */
-@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
+@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -134,9 +120,9 @@ index 5b8a374..c1891c2 100644
 -		isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
 +		isc_hmacsha1_init(&hmacsha1, buffer, len);
 		isc_hmacsha1_update(&hmacsha1,
- 				    (const isc_uint8_t *) testcase->input,
+ 				    (const uint8_t *) testcase->input,
 				    testcase->input_len);
-@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
+@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -147,9 +133,9 @@ index 5b8a374..c1891c2 100644
 -		isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
 +		isc_hmacsha224_init(&hmacsha224, buffer, len);
 		isc_hmacsha224_update(&hmacsha224,
- 				      (const isc_uint8_t *) testcase->input,
+ 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
+@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -160,9 +146,9 @@ index 5b8a374..c1891c2 100644
 -		isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
 +		isc_hmacsha256_init(&hmacsha256, buffer, len);
 		isc_hmacsha256_update(&hmacsha256,
- 				      (const isc_uint8_t *) testcase->input,
+ 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
+@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -173,9 +159,9 @@ index 5b8a374..c1891c2 100644
 -		isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
 +		isc_hmacsha384_init(&hmacsha384, buffer, len);
 		isc_hmacsha384_update(&hmacsha384,
- 				      (const isc_uint8_t *) testcase->input,
+ 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
+@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -186,9 +172,9 @@ index 5b8a374..c1891c2 100644
 -		isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
 +		isc_hmacsha512_init(&hmacsha512, buffer, len);
 		isc_hmacsha512_update(&hmacsha512,
- 				      (const isc_uint8_t *) testcase->input,
+ 				      (const uint8_t *) testcase->input,
 				      testcase->input_len);
-@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
+@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
 	hash_test_key_t *test_key = test_keys;
 	while (testcase->input != NULL && testcase->result != NULL) {
@ -199,8 +185,8 @@ index 5b8a374..c1891c2 100644
 -		isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
 +		isc_hmacmd5_init(&hmacmd5, buffer, len);
 		isc_hmacmd5_update(&hmacmd5,
- 				   (const isc_uint8_t *) testcase->input,
+ 				   (const uint8_t *) testcase->input,
 				   testcase->input_len);
 -- 
-2.14.3
+2.21.1
--- a/SOURCES/bind-9.11-oot-manual.patch
+++ b/SOURCES/bind-9.11-oot-manual.patch
@ -1,4 +1,4 @@
-From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
+From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Wed, 25 Jul 2018 12:24:16 +0200
 Subject: [PATCH] Use make automatic variables to install updated manuals
@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them.
 9 files changed, 54 insertions(+), 38 deletions(-)
 diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
-index 12f48d2d23..d8eac4c714 100644
+index c124e80..1174f8d 100644
 --- a/bin/check/Makefile.in
 +++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
 	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
 -	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
-index 87f13dda4b..7865c0c73e 100644
+index 87f13dd..7865c0c 100644
 --- a/bin/confgen/Makefile.in
 +++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
 diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
-index e2d2802262..19361a83ea 100644
+index e2d2802..19361a8 100644
 --- a/bin/delv/Makefile.in
 +++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man1/delv.1
 diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
-index 773ac46395..3edd951e7e 100644
+index a9830a9..d7ac0b6 100644
 --- a/bin/dig/Makefile.in
 +++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
 		nslookup@EXEEXT@ ${DESTDIR}${bindir}
 -	for m in ${MANPAGES}; do \
-		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
+-		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
 -	done
 uninstall::
 	for m in ${MANPAGES}; do \
 diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
-index 1be1d5ffc6..1d0c4ce5c1 100644
+index 2239ad1..ce0a177 100644
 --- a/bin/dnssec/Makefile.in
 +++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644
 +	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
 +
 +install:: ${TARGETS} installdirs install-man8
- 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
+ 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
 uninstall::
- 	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
+ 	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
 diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index 1c413973d0..03e4cb849b 100644
+index e1f85a9..d92bc9a 100644
 --- a/bin/named/Makefile.in
 +++ b/bin/named/Makefile.in
-@@ -172,12 +172,17 @@ installdirs:
+@@ -176,12 +176,17 @@ installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man5/named.conf.5
 diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
-index ae9061626c..a058c91214 100644
+index ae90616..a058c91 100644
 --- a/bin/pkcs11/Makefile.in
 +++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
 diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
-index aa678d47ab..064c404e2f 100644
+index aa678d4..064c404 100644
 --- a/bin/python/Makefile.in
 +++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644
 		if test -n "${DESTDIR}" ; then \
 			${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
 diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
-index 7bf2af4cea..c395bc7462 100644
+index 7bf2af4..c395bc7 100644
 --- a/bin/tools/Makefile.in
 +++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:
--- a/SOURCES/bind-9.11-rh1410433.patch
+++ b/SOURCES/bind-9.11-rh1410433.patch
@ -1,14 +1,16 @@
 diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
-index 0ce5e42..556d920 100644
+index 15561ce..e4449b0 100644
 --- a/lib/dns/dyndb.c
 +++ b/lib/dns/dyndb.c
-@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
 		      instname, filename);
 	flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND
+#if 0
-	flags |= RTLD_DEEPBIND;
+	/* Shared global namespace is required for dns-pkcs11 library */
-#endif
+ #if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
 	flags |= RTLD_DEEPBIND;
 +#endif
 #endif
 	handle = dlopen(filename, flags);
 	if (handle == NULL)
--- a/SOURCES/bind-9.11-rh1624100.patch
+++ b/SOURCES/bind-9.11-rh1624100.patch
@ -1,288 +0,0 @@
 From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
 Date: Wed, 25 Apr 2018 14:04:31 +0200
 Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
 (cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
 Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
 (cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
 Fix the isc_safe_memwipe() usage with (NULL, >0)
 (cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
 ---
 bin/dnssec/dnssec-signzone.c |  2 +-
 lib/dns/nsec3.c              |  4 +--
 lib/dns/spnego.c             |  4 +--
 lib/isc/Makefile.in          |  8 ++---
 lib/isc/include/isc/safe.h   | 18 ++++------
 lib/isc/safe.c               | 81 --------------------------------------------
 lib/isc/tests/safe_test.c    | 20 -----------
 7 files changed, 13 insertions(+), 124 deletions(-)
 delete mode 100644 lib/isc/safe.c
 diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
 index 53be1f5c60..351296a356 100644
 --- a/bin/dnssec/dnssec-signzone.c
 +++ b/bin/dnssec/dnssec-signzone.c
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
 static int
 hashlist_comp(const void *a, const void *b) {
 -	return (isc_safe_memcompare(a, b, hash_length + 1));
 +	return (memcmp(a, b, hash_length + 1));
 }
 static void
 diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
 index d364308aaf..37b6a8a7fe 100644
 --- a/lib/dns/nsec3.c
 +++ b/lib/dns/nsec3.c
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 	 * Work out what this NSEC3 covers.
 	 * Inside (<0) or outside (>=0).
 	 */
 -	scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
 +	scope = memcmp(owner, nsec3.next, nsec3.next_length);
 	/*
 	 * Prepare to compute all the hashes.
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
 			return (ISC_R_IGNORE);
 		}
 -		order = isc_safe_memcompare(hash, owner, length);
 +		order = memcmp(hash, owner, length);
 		if (first && order == 0) {
 			/*
 			 * The hashes are the same.
 diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
 index ce3e42d650..079d4c1b4a 100644
 --- a/lib/dns/spnego.c
 +++ b/lib/dns/spnego.c
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
 /* mod_auth_kerb.c */
 -static int
 +static isc_boolean_t
 cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
 {
 	unsigned char *p;
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
 	if (((OM_uint32) *p++) != gssoid->length)
 		return (GSS_S_DEFECTIVE_TOKEN);
 -	return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
 +	return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
 }
 /* accept_sec_context.c */
 diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
 index ba53ef1091..98acffffc9 100644
 --- a/lib/isc/Makefile.in
 +++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS =		@ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
 		parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
 		ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
 		rwlock.@O@ \
 -		safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
 +		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
 		string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
 		tm.@O@ timer.@O@ version.@O@ \
 		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS =		@ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
 		netaddr.c netscope.c pool.c ondestroy.c \
 		parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
 		ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
 -		safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
 +		serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
 		strtoul.c symtab.c task.c taskpool.c timer.c \
 		tm.c version.c
@@ -95,10 +95,6 @@ TESTDIRS =	@UNITTESTS@
 @BIND9_MAKE_RULES@
 -safe.@O@: safe.c
 -	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
 -		-c ${srcdir}/safe.c
 -
 version.@O@: version.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
 		-DVERSION=\"${VERSION}\" \
 diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
 index f29f00bac6..b8a0b2290c 100644
 --- a/lib/isc/include/isc/safe.h
 +++ b/lib/isc/include/isc/safe.h
@@ -15,27 +15,21 @@
 /*! \file isc/safe.h */
 -#include <isc/types.h>
 -#include <stdlib.h>
 +#include <isc/boolean.h>
 +#include <isc/lang.h>
 +
 +#include <openssl/crypto.h>
 ISC_LANG_BEGINDECLS
 -isc_boolean_t
 -isc_safe_memequal(const void *s1, const void *s2, size_t n);
 +#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
 /*%<
  * Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
  * ISC_FALSE.
  *
  */
 -int
 -isc_safe_memcompare(const void *b1, const void *b2, size_t len);
 -/*%<
 - * Clone of libc memcmp() which is safe to differential timing attacks.
 - */
 -
 -void
 -isc_safe_memwipe(void *ptr, size_t len);
 +#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
 /*%<
  * Clear the memory of length `len` pointed to by `ptr`.
  *
 diff --git a/lib/isc/safe.c b/lib/isc/safe.c
 deleted file mode 100644
 index 5c9e1e2d13..0000000000
 --- a/lib/isc/safe.c
 +++ /dev/null
@@ -1,81 +0,0 @@
 -/*
 - * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 - *
 - * This Source Code Form is subject to the terms of the Mozilla Public
 - * License, v. 2.0. If a copy of the MPL was not distributed with this
 - * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 - *
 - * See the COPYRIGHT file distributed with this work for additional
 - * information regarding copyright ownership.
 - */
 -
 -/*! \file */
 -
 -#include <config.h>
 -
 -#include <isc/safe.h>
 -#include <isc/string.h>
 -#include <isc/util.h>
 -
 -#ifdef WIN32
 -#include <windows.h>
 -#endif
 -
 -#ifdef _MSC_VER
 -#pragma optimize("", off)
 -#endif
 -
 -isc_boolean_t
 -isc_safe_memequal(const void *s1, const void *s2, size_t n) {
 -	isc_uint8_t acc = 0;
 -
 -	if (n != 0U) {
 -		const isc_uint8_t *p1 = s1, *p2 = s2;
 -
 -		do {
 -			acc |= *p1++ ^ *p2++;
 -		} while (--n != 0U);
 -	}
 -	return (ISC_TF(acc == 0));
 -}
 -
 -
 -int
 -isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
 -	const unsigned char *p1 = b1, *p2 = b2;
 -	size_t i;
 -	int res = 0, done = 0;
 -
 -	for (i = 0; i < len; i++) {
 -		/* lt is -1 if p1[i] < p2[i]; else 0. */
 -		int lt = (p1[i] - p2[i]) >> CHAR_BIT;
 -
 -		/* gt is -1 if p1[i] > p2[i]; else 0. */
 -		int gt = (p2[i] - p1[i]) >> CHAR_BIT;
 -
 -		/* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
 -		int cmp = lt - gt;
 -
 -		/* set res = cmp if !done. */
 -		res |= cmp & ~done;
 -
 -		/* set done if p1[i] != p2[i]. */
 -		done |= lt | gt;
 -	}
 -
 -	return (res);
 -}
 -
 -void
 -isc_safe_memwipe(void *ptr, size_t len) {
 -	if (ISC_UNLIKELY(ptr == NULL || len == 0))
 -		return;
 -
 -#ifdef WIN32
 -	SecureZeroMemory(ptr, len);
 -#elif HAVE_EXPLICIT_BZERO
 -	explicit_bzero(ptr, len);
 -#else
 -	memset(ptr, 0, len);
 -#endif
 -}
 diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
 index f721cd1096..ea3e61f98d 100644
 --- a/lib/isc/tests/safe_test.c
 +++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
 				     "\x00\x00\x00\x00", 4));
 }
 -ATF_TC(isc_safe_memcompare);
 -ATF_TC_HEAD(isc_safe_memcompare, tc) {
 -	atf_tc_set_md_var(tc, "descr", "safe memcompare()");
 -}
 -ATF_TC_BODY(isc_safe_memcompare, tc) {
 -	UNUSED(tc);
 -
 -	ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
 -	ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
 -	ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
 -	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
 -				      "\x00\x00\x00\x00", 4) == 0);
 -	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
 -				      "\x00\x00\x00\x01", 4) < 0);
 -	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
 -				      "\x00\x00\x00\x00", 4) > 0);
 -}
 -
 ATF_TC(isc_safe_memwipe);
 ATF_TC_HEAD(isc_safe_memwipe, tc) {
 	atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
 	/* These should pass. */
 	isc_safe_memwipe(NULL, 0);
 	isc_safe_memwipe((void *) -1, 0);
 -	isc_safe_memwipe(NULL, 42);
 	/*
 	 * isc_safe_memwipe(ptr, size) should function same as
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
  */
 ATF_TP_ADD_TCS(tp) {
 	ATF_TP_ADD_TC(tp, isc_safe_memequal);
 -	ATF_TP_ADD_TC(tp, isc_safe_memcompare);
 	ATF_TP_ADD_TC(tp, isc_safe_memwipe);
 	return (atf_no_error());
 }
 -- 
 2.14.4
--- a/SOURCES/bind-9.11-rh1668682.patch
+++ b/SOURCES/bind-9.11-rh1668682.patch
@ -0,0 +1,37 @@
 From 16c1bd61384e993fef13d7be88fdd34551a2b3ce Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Wed, 23 Jan 2019 20:12:51 +0100
 Subject: [PATCH] Use custom random generator only for bind build
 Do not test random entropy on startup when used by DHCP. On most cases
 random entropy is not even used by DHCP. In cases it is (LDAP SSL), fail
 whenever it is not available.
 Resolves: rhbz#1668682
 ---
 lib/dns/openssl_link.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
 index 91e87d0..2551b0a 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
 #endif
 #endif /* !defined(OPENSSL_NO_ENGINE) */
 +#ifdef ISC_PLATFORM_USETHREADS
 	/* Protect ourselves against unseeded PRNG */
 	if (RAND_status() != 1) {
 		FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
 			    "cannot be initialized (see the `PRNG not "
 			    "seeded' message in the OpenSSL FAQ)");
 	}
 +#endif /* ISC_PLATFORM_USETHREADS */
 	return (ISC_R_SUCCESS);
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-rh1980757.patch
+++ b/SOURCES/bind-9.11-rh1980757.patch
@ -0,0 +1,32 @@
 From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 9 Jul 2021 20:52:21 +0200
 Subject: [PATCH] Use proper entropy to initialize tsig keyname
 Random names used on GSS backed nsupdate can conflict in specific
 situations. That might include starting a lot of machines from
 containers, where they took all similar time to start. PID and timestamp
 would be similar and therefore randomness is quite low. Use entropy to
 generate more random identifier and reduce chance of conflict.
 ---
 bin/nsupdate/nsupdate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
 index 458aa76..d9e5a2b 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
 	keyname = dns_fixedname_initname(&fkname);
 -	isc_random_get(&val);
 +	result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
 +	if (result != ISC_R_SUCCESS)
 +		isc_random_get(&val);
 	result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
 				   val, namestr);
 	if (result != ISC_R_SUCCESS)
 -- 
 2.31.1
--- a/SOURCES/bind-9.11-rh2101712.patch
+++ b/SOURCES/bind-9.11-rh2101712.patch
@ -0,0 +1,232 @@
 From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Wed, 24 Aug 2022 12:21:50 +1000
 Subject: [PATCH] Have dns_zt_apply lock the zone table
 There where a number of places where the zone table should have
 been locked, but wasn't, when dns_zt_apply was called.
 Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
 all calls to using it.  Removed locks in callers.
 Modified upstream commit for v9_11
 ---
 bin/named/server.c       | 11 ++++++-----
 bin/named/statschannel.c |  8 ++++----
 lib/dns/include/dns/zt.h |  4 ++--
 lib/dns/tests/zt_test.c  |  3 ++-
 lib/dns/view.c           |  3 ++-
 lib/dns/zt.c             | 34 +++++++++++++++++++---------------
 6 files changed, 35 insertions(+), 28 deletions(-)
 diff --git a/bin/named/server.c b/bin/named/server.c
 index 9826588e6d..0b4b309461 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server,
 		    strcmp(view->name, "_bind") != 0)
 		{
 			dns_view_setviewrevert(view);
 -			(void)dns_zt_apply(view->zonetable, false,
 -					   removed, view);
 +			(void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
 +					   false, removed, view);
 		}
 		dns_view_detach(&view);
 	}
@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
 	ISC_LIST_INIT(vle->zonelist);
 	ISC_LIST_APPEND(dctx->viewlist, vle, link);
 	if (dctx->dumpzones)
 -		result = dns_zt_apply(view->zonetable, true,
 -				      add_zone_tolist, dctx);
 +		result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
 +				      true, add_zone_tolist, dctx);
 	return (result);
 }
@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
 		for (view = ISC_LIST_HEAD(server->viewlist);
 		     view != NULL;
 		     view = ISC_LIST_NEXT(view, link)) {
 -			result = dns_zt_apply(view->zonetable, false,
 +			result = dns_zt_apply(view->zonetable,
 +					      isc_rwlocktype_none, false,
 					      synczone, &cleanup);
 			if (result != ISC_R_SUCCESS &&
 			    tresult == ISC_R_SUCCESS)
 diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
 index 12ab048469..9828df0f4e 100644
 --- a/bin/named/statschannel.c
 +++ b/bin/named/statschannel.c
@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags,
 		if ((flags & STATS_XML_ZONES) != 0) {
 			TRY0(xmlTextWriterStartElement(writer,
 						       ISC_XMLCHAR "zones"));
 -			result = dns_zt_apply(view->zonetable, true,
 -					      zone_xmlrender, writer);
 +			result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
 +					      true, zone_xmlrender, writer);
 			if (result != ISC_R_SUCCESS)
 				goto error;
 			TRY0(xmlTextWriterEndElement(writer)); /* /zones */
@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen,
 			CHECKMEM(za);
 			if ((flags & STATS_JSON_ZONES) != 0) {
 -				result = dns_zt_apply(view->zonetable, true,
 -						      zone_jsonrender, za);
 +				result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
 +						      true, zone_jsonrender, za);
 				if (result != ISC_R_SUCCESS) {
 					goto error;
 				}
 diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
 index e658e5bb67..94212250da 100644
 --- a/lib/dns/include/dns/zt.h
 +++ b/lib/dns/include/dns/zt.h
@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze);
  */
 isc_result_t
 -dns_zt_apply(dns_zt_t *zt, bool stop,
 +dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
 isc_result_t
 -dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
 +dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
 	      isc_result_t (*action)(dns_zone_t *, void *), void *uap);
 /*%<
  * Apply a given 'action' to all zone zones in the table.
 diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
 index 3f1e812d60..ee75303a50 100644
 --- a/lib/dns/tests/zt_test.c
 +++ b/lib/dns/tests/zt_test.c
@@ -145,7 +145,8 @@ apply(void **state) {
 	assert_non_null(view->zonetable);
 	assert_int_equal(nzones, 0);
 -	result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
 +	result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
 +			      count_zone, &nzones);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_int_equal(nzones, 1);
 diff --git a/lib/dns/view.c b/lib/dns/view.c
 index f01b4dea0f..bd1ced2863 100644
 --- a/lib/dns/view.c
 +++ b/lib/dns/view.c
@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) {
 	REQUIRE(DNS_VIEW_VALID(view));
 	REQUIRE(view->zonetable != NULL);
 -	(void)dns_zt_apply(view->zonetable, false, dialup, NULL);
 +	(void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
 +			   dialup, NULL);
 }
 void
 diff --git a/lib/dns/zt.c b/lib/dns/zt.c
 index 3f12e247e0..af65740325 100644
 --- a/lib/dns/zt.c
 +++ b/lib/dns/zt.c
@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) {
 static void
 zt_destroy(dns_zt_t *zt) {
 	if (zt->flush) {
 -		(void)dns_zt_apply(zt, false, flush, NULL);
 +		(void)dns_zt_apply(zt, isc_rwlocktype_none,
 +				   false, flush, NULL);
 	}
 	isc_refcount_destroy(&zt->references);
 	dns_rbt_destroy(&zt->table);
@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) {
 	REQUIRE(VALID_ZT(zt));
 -	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
 -	result = dns_zt_apply(zt, stop, load, NULL);
 -	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
 +	result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL);
 	return (result);
 }
@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
 	 * Prevent loads_pending going to zero while kicking off the loads.
 	 */
 	zt->loads_pending++;
 -	result = dns_zt_apply2(zt, false, NULL, asyncload, &params);
 +	result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, &params);
 	pending = --zt->loads_pending;
 	if (pending != 0) {
 		zt->loaddone = alldone;
@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) {
 	REQUIRE(VALID_ZT(zt));
 -	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
 -	result = dns_zt_apply(zt, stop, loadnew, NULL);
 -	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
 +	result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL);
 	return (result);
 }
@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
 	REQUIRE(VALID_ZT(zt));
 -	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
 -	result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
 -	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
 +	result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze);
 	if (tresult == ISC_R_NOTFOUND)
 		tresult = ISC_R_SUCCESS;
 	return ((result == ISC_R_SUCCESS) ? tresult : result);
@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
 }
 isc_result_t
 -dns_zt_apply(dns_zt_t *zt, bool stop,
 +dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
 {
 -	return (dns_zt_apply2(zt, stop, NULL, action, uap));
 +	return (dns_zt_apply2(zt, lock, stop, NULL, action, uap));
 }
 isc_result_t
 -dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
 +dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
 	      isc_result_t (*action)(dns_zone_t *, void *), void *uap)
 {
 	dns_rbtnode_t *node;
@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
 	REQUIRE(VALID_ZT(zt));
 	REQUIRE(action != NULL);
 +	if (lock != isc_rwlocktype_none) {
 +		RWLOCK(&zt->rwlock, lock);
 +	}
 +
 	dns_rbtnodechain_init(&chain, zt->mctx);
 	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
 	if (result == ISC_R_NOTFOUND) {
@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
  cleanup:
 	dns_rbtnodechain_invalidate(&chain);
 -	if (sub != NULL)
 +	if (sub != NULL) {
 		*sub = tresult;
 +	}
 +
 +	if (lock != isc_rwlocktype_none) {
 +		RWUNLOCK(&zt->rwlock, lock);
 +	}
 	return (result);
 }
 -- 
 2.37.2
--- a/SOURCES/bind-9.11-rh2133889.patch
+++ b/SOURCES/bind-9.11-rh2133889.patch
@ -0,0 +1,26 @@
 From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 13 Oct 2022 15:35:46 +0200
 Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h
 It got broken as part of bug #2101712 fix. Introduced new definition,
 which passes during bind build, but breaks bind-dyndb-ldap build.
 ---
 lib/dns/include/dns/zt.h | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
 index 9421225..64c24d6 100644
 --- a/lib/dns/include/dns/zt.h
 +++ b/lib/dns/include/dns/zt.h
@@ -18,6 +18,7 @@
 #include <stdbool.h>
 #include <isc/lang.h>
 +#include <isc/rwlock.h>
 #include <dns/types.h>
 -- 
 2.37.3
--- a/SOURCES/bind-9.11-rt31459.patch
+++ b/SOURCES/bind-9.11-rt31459.patch
--- a/SOURCES/bind-9.11-rt46047-2.patch
+++ b/SOURCES/bind-9.11-rt46047-2.patch
@ -1,91 +0,0 @@
 From c79ff443ba029eaf7da8781aef0b1ddbed467781 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Fri, 14 Jun 2019 12:30:01 +0200
 Subject: [PATCH] Fix OpenSSL random generator warnings Squashed commit of the
 following:
 commit 70492c6361e55309dae0e48ae031e295f0a46a5e
 Author: Evan Hunt <each@isc.org>
 Date:   Sat Sep 16 21:01:06 2017 -0700
    [master] silence compiler warning
    (cherry picked from commit 6e5ae91479408540f04337c9dc27c3f3fffae6c7)
 commit 4d8c2767b584d993eb898d2210c85ffce214d1dc
 Author: Mark Andrews <marka@isc.org>
 Date:   Fri Dec 22 08:48:38 2017 +1100
    add POST(argc);
    (cherry picked from commit be5a0eaa7adafc454658e09672d865eb453baeab)
    (cherry picked from commit 0163c3b8130cbed705c3267948ab49eebe26286d)
 commit c64b5b10a3a175482b89eddbe63d8b5107a2fbf3
 Author: Petr Mensik <pemensik@redhat.com>
 Date:   Thu Jun 13 22:23:14 2019 +0200
    fixup! completed and corrected the crypto-random change
 ---
 bin/named/server.c                | 3 +++
 bin/tests/system/tkey/keydelete.c | 1 +
 lib/dns/tests/dstrandom_test.c    | 3 +--
 3 files changed, 5 insertions(+), 2 deletions(-)
 diff --git a/bin/named/server.c b/bin/named/server.c
 index db0270900f..1afb461226 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -8100,6 +8100,8 @@ load_configuration(const char *filename, ns_server_t *server,
 			}
 #endif
 		} else {
 +			result = isc_entropy_createfilesource(ns_g_entropy,
 +			                                      randomdev);
 #ifdef PATH_RANDOMDEV
 			if (ns_g_fallbackentropy != NULL) {
 				level = ISC_LOG_INFO;
@@ -8893,6 +8895,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->in_roothints = NULL;
 	server->blackholeacl = NULL;
 	server->keepresporder = NULL;
 +	server->rngctx = NULL;
 	/* Must be first. */
 	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
 diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
 index 3d5ac74486..55ebb66a60 100644
 --- a/bin/tests/system/tkey/keydelete.c
 +++ b/bin/tests/system/tkey/keydelete.c
@@ -172,6 +172,7 @@ main(int argc, char **argv) {
 		randomfile = argv[2];
 		argv += 2;
 		argc -= 2;
 +		POST(argc);
 	}
 	keyname = argv[1];
 diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
 index d2c72e7685..56738d14a4 100644
 --- a/lib/dns/tests/dstrandom_test.c
 +++ b/lib/dns/tests/dstrandom_test.c
@@ -14,8 +14,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 -/* $Id$ */
 -
 /*! \file */
 #include <config.h>
@@ -24,6 +22,7 @@
 #include <stdio.h>
 #include <string.h>
 +#include <unistd.h>
 #include <isc/entropy.h>
 #include <isc/mem.h>
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-rt46047.patch
+++ b/SOURCES/bind-9.11-rt46047.patch
@ -1,4 +1,4 @@
-From dc861636b6bcb4a028b2392347a57a61bb5ece6e Mon Sep 17 00:00:00 2001
+From af3b530773231f8cff6548e36962ad1f25e38c5d Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 28 Sep 2017 10:09:22 -0700
 Subject: [PATCH] completed and corrected the crypto-random change
@ -33,23 +33,25 @@ Subject: [PATCH] completed and corrected the crypto-random change
 bin/named/include/named/server.h         |  2 +
 bin/named/interfacemgr.c                 |  1 +
 bin/named/query.c                        |  1 +
- bin/named/server.c                       | 52 +++++++++++++---------
+ bin/named/server.c                       | 52 ++++++++++++++--------
 bin/nsupdate/nsupdate.c                  |  4 +-
 bin/tests/system/pipelined/pipequeries.c |  4 +-
 bin/tests/system/tkey/keycreate.c        |  4 +-
- bin/tests/system/tkey/keydelete.c        |  4 +-
+ bin/tests/system/tkey/keydelete.c        |  5 +--
 doc/arm/Bv9ARM-book.xml                  | 55 +++++++++++++++++-------
- doc/arm/notes.xml                        | 23 +++++++++-
+ doc/arm/notes-rh-changes.xml             | 42 ++++++++++++++++++
- lib/dns/dst_api.c                        |  7 ++-
+ doc/arm/notes.xml                        |  1 +
 lib/dns/dst_api.c                        |  4 +-
 lib/dns/include/dst/dst.h                | 14 +++++-
 lib/dns/openssl_link.c                   |  3 +-
- lib/isc/include/isc/entropy.h            | 50 +++++++++++++++------
+ lib/isc/include/isc/entropy.h            | 48 +++++++++++++++------
- lib/isc/include/isc/random.h             | 28 +++++++-----
+ lib/isc/include/isc/random.h             | 26 +++++++----
 lib/isccfg/namedconf.c                   |  2 +-
- 22 files changed, 218 insertions(+), 110 deletions(-)
+ 23 files changed, 240 insertions(+), 102 deletions(-)
 create mode 100644 doc/arm/notes-rh-changes.xml
 diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
-index fa439cc..a7ad417 100644
+index bd269e7..1ac775f 100644
 --- a/bin/confgen/keygen.c
 +++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
@ -65,7 +67,7 @@ index fa439cc..a7ad417 100644
 -	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
 -		randomfile = NULL;
 +	if (randomfile == NULL) {
- 		isc_entropy_usehook(ectx, ISC_TRUE);
+ 		isc_entropy_usehook(ectx, true);
 	}
 #endif
 +	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -76,7 +78,7 @@ index fa439cc..a7ad417 100644
 							     &entropy_source,
 							     randomfile,
 diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
-index 96dfef6..1c84b06 100644
+index bd19e1d..2c09b30 100644
 --- a/bin/dnssec/dnssec-keygen.docbook
 +++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@
@ -112,16 +114,16 @@ index 96dfef6..1c84b06 100644
 	</listitem>
       </varlistentry>
 diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
-index 4ea9eaf..5dd9475 100644
+index 2a0f9c6..6fcd411 100644
 --- a/bin/dnssec/dnssectool.c
 +++ b/bin/dnssec/dnssectool.c
-@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
+@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 		ISC_LIST_INIT(sources);
 	}
 +#ifdef ISC_PLATFORM_CRYPTORANDOM
 +	if (randomfile == NULL) {
-+		isc_entropy_usehook(*ectx, ISC_TRUE);
+		isc_entropy_usehook(*ectx, true);
 +	}
 +#endif
 	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -133,17 +135,17 @@ index 4ea9eaf..5dd9475 100644
 -	if (randomfile != NULL &&
 -	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
 -		randomfile = NULL;
-		isc_entropy_usehook(*ectx, ISC_TRUE);
+-		isc_entropy_usehook(*ectx, true);
 -	}
 -#endif
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
 					   usekeyboard);
 diff --git a/bin/named/client.c b/bin/named/client.c
-index b7d8a98..56d475c 100644
+index 4a50ad9..4d140e8 100644
 --- a/bin/named/client.c
 +++ b/bin/named/client.c
-@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+@@ -1768,7 +1768,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
 		isc_buffer_init(&buf, cookie, sizeof(cookie));
 		isc_stdtime_get(&now);
@ -154,10 +156,10 @@ index b7d8a98..56d475c 100644
 		compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
 diff --git a/bin/named/config.c b/bin/named/config.c
-index c50f759..c1e72ef 100644
+index 9b343fa..5e663c6 100644
 --- a/bin/named/config.c
 +++ b/bin/named/config.c
-@@ -92,7 +92,9 @@ options {\n\
+@@ -98,7 +98,9 @@ options {\n\
 #	pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
 	port 53;\n\
 	prefetch 2 9;\n"
@ -169,10 +171,10 @@ index c50f759..c1e72ef 100644
 #endif
 "	recursing-file \"named.recursing\";\n\
 diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
-index 237e8dc..b905475 100644
+index 9fdf49b..42128dc 100644
 --- a/bin/named/controlconf.c
 +++ b/bin/named/controlconf.c
-@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
+@@ -327,9 +327,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
 static void
 control_recvmessage(isc_task_t *task, isc_event_t *event) {
@ -185,8 +187,8 @@ index 237e8dc..b905475 100644
 +	controlkey_t *key = NULL;
 	isccc_sexpr_t *request = NULL;
 	isccc_sexpr_t *response = NULL;
- 	isc_uint32_t algorithm;
+ 	uint32_t algorithm;
-@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+@@ -340,16 +341,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_t *text;
 	isc_result_t result;
 	isc_result_t eresult;
@ -194,7 +196,7 @@ index 237e8dc..b905475 100644
 +	isccc_sexpr_t *_ctrl = NULL;
 	isccc_time_t sent;
 	isccc_time_t exp;
- 	isc_uint32_t nonce;
+ 	uint32_t nonce;
 -	isccc_sexpr_t *data;
 +	isccc_sexpr_t *data = NULL;
@ -206,25 +208,25 @@ index 237e8dc..b905475 100644
 	algorithm = DST_ALG_UNKNOWN;
 	secret.rstart = NULL;
 	text = NULL;
-@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+@@ -462,8 +464,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	 * Establish nonce.
 	 */
 	if (conn->nonce == 0) {
 -		while (conn->nonce == 0)
 -			isc_random_get(&conn->nonce);
 +		while (conn->nonce == 0) {
-+			isc_uint16_t r1 = isc_rng_random(server->rngctx);
+			uint16_t r1 = isc_rng_random(server->rngctx);
-+			isc_uint16_t r2 = isc_rng_random(server->rngctx);
+			uint16_t r2 = isc_rng_random(server->rngctx);
 +			conn->nonce = (r1 << 16) | r2;
 +		}
 		eresult = ISC_R_SUCCESS;
 	} else
 		eresult = ns_control_docommand(request, listener->readonly, &text);
 diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
-index d8179a6..e03d24d 100644
+index 4fd0194..0ba2627 100644
 --- a/bin/named/include/named/server.h
 +++ b/bin/named/include/named/server.h
-@@ -17,6 +17,7 @@
+@@ -20,6 +20,7 @@
 #include <isc/log.h>
 #include <isc/magic.h>
 #include <isc/quota.h>
@ -232,19 +234,19 @@ index d8179a6..e03d24d 100644
 #include <isc/sockaddr.h>
 #include <isc/types.h>
 #include <isc/xml.h>
-@@ -131,6 +132,7 @@ struct ns_server {
+@@ -135,6 +136,7 @@ struct ns_server {
 	char *			lockfile;
- 	isc_uint16_t		transfer_tcp_message_size;
+ 	uint16_t		transfer_tcp_message_size;
 +	isc_rng_t *		rngctx;
 };
 struct ns_altsecret {
 diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index d8c7188..50f924e 100644
+index 93aac31..e12fad9 100644
 --- a/bin/named/interfacemgr.c
 +++ b/bin/named/interfacemgr.c
-@@ -15,6 +15,7 @@
+@@ -17,6 +17,7 @@
 #include <isc/interfaceiter.h>
 #include <isc/os.h>
@ -253,22 +255,22 @@ index d8c7188..50f924e 100644
 #include <isc/task.h>
 #include <isc/util.h>
 diff --git a/bin/named/query.c b/bin/named/query.c
-index accbf3b..d89622d 100644
+index 58b5914..edf42d2 100644
 --- a/bin/named/query.c
 +++ b/bin/named/query.c
-@@ -18,6 +18,7 @@
+@@ -20,6 +20,7 @@
 #include <isc/hex.h>
 #include <isc/mem.h>
 #include <isc/platform.h>
 #include <isc/print.h>
 +#include <isc/random.h>
 #include <isc/rwlock.h>
 #include <isc/serial.h>
 #include <isc/stats.h>
 diff --git a/bin/named/server.c b/bin/named/server.c
-index ca789e5..db02709 100644
+index b2ae57c..cca7fe8 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
-@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8279,21 +8279,32 @@ load_configuration(const char *filename, ns_server_t *server,
 	 * Open the source of entropy.
 	 */
 	if (first_time) {
@ -277,11 +279,6 @@ index ca789e5..db02709 100644
 		obj = NULL;
 		result = ns_config_get(maps, "random-device", &obj);
 -		if (result != ISC_R_SUCCESS) {
 -			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 -				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 -				      "no source of entropy found");
 -		} else {
 -			const char *randomdev = cfg_obj_asstring(obj);
 +		if (result == ISC_R_SUCCESS) {
 +			if (!cfg_obj_isvoid(obj)) {
 +				level = ISC_LOG_INFO;
@ -289,28 +286,33 @@ index ca789e5..db02709 100644
 +			}
 +		}
 +		if (randomdev == NULL) {
- #ifdef ISC_PLATFORM_CRYPTORANDOM
+#ifdef ISC_PLATFORM_CRYPTORANDOM
-			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
+			isc_entropy_usehook(ns_g_entropy, true);
-				isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
+#else
 +			isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
 #else
 -			int level = ISC_LOG_ERROR;
 -			result = isc_entropy_createfilesource(ns_g_entropy,
 -							      randomdev);
 +			if ((obj != NULL) && !cfg_obj_isvoid(obj))
 +				level = ISC_LOG_INFO;
-+			isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL,
+ 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 -				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 +				      NS_LOGMODULE_SERVER, level,
-+				      "no source of entropy found");
+ 				      "no source of entropy found");
 +			if ((obj == NULL) || cfg_obj_isvoid(obj)) {
 +				CHECK(ISC_R_FAILURE);
 +			}
 +#endif
-+		} else {
+ 		} else {
 -			const char *randomdev = cfg_obj_asstring(obj);
 -#ifdef ISC_PLATFORM_CRYPTORANDOM
 -			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
 -				isc_entropy_usehook(ns_g_entropy, true);
 -#else
 -			int level = ISC_LOG_ERROR;
 			result = isc_entropy_createfilesource(ns_g_entropy,
 -							      randomdev);
 +			                                      randomdev);
 #ifdef PATH_RANDOMDEV
 			if (ns_g_fallbackentropy != NULL) {
 				level = ISC_LOG_INFO;
-@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8304,8 +8315,8 @@ load_configuration(const char *filename, ns_server_t *server,
 					      NS_LOGCATEGORY_GENERAL,
 					      NS_LOGMODULE_SERVER,
 					      level,
@ -321,24 +323,33 @@ index ca789e5..db02709 100644
 					      randomdev,
 					      isc_result_totext(result));
 			}
-@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server,
+@@ -8325,7 +8336,6 @@ load_configuration(const char *filename, ns_server_t *server,
 				}
 				isc_entropy_detach(&ns_g_fallbackentropy);
 			}
 -#endif
 #endif
 		}
- 	}
+ 
-@@ -8911,6 +8919,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+@@ -9097,6 +9107,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->in_roothints = NULL;
 	server->blackholeacl = NULL;
 	server->keepresporder = NULL;
 +	server->rngctx = NULL;
 	/* Must be first. */
 	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
@@ -9123,6 +9134,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
 				      &server->tkeyctx),
 		   "creating TKEY context");
 +	server->rngctx = NULL;
 +	CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
 +	           "creating random numbers context");
 	/*
 	 * Setup the server task, which is responsible for coordinating
-@@ -9117,7 +9127,8 @@ ns_server_destroy(ns_server_t **serverp) {
+@@ -9329,7 +9343,8 @@ ns_server_destroy(ns_server_t **serverp) {
 	if (server->zonemgr != NULL)
 		dns_zonemgr_detach(&server->zonemgr);
@ -348,7 +359,7 @@ index ca789e5..db02709 100644
 	if (server->tkeyctx != NULL)
 		dns_tkeyctx_destroy(&server->tkeyctx);
-@@ -13018,10 +13029,10 @@ newzone_cfgctx_destroy(void **cfgp) {
+@@ -13366,10 +13381,10 @@ newzone_cfgctx_destroy(void **cfgp) {
 static isc_result_t
 generate_salt(unsigned char *salt, size_t saltlen) {
@ -356,19 +367,19 @@ index ca789e5..db02709 100644
 +	size_t i, n;
 	union {
 		unsigned char rnd[256];
-		isc_uint32_t rnd32[64];
+-		uint32_t rnd32[64];
-+		isc_uint16_t rnd16[128];
+		uint16_t rnd16[128];
 	} rnd;
 	unsigned char text[512 + 1];
 	isc_region_t r;
-@@ -13031,9 +13042,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
+@@ -13379,9 +13394,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
 	if (saltlen > 256U)
 		return (ISC_R_RANGE);
-	n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
+-	n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
 -	for (i = 0; i < n; i++)
 -		isc_random_get(&rnd.rnd32[i]);
-+	n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
+	n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
 +	for (i = 0; i < n; i++) {
 +		rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
 +	}
@ -376,10 +387,10 @@ index ca789e5..db02709 100644
 	memmove(salt, rnd.rnd, saltlen);
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 46c7acf..a0d0278 100644
+index 7f15cbc..458aa76 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
-@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
+@@ -289,9 +289,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
 	}
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -387,14 +398,14 @@ index 46c7acf..a0d0278 100644
 -	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
 -		randomfile = NULL;
 +	if (randomfile == NULL) {
- 		isc_entropy_usehook(*ectx, ISC_TRUE);
+ 		isc_entropy_usehook(*ectx, true);
 	}
 #endif
 diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
-index 810d99e..d7d10e2 100644
+index 95b65bf..7a81d4e 100644
 --- a/bin/tests/system/pipelined/pipequeries.c
 +++ b/bin/tests/system/pipelined/pipequeries.c
-@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
+@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -402,11 +413,11 @@ index 810d99e..d7d10e2 100644
 -	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
 -		randomfile = NULL;
 +	if (randomfile == NULL) {
- 		isc_entropy_usehook(ectx, ISC_TRUE);
+ 		isc_entropy_usehook(ectx, true);
 	}
 #endif
 diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
-index 4f2f5b4..0894db7 100644
+index 3236968..4fa77b6 100644
 --- a/bin/tests/system/tkey/keycreate.c
 +++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
@ -417,14 +428,22 @@ index 4f2f5b4..0894db7 100644
 -	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
 -		randomfile = NULL;
 +	if (randomfile == NULL) {
- 		isc_entropy_usehook(ectx, ISC_TRUE);
+ 		isc_entropy_usehook(ectx, true);
 	}
 #endif
 diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
-index 0975bbe..5b8a470 100644
+index 43fb6b0..105e151 100644
 --- a/bin/tests/system/tkey/keydelete.c
 +++ b/bin/tests/system/tkey/keydelete.c
-@@ -182,9 +182,7 @@ main(int argc, char **argv) {
+@@ -171,6 +171,7 @@ main(int argc, char **argv) {
 		randomfile = argv[2];
 		argv += 2;
 		argc -= 2;
 +		POST(argc);
 	}
 	keyname = argv[1];
@@ -182,9 +183,7 @@ main(int argc, char **argv) {
 	ectx = NULL;
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -432,26 +451,26 @@ index 0975bbe..5b8a470 100644
 -	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
 -		randomfile = NULL;
 +	if (randomfile == NULL) {
- 		isc_entropy_usehook(ectx, ISC_TRUE);
+ 		isc_entropy_usehook(ectx, true);
 	}
 #endif
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index a5d9e2e..2a96f71 100644
+index ca98726..1f9df2c 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
-@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5034,22 +5034,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <term><command>random-device</command></term>
 	    <listitem>
 	      <para>
-		The source of entropy to be used by the server.  Entropy is
+-		This specifies a source of entropy to be used by the server.  Entropy is
 -		primarily needed
 -		for DNSSEC operations, such as TKEY transactions and dynamic
 -		update of signed
-		zones.  This options specifies the device (or file) from which
+-		zones.  This option specifies the device (or file) from which
 -		to read
-		entropy.  If this is a file, operations requiring entropy will
+-		entropy.  If it is a file, operations requiring entropy will
 -		fail when the
-		file has been exhausted.  If not specified, the default value
+-		file has been exhausted.  If <command>random-device</command> is not specified, the default value
 -		is
 -		<filename>/dev/random</filename>
 -		(or equivalent) when present, and none otherwise.  The
@ -501,15 +520,27 @@ index a5d9e2e..2a96f71 100644
 	      </para>
 	    </listitem>
 	  </varlistentry>
-diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
+diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
-index d3fdb5e..fbc78a0 100644
+new file mode 100644
--- a/doc/arm/notes.xml
+index 0000000..89a4961
-+++ b/doc/arm/notes.xml
+--- /dev/null
-@@ -115,7 +115,28 @@
+++ b/doc/arm/notes-rh-changes.xml
-     <itemizedlist>
+@@ -0,0 +1,42 @@
-       <listitem>
+<!--
- 	<para>
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-	  None.
+ -
 + - This Source Code Form is subject to the terms of the Mozilla Public
 + - License, v. 2.0. If a copy of the MPL was not distributed with this
 + - file, You can obtain one at http://mozilla.org/MPL/2.0/.
 + -
 + - See the COPYRIGHT file distributed with this work for additional
 + - information regarding copyright ownership.
 +-->
 +
 +<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
 +  <itemizedlist>
 +     <listitem>
 +      <para>
 +        By default, BIND now uses the random number generation functions
 +        in the cryptographic library (i.e., OpenSSL or a PKCS#11
 +        provider) as a source of high-quality randomness rather than
@ -532,25 +563,28 @@ index d3fdb5e..fbc78a0 100644
 +        <command>configure --disable-crypto-rand</command>, in which
 +        case <filename>/dev/random</filename> will be the default
 +        entropy source.  [RT #31459] [RT #46047]
- 	</para>
+      </para>
-       </listitem>
+    </listitem>
-     </itemizedlist>
+  </itemizedlist>
 +</section>
 +
 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
 index a5e42c0..f8cb1f9 100644
 --- a/doc/arm/notes.xml
 +++ b/doc/arm/notes.xml
@@ -47,6 +47,7 @@
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
 +  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
 </section>
 diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
-index 803e7b3..29a4fef 100644
+index aa54afc..2156384 100644
 --- a/lib/dns/dst_api.c
 +++ b/lib/dns/dst_api.c
-@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
 #endif
 #if defined(OPENSSL) || defined(PKCS11CRYPTO)
 #ifdef ISC_PLATFORM_CRYPTORANDOM
 -	if (dst_entropy_pool != NULL)
 +	if (dst_entropy_pool != NULL) {
 		isc_entropy_sethook(dst_random_getdata);
 +	}
 #endif
 #endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
 	dst_initialized = ISC_TRUE;
@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 	else
 		flags |= ISC_ENTROPY_BLOCKING;
 #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -565,10 +599,10 @@ index 803e7b3..29a4fef 100644
 }
 diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
-index d9b6ab6..e8c1a3c 100644
+index 3aba028..180c841 100644
 --- a/lib/dns/include/dst/dst.h
 +++ b/lib/dns/include/dst/dst.h
-@@ -161,8 +161,18 @@ isc_result_t
+@@ -163,8 +163,18 @@ isc_result_t
 dst_random_getdata(void *data, unsigned int length,
 		   unsigned int *returned, unsigned int flags);
 /*%<
@ -588,12 +622,12 @@ index d9b6ab6..e8c1a3c 100644
 + * \li	DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
  */
- isc_boolean_t
+ bool
 diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
-index c1e1bde..91e87d0 100644
+index 3f4f822..cfdc757 100644
 --- a/lib/dns/openssl_link.c
 +++ b/lib/dns/openssl_link.c
-@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
+@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
 isc_result_t
 dst_random_getdata(void *data, unsigned int length,
@ -604,19 +638,10 @@ index c1e1bde..91e87d0 100644
 #ifndef DONT_REQUIRE_DST_LIB_INIT
 	INSIST(dst__memory_pool != NULL);
 diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
-index d9deb8a..2d37363 100644
+index f32c9dc..bed276b 100644
 --- a/lib/isc/include/isc/entropy.h
 +++ b/lib/isc/include/isc/entropy.h
-@@ -9,8 +9,6 @@
+@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
  * information regarding copyright ownership.
  */
 -/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
 -
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 /*!<
  * \brief Create an entropy source that is polled via a callback.
  *
@ -628,18 +653,23 @@ index d9deb8a..2d37363 100644
  *
  * Samples are added via isc_entropy_addcallbacksample(), below.
  * _addcallbacksample() is the only function which may be called from
-@@ -233,15 +230,32 @@ isc_result_t
+@@ -232,15 +231,32 @@ isc_result_t
 isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
 		    unsigned int *returned, unsigned int flags);
 /*!<
 - * \brief Extract data from the entropy pool.  This may load the pool from various
 - * sources.
 + * \brief Get random data from entropy pool 'ent'.
-+ *
+  *
 - * Do this by stirring the pool and returning a part of hash as randomness.
 - * Note that no secrets are given away here since parts of the hash are
 - * xored together before returned.
 + * If a hook has been set up using isc_entropy_sethook() and
 + * isc_entropy_usehook(), then the hook function will be called to get
 + * random data.
-+ *
+  *
 - * Honor the request from the caller to only return good data, any data,
 - * etc.
 + * Otherwise, randomness is extracted from the entropy pool set up in BIND.
 + * This may cause the pool to be loaded from various sources. Ths is done
 + * by stirring the pool and returning a part of hash as randomness.
@ -650,17 +680,12 @@ index d9deb8a..2d37363 100644
 + * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
 + * not in use. If it is, the flags will be passed to the hook function
 + * but it may ignore them.
-  *
+ *
 - * Do this by stiring the pool and returning a part of hash as randomness.
 - * Note that no secrets are given away here since parts of the hash are
 - * xored together before returned.
 + * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
 + * (If 'returned' is not NULL, and the number of bytes copied is less than
 + * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
 + * number of bytes copied will be stored in *returned.)
-  *
+ *
 - * Honor the request from the caller to only return good data, any data,
 - * etc.
 + * Returns:
 + * \li	ISC_R_SUCCESS on success
 + * \li	ISC_R_NOENTROPY if entropy pool is empty
@ -668,9 +693,9 @@ index d9deb8a..2d37363 100644
  */
 void
-@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
 void
- isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
+ isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
 /*!<
 - * \brief Mark/unmark the given entropy structure as being hooked.
 + * \brief Configure entropy context 'ectx' to use the hook function
@ -693,26 +718,21 @@ index d9deb8a..2d37363 100644
 ISC_LANG_ENDDECLS
 diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
-index ba53ebf..b575728 100644
+index f38e80d..3cb1c56 100644
 --- a/lib/isc/include/isc/random.h
 +++ b/lib/isc/include/isc/random.h
-@@ -9,8 +9,6 @@
+@@ -19,13 +19,23 @@
  * information regarding copyright ownership.
  */
 -/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
 -
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
@@ -21,13 +19,23 @@
 #include <isc/mutex.h>
 /*! \file isc/random.h
 - * \brief Implements a random state pool which will let the caller return a
 - * series of possibly non-reproducible random values.
 + * \brief Implements pseudo random number generators.
-+ *
+  *
 - * Note that the
 - * strength of these numbers is not all that high, and should not be
 - * used in cryptography functions.  It is useful for jittering values
 - * a bit here and there, such as timeouts, etc.
 + * Two pseudo-random number generators are implemented, in isc_random_*
 + * and isc_rng_*. Neither one is very strong; they should not be used
 + * in cryptography functions.
@ -722,11 +742,7 @@ index ba53ebf..b575728 100644
 + * It is useful for jittering values a bit here and there, such as
 + * timeouts, etc, but should not be relied upon to generate
 + * unpredictable sequences (for example, when choosing transaction IDs).
-  *
+  *
 - * Note that the
 - * strength of these numbers is not all that high, and should not be
 - * used in cryptography functions.  It is useful for jittering values
 - * a bit here and there, such as timeouts, etc.
 + * isc_rng_* is based on ChaCha20, and is seeded and stirred from the
 + * system entropy source. It is stronger than isc_random_* and can
 + * be used for generating unpredictable sequences. It is still not as
@ -735,9 +751,9 @@ index ba53ebf..b575728 100644
  */
 ISC_LANG_BEGINDECLS
-@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
+@@ -113,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
- isc_uint16_t
+ uint16_t
- isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound);
+ isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
 /*%<
 - * Returns a uniformly distributed pseudo random 16-bit unsigned
 - * integer.
@ -747,10 +763,10 @@ index ba53ebf..b575728 100644
 ISC_LANG_ENDDECLS
 diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index 8d496ff..dd08187 100644
+index e74c93b..212194e 100644
 --- a/lib/isccfg/namedconf.c
 +++ b/lib/isccfg/namedconf.c
-@@ -1106,7 +1106,7 @@ options_clauses[] = {
+@@ -1109,7 +1109,7 @@ options_clauses[] = {
 	{ "pid-file", &cfg_type_qstringornone, 0 },
 	{ "port", &cfg_type_uint32, 0 },
 	{ "querylog", &cfg_type_boolean, 0 },
@ -760,5 +776,5 @@ index 8d496ff..dd08187 100644
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reserved-sockets", &cfg_type_uint32, 0 },
 -- 
-2.20.1
+2.26.2
--- a/SOURCES/bind-9.11-serve-stale.patch
+++ b/SOURCES/bind-9.11-serve-stale.patch
--- a/SOURCES/bind-9.11-stale-cache.patch
+++ b/SOURCES/bind-9.11-stale-cache.patch
@ -0,0 +1,65 @@
 From 8a7bff93037432fcfe8532752e89f150ea3030a4 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Mon, 9 Oct 2023 19:00:12 +0200
 Subject: [PATCH] Do not keep stale records by default
 By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
 were enabled by mistake when backporting fix for CVE-2023-2828. It
 causes increased cache usage on servers not wanting to serve stale
 records. Fix that by setting smart defaults based on stale answers
 enabled with possible manual tuning.
 ---
 bin/named/server.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
 diff --git a/bin/named/server.c b/bin/named/server.c
 index 7af90d0..afdc4fa 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -3295,7 +3295,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	size_t max_acache_size;
 	size_t max_adb_size;
 	uint32_t lame_ttl, fail_ttl;
 -	uint32_t max_stale_ttl;
 +	uint32_t max_stale_ttl = 0;
 	dns_tsig_keyring_t *ring = NULL;
 	dns_view_t *pview = NULL;	/* Production view */
 	isc_mem_t *cmctx = NULL, *hmctx = NULL;
@@ -3739,16 +3739,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	if (view->maxncachettl > 7 * 24 * 3600)
 		view->maxncachettl = 7 * 24 * 3600;
 -	obj = NULL;
 -	result = ns_config_get(maps, "max-stale-ttl", &obj);
 -	INSIST(result == ISC_R_SUCCESS);
 -	max_stale_ttl = cfg_obj_asuint32(obj);
 -
 	obj = NULL;
 	result = ns_config_get(maps, "stale-answer-enable", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	view->staleanswersenable = cfg_obj_asboolean(obj);
 +	// RHEL-11785 -- set the stale-ttl to non-zero value only if enabled
 +	obj = NULL;
 +	if (view->staleanswersenable) {
 +		result = ns_config_get(maps, "max-stale-ttl", &obj);
 +		INSIST(result == ISC_R_SUCCESS);
 +		max_stale_ttl = cfg_obj_asuint32(obj);
 +		/*
 +		 * If 'stale-answer-enable' is false, max_stale_ttl is set
 +		 * to 0, meaning keeping stale RRsets in cache is disabled.
 +		 */
 +	} else {
 +		/* Do not use default value if stale is disabled,
 +		 * but allow manual overriding, like 'stale-cache-enable' */
 +		result = ns_config_get(optionmaps, "max-stale-ttl", &obj);
 +		if (result == ISC_R_SUCCESS)
 +			max_stale_ttl = cfg_obj_asuint32(obj);
 +	}
 +
 	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
 				   view->rdclass, &pview);
 	if (result == ISC_R_SUCCESS) {
 -- 
 2.41.0
--- a/SOURCES/bind-9.11-unit-disable-random.patch
+++ b/SOURCES/bind-9.11-unit-disable-random.patch
@ -1,4 +1,4 @@
-From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
+From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Thu, 21 Feb 2019 22:42:27 +0100
 Subject: [PATCH] Disable random_test
@ -9,37 +9,22 @@ subtests can occasionally fail, stop it.
 It can be used again by defining 'unstable' variable in Kyuafile.
 ---
 lib/isc/tests/Atffile  | 3 ++-
 lib/isc/tests/Kyuafile | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
 index 8681844..74a4a77 100644
 --- a/lib/isc/tests/Atffile
 +++ b/lib/isc/tests/Atffile
@@ -20,7 +20,8 @@ tp: pool_test
 tp: print_test
 tp: queue_test
 tp: radix_test
 -tp: random_test
 +# random test fails too often
 +#tp: random_test
 tp: regex_test
 tp: result_test
 tp: safe_test
 diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
-index 1c510c1..a86824a 100644
+index 4cd2574..9df2340 100644
 --- a/lib/isc/tests/Kyuafile
 +++ b/lib/isc/tests/Kyuafile
-@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
+@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
- atf_test_program{name='print_test'}
+ tap_test_program{name='print_test'}
- atf_test_program{name='queue_test'}
+ tap_test_program{name='queue_test'}
- atf_test_program{name='radix_test'}
+ tap_test_program{name='radix_test'}
-atf_test_program{name='random_test'}
+-tap_test_program{name='random_test'}
-+atf_test_program{name='random_test', required_configs='unstable'}
+tap_test_program{name='random_test', required_configs='unstable'}
- atf_test_program{name='regex_test'}
+ tap_test_program{name='regex_test'}
- atf_test_program{name='result_test'}
+ tap_test_program{name='result_test'}
- atf_test_program{name='safe_test'}
+ tap_test_program{name='safe_test'}
 -- 
 2.20.1
--- a/SOURCES/bind-9.11-zone2ldap.patch
+++ b/SOURCES/bind-9.11-zone2ldap.patch
@ -1,18 +1,18 @@
-From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001
+From 9683a4d2524b870c4cee09259cb5eb7b8075a507 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Tue, 18 Dec 2018 16:06:26 +0100
 Subject: [PATCH] Make absolute hostname by dns API instead of strings
 Duplicate all strings in dc_list. Free allocated memory on each record.
 ---
- bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------
+ bin/sdb_tools/zone2ldap.c | 70 +++++++++++++++++++++++++--------------
- 1 file changed, 45 insertions(+), 27 deletions(-)
+ 1 file changed, 45 insertions(+), 25 deletions(-)
 diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
-index acf160b..cc482dc 100644
+index d59936c..9ba73b8 100644
 --- a/bin/sdb_tools/zone2ldap.c
 +++ b/bin/sdb_tools/zone2ldap.c
-@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
+@@ -84,6 +84,10 @@ int get_attr_list_size (char **tmp);
 /* Get a DN */
 char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
@ -23,7 +23,7 @@ index acf160b..cc482dc 100644
 /* Add to RR list */
 void add_to_rr_list (char *dn, char *name, char *type, char *data,
 		     unsigned int ttl, unsigned int flags);
-@@ -123,6 +127,7 @@ static char dNSTTL            []="dNSTTL";
+@@ -120,6 +124,7 @@ static char dNSTTL            []="dNSTTL";
 static char zoneName          []="zoneName";
 static char dc                []="dc";
 static char sameZone          []="@";
@ -31,7 +31,7 @@ index acf160b..cc482dc 100644
 /* LDAPMod mod_values: */
 static char *objectClasses    []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
 static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
-@@ -396,6 +401,8 @@ main (int argc, char **argv)
+@@ -391,6 +396,8 @@ main (int argc, char **argv)
 	    }
 	}
@ -40,26 +40,26 @@ index acf160b..cc482dc 100644
     }
   else
     {
-@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+@@ -446,12 +453,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
   char data[2048];
   char **dc_list;
   char *dn;
 +  size_t argzone_len;
-+  isc_boolean_t omit_dot;
+  bool omit_dot;
   isc_buffer_t buff;
   isc_result_t result;
   isc_buffer_init (&buff, name, sizeof (name));
-  result = dns_name_totext (dnsname, ISC_TRUE, &buff);
+   result = dns_name_totext (dnsname, true, &buff);
 +  argzone_len = strlen(argzone);
 +  /* If argzone is absolute, output absolute name too */
-+  omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.'));
+  omit_dot = (!(argzone_len > 0 && argzone[argzone_len-1] == '.'));
 +  result = dns_name_totext (dnsname, omit_dot, &buff);
   isc_result_check (result, "dns_name_totext");
   name[isc_buffer_usedlength (&buff)] = 0;
-@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
+@@ -473,6 +486,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
     printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
   add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
@ -67,7 +67,7 @@ index acf160b..cc482dc 100644
 }
-@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -533,12 +547,9 @@ add_to_rr_list (char *dn, char *name, char *type,
       if (tmp->attrs == (LDAPMod **) NULL)
 	fatal("calloc");
@ -83,7 +83,7 @@ index acf160b..cc482dc 100644
       tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
       tmp->attrs[0]->mod_type = objectClass;
-@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -554,9 +565,18 @@ add_to_rr_list (char *dn, char *name, char *type,
 	  return;
 	}
@ -103,12 +103,11 @@ index acf160b..cc482dc 100644
       if (tmp->attrs[1]->mod_values == (char **)NULL)
 	fatal("calloc");
-@@ -705,25 +724,16 @@ char **
+@@ -701,24 +721,16 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
 hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
 {
   char *tmp;
-  int i = 0;
+   int i = 0;
-+  int i = 0, j = 0;
+  int j = 0;
   char *hname=0L, *last=0L;
   int hlen=strlen(hostname), zlen=(strlen(zone));
@ -127,11 +126,11 @@ index acf160b..cc482dc 100644
       {
 -	  if( hname == 0 )
 -	      hname=strdup(hostname);
-+	  hname=strdup(hostname);
+	  hname= strdup(hostname);
 	  last = strdup(sameZone);
       }else
       {
-@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -726,8 +738,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
 	     ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
 	    )
 	  {
@ -140,7 +139,7 @@ index acf160b..cc482dc 100644
 	      hname=(char*)malloc( hlen + zlen + 1);
 	      if( *zone == '.' )
 		  sprintf(hname, "%s%s", hostname, zone);
-@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -735,8 +745,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
 		  sprintf(hname,"%s",zone);
 	  }else
 	  {
@ -150,7 +149,7 @@ index acf160b..cc482dc 100644
 	  }
 	  last = hname;
       }
-@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -749,18 +758,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
   for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
        tmp = strrchr (hname, '.'))
   {
@ -176,7 +175,7 @@ index acf160b..cc482dc 100644
   if( ( last != hname ) && (tmp != hname) )
       dn_buffer[i++] = hname;
   dn_buffer[i++] = last;
-@@ -825,6 +835,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+@@ -820,6 +832,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
   return dn;
 }
@ -192,5 +191,5 @@ index acf160b..cc482dc 100644
 /* Initialize LDAP Conn */
 void
 -- 
-2.14.5
+2.21.1
--- a/SOURCES/bind-9.15-resolver-ntasks.patch
+++ b/SOURCES/bind-9.15-resolver-ntasks.patch
@ -0,0 +1,58 @@
 From 6d6acf236841da5c2511f8afcd3e4a89af4c5658 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
 Date: Fri, 14 Feb 2020 09:18:48 +0100
 Subject: [PATCH] Use RESOLVER_NTASKS_PERCPU - 32 for regular tuning, 8 for
 small
 Modify original upstream commit 0d80266f7e3, add high limit of used
 tasks. Minimum would be lower on machines with few cpus, but maximum
 would stay unchanged. Should prevent negatives of this change.
 Signed-off-by: Petr Mensik <pemensik@redhat.com>
 ---
 bin/named/server.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
 diff --git a/bin/named/server.c b/bin/named/server.c
 index 39b1124..94b4daa 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -148,11 +148,13 @@
 #endif
 #ifdef TUNE_LARGE
 -#define RESOLVER_NTASKS 523
 +#define RESOLVER_NTASKS_MAX 523
 +#define RESOLVER_NTASKS_PERCPU 32
 #define UDPBUFFERS 32768
 #define EXCLBUFFERS 32768
 #else
 -#define RESOLVER_NTASKS 31
 +#define RESOLVER_NTASKS_MAX 31
 +#define RESOLVER_NTASKS_PERCPU 8
 #define UDPBUFFERS 1000
 #define EXCLBUFFERS 4096
 #endif /* TUNE_LARGE */
@@ -3318,7 +3320,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	ns_cache_t *nsc;
 	bool zero_no_soattl;
 	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
 -	unsigned int query_timeout, ndisp;
 +	unsigned int query_timeout, ndisp, ntasks;
 	bool old_rpz_ok = false;
 	isc_dscp_t dscp4 = -1, dscp6 = -1;
 	dns_dyndbctx_t *dctx = NULL;
@@ -3926,7 +3928,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	dns_view_setresquerystats(view, resquerystats);
 	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
 -	CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,
 +	ntasks = ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus,
 +		         RESOLVER_NTASKS_MAX);
 +	CHECK(dns_view_createresolver(view, ns_g_taskmgr, ntasks,
 				      ndisp, ns_g_socketmgr, ns_g_timermgr,
 				      resopts, ns_g_dispatchmgr,
 				      dispatch4, dispatch6));
 -- 
 2.34.1
--- a/SOURCES/bind-9.16-CVE-2022-3094-1.patch
+++ b/SOURCES/bind-9.16-CVE-2022-3094-1.patch
@ -0,0 +1,240 @@
 From 128b3b676eb9413b4d25fb29c560895cfbbfa92e Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 1 Sep 2022 16:05:04 -0700
 Subject: [PATCH] add an update quota
 limit the number of simultaneous DNS UPDATE events that can be
 processed by adding a quota for update and update forwarding.
 this quota currently, arbitrarily, defaults to 100.
 also add a statistics counter to record when the update quota
 has been exceeded.
 (cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
 ---
 bin/named/bind9.xsl              |  2 +-
 bin/named/bind9.xsl.h            |  8 +++++++-
 bin/named/include/named/server.h |  7 ++++++-
 bin/named/server.c               |  3 +++
 bin/named/statschannel.c         |  5 +++--
 bin/named/update.c               | 34 +++++++++++++++++++++++++++++++-
 doc/arm/Bv9ARM-book.xml          | 15 ++++++++++++++
 7 files changed, 68 insertions(+), 6 deletions(-)
 diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
 index 9a1c6ff..85fd4c4 100644
 --- a/bin/named/bind9.xsl
 +++ b/bin/named/bind9.xsl
@@ -12,7 +12,7 @@
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
   <xsl:output method="html" indent="yes" version="4.0"/>
 -  <xsl:template match="statistics[@version=&quot;3.8&quot;]">
 +  <xsl:template match="statistics[@version=&quot;3.8.1&quot;]">
     <html>
       <head>
         <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
 diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
 index 9ce8cd7..5e0a892 100644
 --- a/bin/named/bind9.xsl.h
 +++ b/bin/named/bind9.xsl.h
@@ -17,7 +17,13 @@ static char xslmsg[] =
 	"\n"
 	"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
 	" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
 -	" <xsl:template match=\"statistics[@version=&quot;3.8&quot;]\">\n"
 +#if 0
 +	" <!-- the version number **below** must match version in "
 +	"bin/named/statschannel.c -->\n"
 +	" <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
 +	"the HTTP endpoints listed below -->\n"
 +#endif
 +	" <xsl:template match=\"statistics[@version=&quot;3.8.1&quot;]\">\n"
 	" <html>\n"
 	" <head>\n"
 	" <script type=\"text/javascript\" src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"></script>\n"
 diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
 index 08a02dc..259acc7 100644
 --- a/bin/named/include/named/server.h
 +++ b/bin/named/include/named/server.h
@@ -137,6 +137,9 @@ struct ns_server {
 	uint16_t		transfer_tcp_message_size;
 	isc_rng_t *		rngctx;
 +
 +/* CVE-2022-3094 */
 +	isc_quota_t		updquota;
 };
 struct ns_altsecret {
@@ -230,7 +233,9 @@ enum {
 	dns_nsstatscounter_trystale = 59,
 	dns_nsstatscounter_usedstale = 60,
 -	dns_nsstatscounter_max = 61
 +	dns_nsstatscounter_updatequota = 61,
 +
 +	dns_nsstatscounter_max = 62
 };
 /*%
 diff --git a/bin/named/server.c b/bin/named/server.c
 index 2d2fa0e..f09b895 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -9143,6 +9143,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	result = isc_quota_init(&server->recursionquota, 100);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 +	result = isc_quota_init(&server->updquota, 100);
 +	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	result = dns_aclenv_init(mctx, &server->aclenv);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
@@ -9410,6 +9412,7 @@ ns_server_destroy(ns_server_t **serverp) {
 	dns_aclenv_destroy(&server->aclenv);
 +	isc_quota_destroy(&server->updquota);
 	isc_quota_destroy(&server->recursionquota);
 	isc_quota_destroy(&server->tcpquota);
 	isc_quota_destroy(&server->xfroutquota);
 diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
 index 56a9c21..1e8723c 100644
 --- a/bin/named/statschannel.c
 +++ b/bin/named/statschannel.c
@@ -300,6 +300,7 @@ init_desc(void) {
 	SET_NSSTATDESC(reclimitdropped,
 		       "queries dropped due to recursive client limit",
 		       "RecLimitDropped");
 +	SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
 	SET_NSSTATDESC(trystale,
 		       "attempts to use stale cache data after lookup failure",
 		       "QryTryStale");
@@ -1546,7 +1547,7 @@ generatexml(ns_server_t *server, uint32_t flags,
 			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
 -					 ISC_XMLCHAR "3.8"));
 +					 ISC_XMLCHAR "3.8.1"));
 	/* Set common fields for statistics dump */
 	dumparg.type = isc_statsformat_xml;
@@ -2303,7 +2304,7 @@ generatejson(ns_server_t *server, size_t *msglen,
 	/*
 	 * These statistics are included no matter which URL we use.
 	 */
 -	obj = json_object_new_string("1.2");
 +	obj = json_object_new_string("1.2.1");
 	CHECKMEM(obj);
 	json_object_object_add(bindstats, "json-stats-version", obj);
 diff --git a/bin/named/update.c b/bin/named/update.c
 index 6ad7d27..dccc543 100644
 --- a/bin/named/update.c
 +++ b/bin/named/update.c
@@ -1526,6 +1526,17 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
 	isc_task_t *zonetask = NULL;
 	ns_client_t *evclient;
 +	result = isc_quota_attach(&ns_g_server->updquota,
 +				  &(isc_quota_t *){ NULL });
 +	if (result != ISC_R_SUCCESS) {
 +		update_log(client, zone, LOGLEVEL_PROTOCOL,
 +			   "update failed: too many DNS UPDATEs queued (%s)",
 +			   isc_result_totext(result));
 +		isc_stats_increment(ns_g_server->nsstats,
 +				    dns_nsstatscounter_updatequota);
 +		CHECK(DNS_R_DROP);
 +	}
 +
 	event = (update_event_t *)
 		isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
 				   update_action, NULL, sizeof(*event));
@@ -1652,7 +1663,12 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 	 * We are still in the client task context, so we can
 	 * simply give an error response without switching tasks.
 	 */
 -	respond(client, result);
 +	if (result == DNS_R_DROP) {
 +		ns_client_next(client, result);
 +	} else {
 +		respond(client, result);
 +	}
 +
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 }
@@ -3385,6 +3401,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
 		dns_zone_detach(&uev->zone);
 	client->nupdates--;
 	respond(client, uev->result);
 +	isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
 	isc_event_free(&event);
 	ns_client_detach(&client);
 }
@@ -3402,6 +3419,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
 	INSIST(client->nupdates > 0);
 	client->nupdates--;
 	respond(client, DNS_R_SERVFAIL);
 +
 +	isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
 	isc_event_free(&event);
 	ns_client_detach(&client);
 }
@@ -3439,6 +3458,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
 	client->nupdates--;
 	ns_client_sendraw(client, uev->answer);
 	dns_message_detach(&uev->answer);
 +
 +	isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
 	isc_event_free(&event);
 	ns_client_detach(&client);
 }
@@ -3472,6 +3493,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
 	isc_task_t *zonetask = NULL;
 	ns_client_t *evclient;
 +	result = isc_quota_attach(&ns_g_server->updquota,
 +				  &(isc_quota_t *){ NULL });
 +	if (result != ISC_R_SUCCESS) {
 +		update_log(client, zone, LOGLEVEL_PROTOCOL,
 +			   "update failed: too many DNS UPDATEs queued (%s)",
 +			   isc_result_totext(result));
 +		isc_stats_increment(ns_g_server->nsstats,
 +				    dns_nsstatscounter_updatequota);
 +		return (DNS_R_DROP);
 +	}
 +
 	/*
 	 * This may take some time so replace this client.
 	 */
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
 index c17f168..9aca6d7 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
@@ -15105,6 +15105,21 @@ HOST-127.EXAMPLE. MX 0 .
 		      </para>
 		    </entry>
 		  </row>
 +		  <row rowsep="0">
 +		    <entry colname="1">
 +		      <para><command>UpdateQuota</command></para>
 +		    </entry>
 +		    <entry colname="2">
 +		      <para><command/></para>
 +		    </entry>
 +		    <entry colname="3">
 +		      <para>
 +			This indicates the number of times a dynamic update or update
 +			forwarding request was rejected because the number of pending
 +			requests exceeded the update quota.
 +		      </para>
 +		    </entry>
 +		  </row>
 		  <row rowsep="0">
 		    <entry colname="1">
 		      <para><command>RateDropped</command></para>
 -- 
 2.39.2
--- a/SOURCES/bind-9.16-CVE-2022-3094-2.patch
+++ b/SOURCES/bind-9.16-CVE-2022-3094-2.patch
@ -0,0 +1,136 @@
 From d9a03233c6ea11f20c2fbeca87b763673859f8b2 Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Thu, 1 Sep 2022 16:22:46 -0700
 Subject: [PATCH] add a configuration option for the update quota
 add an "update-quota" option to configure the update quota.
 (cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
 ---
 bin/named/config.c                   |  1 +
 bin/named/named.conf.docbook         |  2 ++
 bin/named/server.c                   |  1 +
 bin/tests/system/checkconf/good.conf |  1 +
 doc/arm/Bv9ARM-book.xml              | 11 +++++++++++
 doc/arm/options.grammar.xml          |  1 +
 doc/misc/options                     |  1 +
 lib/isccfg/namedconf.c               |  1 +
 8 files changed, 19 insertions(+)
 diff --git a/bin/named/config.c b/bin/named/config.c
 index 62d1e88..e3731cf 100644
 --- a/bin/named/config.c
 +++ b/bin/named/config.c
@@ -134,6 +134,7 @@ options {\n\
 	transfers-per-ns 2;\n\
 #	treat-cr-as-space <obsolete>;\n\
 	trust-anchor-telemetry yes;\n\
 +	update-quota 100;\n\
 #	use-id-pool <obsolete>;\n\
 #	use-ixfr <obsolete>;\n\
 \n\
 diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
 index 6565fce..5842cb5 100644
 --- a/bin/named/named.conf.docbook
 +++ b/bin/named/named.conf.docbook
@@ -455,6 +455,7 @@ options {
 	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	update-check-ksk <replaceable>boolean</replaceable>;
 +	update-quota <replaceable>integer</replaceable>;
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 	use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
 	use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
@@ -864,6 +865,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 		type ( delegation-only | forward | hint | master | redirect
 		    | slave | static-stub | stub );
 		update-check-ksk <replaceable>boolean</replaceable>;
 +		update-quota <replaceable>integer</replaceable>;
 		update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
 		    6to4-self | external | krb5-self | krb5-selfsub |
 		    krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
 diff --git a/bin/named/server.c b/bin/named/server.c
 index f09b895..7af90d0 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
@@ -7792,6 +7792,7 @@ load_configuration(const char *filename, ns_server_t *server,
 	configure_server_quota(maps, "tcp-clients", &server->tcpquota);
 	configure_server_quota(maps, "recursive-clients",
 			       &server->recursionquota);
 +	configure_server_quota(maps, "update-quota", &server->updquota);
 	if (server->recursionquota.max > 1000) {
 		int margin = ISC_MAX(100, ns_g_cpus + 1);
 diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
 index 1359cf3..5d9b292 100644
 --- a/bin/tests/system/checkconf/good.conf
 +++ b/bin/tests/system/checkconf/good.conf
@@ -63,6 +63,7 @@ options {
 	serial-queries 10;
 	serial-query-rate 100;
 	server-id none;
 +	update-quota 200;
 	max-cache-size 20000000000000;
 	nta-lifetime 604800;
 	nta-recheck 604800;
 diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
 index 9aca6d7..acf772b 100644
 --- a/doc/arm/Bv9ARM-book.xml
 +++ b/doc/arm/Bv9ARM-book.xml
@@ -8599,6 +8599,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      </listitem>
 	    </varlistentry>
 +	    <varlistentry>
 +	      <term><command>update-quota</command></term>
 +	      <listitem>
 +		<para>
 +		This is the maximum number of simultaneous DNS UPDATE messages that
 +		the server will accept for updating local authoritiative zones or
 +			forwarding to a primary server. The default is <userinput>100</userinput>.
 +		</para>
 +	      </listitem>
 +	    </varlistentry>
 +
 	  </variablelist>
 	</section>
 diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
 index 793ac0b..1d17ea8 100644
 --- a/doc/arm/options.grammar.xml
 +++ b/doc/arm/options.grammar.xml
@@ -277,6 +277,7 @@
 	<command>trust-anchor-telemetry</command> <replaceable>boolean</replaceable>; // experimental
 	<command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
 	<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
 +	<command>update-quota</command> <replaceable>integer</replaceable>;
 	<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
 	<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
 	<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
 diff --git a/doc/misc/options b/doc/misc/options
 index fde93c7..e6d6ba6 100644
 --- a/doc/misc/options
 +++ b/doc/misc/options
@@ -357,6 +357,7 @@ options {
         trust-anchor-telemetry <boolean>; // experimental
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
 +        update-quota <integer>;
         use-alt-transfer-source <boolean>;
         use-id-pool <boolean>; // obsolete
         use-ixfr <boolean>; // obsolete
 diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
 index b562f95..667111c 100644
 --- a/lib/isccfg/namedconf.c
 +++ b/lib/isccfg/namedconf.c
@@ -1136,6 +1136,7 @@ options_clauses[] = {
 	{ "transfers-out", &cfg_type_uint32, 0 },
 	{ "transfers-per-ns", &cfg_type_uint32, 0 },
 	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 +	{ "update-quota", &cfg_type_uint32, 0 },
 	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
 -- 
 2.39.2
--- a/SOURCES/bind-9.16-CVE-2022-3094-3.patch
+++ b/SOURCES/bind-9.16-CVE-2022-3094-3.patch
@ -0,0 +1,553 @@
 From cba333b262b7ee0034a66cc93cf27f6c4918eea2 Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Tue, 8 Nov 2022 17:32:41 -0800
 Subject: [PATCH] move update ACL and update-policy checks before quota
 check allow-update, update-policy, and allow-update-forwarding before
 consuming quota slots, so that unauthorized clients can't fill the
 quota.
 (this moves the access check before the prerequisite check, which
 violates the precise wording of RFC 2136. however, RFC co-author Paul
 Vixie has stated that the RFC is mistaken on this point; it should have
 said that access checking must happen *no later than* the completion of
 prerequisite checks, not that it must happen exactly then.)
 (cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
 ---
 bin/named/update.c | 440 ++++++++++++++++++++++++++++++---------------
 1 file changed, 298 insertions(+), 142 deletions(-)
 diff --git a/bin/named/update.c b/bin/named/update.c
 index 8853ee7..4d1fe78 100644
 --- a/bin/named/update.c
 +++ b/bin/named/update.c
@@ -251,6 +251,9 @@ static void updatedone_action(isc_task_t *task, isc_event_t *event);
 static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
 static void forward_done(isc_task_t *task, isc_event_t *event);
 static isc_result_t add_rr_prepare_action(void *data, rr_t *rr);
 +static isc_result_t
 +rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 +	  const dns_rdata_t *rdata, bool *flag);
 /**************************************************************************/
@@ -328,23 +331,24 @@ checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
 {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char classbuf[DNS_RDATACLASS_FORMATSIZE];
 -	int level;
 	isc_result_t result;
 +	bool update_possible =
 +		((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
 +		 ssutable != NULL);
 	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
 	if (result != ISC_R_SUCCESS) {
 +		int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
 +
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
 -		level = (updateacl == NULL && ssutable == NULL) ?
 -				ISC_LOG_INFO : ISC_LOG_ERROR;
 -
 		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
 			      NS_LOGMODULE_UPDATE, level,
 			      "update '%s/%s' denied due to allow-query",
 			      namebuf, classbuf);
 -	} else if (updateacl == NULL && ssutable == NULL) {
 +	} else if (!update_possible) {
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
@@ -1525,6 +1529,277 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
 	update_event_t *event = NULL;
 	isc_task_t *zonetask = NULL;
 	ns_client_t *evclient;
 +#if 1
 +	dns_ssutable_t *ssutable = NULL;
 +	dns_message_t *request = client->message;
 +	dns_rdataclass_t zoneclass;
 +	dns_rdatatype_t covers;
 +	dns_name_t *zonename = NULL;
 +	dns_db_t *db = NULL;
 +	dns_dbversion_t *ver = NULL;
 +
 +	CHECK(dns_zone_getdb(zone, &db));
 +	zonename = dns_db_origin(db);
 +	zoneclass = dns_db_class(db);
 +	dns_zone_getssutable(zone, &ssutable);
 +	dns_db_currentversion(db, &ver);
 +
 +	/*
 +	 * Update message processing can leak record existence information
 +	 * so check that we are allowed to query this zone.  Additionally,
 +	 * if we would refuse all updates for this zone, we bail out here.
 +	 */
 +	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
 +			    dns_zone_getorigin(zone),
 +			    dns_zone_getupdateacl(zone), ssutable));
 +
 +	/*
 +	 * Check requestor's permissions.
 +	 */
 +	if (ssutable == NULL)
 +		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
 +				     "update", zonename, false, false));
 +	else if (client->signer == NULL && !TCPCLIENT(client))
 +		CHECK(checkupdateacl(client, NULL, "update", zonename,
 +				     false, true));
 +
 +	if (dns_zone_getupdatedisabled(zone))
 +		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
 +				     "because the zone is frozen.  Use "
 +				     "'rndc thaw' to re-enable updates.");
 +
 +	/*
 +	 * Perform the Update Section Prescan.
 +	 */
 +
 +	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 +	     result == ISC_R_SUCCESS;
 +	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
 +	{
 +		dns_name_t *name = NULL;
 +		dns_rdata_t rdata = DNS_RDATA_INIT;
 +		dns_ttl_t ttl;
 +		dns_rdataclass_t update_class;
 +		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
 +			       &name, &rdata, &covers, &ttl, &update_class);
 +
 +		if (! dns_name_issubdomain(name, zonename))
 +			FAILC(DNS_R_NOTZONE,
 +			      "update RR is outside zone");
 +		if (update_class == zoneclass) {
 +			/*
 +			 * Check for meta-RRs.  The RFC2136 pseudocode says
 +			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
 +			 * "or any other QUERY metatype"
 +			 */
 +			if (dns_rdatatype_ismeta(rdata.type)) {
 +				FAILC(DNS_R_FORMERR,
 +				      "meta-RR in update");
 +			}
 +			result = dns_zone_checknames(zone, name, &rdata);
 +			if (result != ISC_R_SUCCESS)
 +				FAIL(DNS_R_REFUSED);
 +		} else if (update_class == dns_rdataclass_any) {
 +			if (ttl != 0 || rdata.length != 0 ||
 +			    (dns_rdatatype_ismeta(rdata.type) &&
 +			     rdata.type != dns_rdatatype_any))
 +				FAILC(DNS_R_FORMERR,
 +				      "meta-RR in update");
 +		} else if (update_class == dns_rdataclass_none) {
 +			if (ttl != 0 ||
 +			    dns_rdatatype_ismeta(rdata.type))
 +				FAILC(DNS_R_FORMERR,
 +				      "meta-RR in update");
 +		} else {
 +			update_log(client, zone, ISC_LOG_WARNING,
 +				   "update RR has incorrect class %d",
 +				   update_class);
 +			FAIL(DNS_R_FORMERR);
 +		}
 +
 +		/*
 +		 * draft-ietf-dnsind-simple-secure-update-01 says
 +		 * "Unlike traditional dynamic update, the client
 +		 * is forbidden from updating NSEC records."
 +		 */
 +		if (rdata.type == dns_rdatatype_nsec3) {
 +			FAILC(DNS_R_REFUSED,
 +			      "explicit NSEC3 updates are not allowed "
 +			      "in secure zones");
 +		} else if (rdata.type == dns_rdatatype_nsec) {
 +			FAILC(DNS_R_REFUSED,
 +			      "explicit NSEC updates are not allowed "
 +			      "in secure zones");
 +		} else if (rdata.type == dns_rdatatype_rrsig &&
 +			   !dns_name_equal(name, zonename)) {
 +			FAILC(DNS_R_REFUSED,
 +			      "explicit RRSIG updates are currently "
 +			      "not supported in secure zones except "
 +			      "at the apex");
 +		}
 +
 +		if (ssutable != NULL) {
 +			isc_netaddr_t netaddr;
 +			dst_key_t *tsigkey = NULL;
 +			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 +
 +			if (client->message->tsigkey != NULL)
 +				tsigkey = client->message->tsigkey->key;
 +
 +			if (rdata.type != dns_rdatatype_any) {
 +				if (!dns_ssutable_checkrules2
 +				    (ssutable, client->signer, name, &netaddr,
 +				     TCPCLIENT(client),
 +				     &ns_g_server->aclenv,
 +				     rdata.type, tsigkey))
 +				{
 +					FAILC(DNS_R_REFUSED,
 +					      "rejected by secure update");
 +				}
 +			} else {
 +				if (!ssu_checkall(db, ver, name, ssutable,
 +						  client->signer,
 +						  &netaddr,
 +						  TCPCLIENT(client),
 +						  tsigkey))
 +				{
 +					FAILC(DNS_R_REFUSED,
 +					      "rejected by secure update");
 +				}
 +			}
 +		}
 +	}
 +	if (result != ISC_R_NOMORE)
 +		FAIL(result);
 +
 +	update_log(client, zone, LOGLEVEL_DEBUG,
 +		   "update section prescan OK");
 +#if 0
 +	if (ssutable == NULL) {
 +		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
 +						// zonename
 +				     "update", dns_zone_getorigin(zone), false,
 +				     false));
 +	} else if (client->signer == NULL && !TCPCLIENT(client)) {
 +		CHECK(checkupdateacl(client, NULL, "update",
 +				     dns_zone_getorigin(zone), false, true));
 +	}
 +
 +	if (dns_zone_getupdatedisabled(zone)) {
 +		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
 +				     "because the zone is frozen.  Use "
 +				     "'rndc thaw' to re-enable updates.");
 +	}
 +
 +	/*
 +	 * Prescan the update section, checking for updates that
 +	 * are illegal or violate policy.
 +	 */
 +	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 +	     result == ISC_R_SUCCESS;
 +	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
 +	{
 +		dns_name_t *name = NULL;
 +		dns_rdata_t rdata = DNS_RDATA_INIT;
 +		dns_ttl_t ttl;
 +		dns_rdataclass_t update_class;
 +
 +		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
 +			       &rdata, &covers, &ttl, &update_class);
 +
 +		if (!dns_name_issubdomain(name, zonename)) {
 +			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
 +		}
 +		if (update_class == zoneclass) {
 +			/*
 +			 * Check for meta-RRs.  The RFC2136 pseudocode says
 +			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
 +			 * "or any other QUERY metatype"
 +			 */
 +			if (dns_rdatatype_ismeta(rdata.type)) {
 +				FAILC(DNS_R_FORMERR, "meta-RR in update");
 +			}
 +			result = dns_zone_checknames(zone, name, &rdata);
 +			if (result != ISC_R_SUCCESS) {
 +				FAIL(DNS_R_REFUSED);
 +			}
 +		} else if (update_class == dns_rdataclass_any) {
 +			if (ttl != 0 || rdata.length != 0 ||
 +			    (dns_rdatatype_ismeta(rdata.type) &&
 +			     rdata.type != dns_rdatatype_any))
 +			{
 +				FAILC(DNS_R_FORMERR, "meta-RR in update");
 +			}
 +		} else if (update_class == dns_rdataclass_none) {
 +			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
 +				FAILC(DNS_R_FORMERR, "meta-RR in update");
 +			}
 +		} else {
 +			update_log(client, zone, ISC_LOG_WARNING,
 +				   "update RR has incorrect class %d",
 +				   update_class);
 +			FAIL(DNS_R_FORMERR);
 +		}
 +
 +		/*
 +		 * draft-ietf-dnsind-simple-secure-update-01 says
 +		 * "Unlike traditional dynamic update, the client
 +		 * is forbidden from updating NSEC records."
 +		 */
 +		if (rdata.type == dns_rdatatype_nsec3) {
 +			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
 +					     "allowed "
 +					     "in secure zones");
 +		} else if (rdata.type == dns_rdatatype_nsec) {
 +			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
 +					     "allowed "
 +					     "in secure zones");
 +		} else if (rdata.type == dns_rdatatype_rrsig &&
 +			   !dns_name_equal(name, zonename))
 +		{
 +			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
 +					     "currently "
 +					     "not supported in secure zones "
 +					     "except "
 +					     "at the apex");
 +		}
 +
 +		if (ssutable != NULL) {
 +			isc_netaddr_t netaddr;
 +			dst_key_t *tsigkey = NULL;
 +			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 +
 +			if (client->message->tsigkey != NULL) {
 +				tsigkey = client->message->tsigkey->key;
 +			}
 +
 +			if (rdata.type != dns_rdatatype_any) {
 +				if (!dns_ssutable_checkrules(
 +					    ssutable, client->signer, name,
 +					    &netaddr, TCPCLIENT(client), env,
 +					    rdata.type, tsigkey))
 +				{
 +					FAILC(DNS_R_REFUSED, "rejected by "
 +							     "secure update");
 +				}
 +			} else {
 +				if (!ssu_checkall(db, ver, name, ssutable,
 +						  client->signer, &netaddr, env,
 +						  TCPCLIENT(client), tsigkey))
 +				{
 +					FAILC(DNS_R_REFUSED, "rejected by "
 +							     "secure update");
 +				}
 +			}
 +		}
 +	}
 +	if (result != ISC_R_NOMORE) {
 +		FAIL(result);
 +	}
 +
 +	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
 +#endif
 +#endif
 	result = isc_quota_attach(&ns_g_server->updquota,
 				  &(isc_quota_t *){ NULL });
@@ -1558,6 +1833,15 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
  failure:
 	if (event != NULL)
 		isc_event_free(ISC_EVENT_PTR(&event));
 +	if (db != NULL) {
 +		dns_db_closeversion(db, &ver, false);
 +		dns_db_detach(&db);
 +	}
 +
 +	if (ssutable != NULL) {
 +		dns_ssutable_detach(&ssutable);
 +	}
 +
 	return (result);
 }
@@ -1644,9 +1928,6 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 		CHECK(send_update_event(client, zone));
 		break;
 	case dns_zone_slave:
 -		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
 -				     "update forwarding", zonename, true,
 -				     false));
 		CHECK(send_forward_event(client, zone));
 		break;
 	default:
@@ -1656,7 +1937,6 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
  failure:
 	if (result == DNS_R_REFUSED) {
 -		INSIST(dns_zone_gettype(zone) == dns_zone_slave);
 		inc_stats(zone, dns_nsstatscounter_updaterej);
 	}
 	/*
@@ -2520,7 +2800,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_rdatatype_t covers;
 	dns_message_t *request = client->message;
 	dns_rdataclass_t zoneclass;
 -	dns_name_t *zonename;
 +	dns_name_t *zonename = NULL;
 	dns_ssutable_t *ssutable = NULL;
 	dns_fixedname_t tmpnamefixed;
 	dns_name_t *tmpname = NULL;
@@ -2542,14 +2822,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	zonename = dns_db_origin(db);
 	zoneclass = dns_db_class(db);
 	dns_zone_getssutable(zone, &ssutable);
 -
 -	/*
 -	 * Update message processing can leak record existence information
 -	 * so check that we are allowed to query this zone.  Additionally
 -	 * if we would refuse all updates for this zone we bail out here.
 -	 */
 -	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
 -			    dns_zone_getupdateacl(zone), ssutable));
 +	options = dns_zone_getoptions(zone);
 	/*
 	 * Get old and new versions now that queryacl has been checked.
@@ -2673,134 +2946,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	update_log(client, zone, LOGLEVEL_DEBUG,
 		   "prerequisites are OK");
 -	/*
 -	 * Check Requestor's Permissions.  It seems a bit silly to do this
 -	 * only after prerequisite testing, but that is what RFC2136 says.
 -	 */
 -	if (ssutable == NULL)
 -		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
 -				     "update", zonename, false, false));
 -	else if (client->signer == NULL && !TCPCLIENT(client))
 -		CHECK(checkupdateacl(client, NULL, "update", zonename,
 -				     false, true));
 -
 -	if (dns_zone_getupdatedisabled(zone))
 -		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
 -				     "because the zone is frozen.  Use "
 -				     "'rndc thaw' to re-enable updates.");
 -
 -	/*
 -	 * Perform the Update Section Prescan.
 -	 */
 -
 -	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 -	     result == ISC_R_SUCCESS;
 -	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
 -	{
 -		dns_name_t *name = NULL;
 -		dns_rdata_t rdata = DNS_RDATA_INIT;
 -		dns_ttl_t ttl;
 -		dns_rdataclass_t update_class;
 -		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
 -			       &name, &rdata, &covers, &ttl, &update_class);
 -
 -		if (! dns_name_issubdomain(name, zonename))
 -			FAILC(DNS_R_NOTZONE,
 -			      "update RR is outside zone");
 -		if (update_class == zoneclass) {
 -			/*
 -			 * Check for meta-RRs.  The RFC2136 pseudocode says
 -			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
 -			 * "or any other QUERY metatype"
 -			 */
 -			if (dns_rdatatype_ismeta(rdata.type)) {
 -				FAILC(DNS_R_FORMERR,
 -				      "meta-RR in update");
 -			}
 -			result = dns_zone_checknames(zone, name, &rdata);
 -			if (result != ISC_R_SUCCESS)
 -				FAIL(DNS_R_REFUSED);
 -		} else if (update_class == dns_rdataclass_any) {
 -			if (ttl != 0 || rdata.length != 0 ||
 -			    (dns_rdatatype_ismeta(rdata.type) &&
 -			     rdata.type != dns_rdatatype_any))
 -				FAILC(DNS_R_FORMERR,
 -				      "meta-RR in update");
 -		} else if (update_class == dns_rdataclass_none) {
 -			if (ttl != 0 ||
 -			    dns_rdatatype_ismeta(rdata.type))
 -				FAILC(DNS_R_FORMERR,
 -				      "meta-RR in update");
 -		} else {
 -			update_log(client, zone, ISC_LOG_WARNING,
 -				   "update RR has incorrect class %d",
 -				   update_class);
 -			FAIL(DNS_R_FORMERR);
 -		}
 -
 -		/*
 -		 * draft-ietf-dnsind-simple-secure-update-01 says
 -		 * "Unlike traditional dynamic update, the client
 -		 * is forbidden from updating NSEC records."
 -		 */
 -		if (rdata.type == dns_rdatatype_nsec3) {
 -			FAILC(DNS_R_REFUSED,
 -			      "explicit NSEC3 updates are not allowed "
 -			      "in secure zones");
 -		} else if (rdata.type == dns_rdatatype_nsec) {
 -			FAILC(DNS_R_REFUSED,
 -			      "explicit NSEC updates are not allowed "
 -			      "in secure zones");
 -		} else if (rdata.type == dns_rdatatype_rrsig &&
 -			   !dns_name_equal(name, zonename)) {
 -			FAILC(DNS_R_REFUSED,
 -			      "explicit RRSIG updates are currently "
 -			      "not supported in secure zones except "
 -			      "at the apex");
 -		}
 -
 -		if (ssutable != NULL) {
 -			isc_netaddr_t netaddr;
 -			dst_key_t *tsigkey = NULL;
 -			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 -
 -			if (client->message->tsigkey != NULL)
 -				tsigkey = client->message->tsigkey->key;
 -
 -			if (rdata.type != dns_rdatatype_any) {
 -				if (!dns_ssutable_checkrules2
 -				    (ssutable, client->signer, name, &netaddr,
 -				     TCPCLIENT(client),
 -				     &ns_g_server->aclenv,
 -				     rdata.type, tsigkey))
 -				{
 -					FAILC(DNS_R_REFUSED,
 -					      "rejected by secure update");
 -				}
 -			} else {
 -				if (!ssu_checkall(db, ver, name, ssutable,
 -						  client->signer,
 -						  &netaddr,
 -						  TCPCLIENT(client),
 -						  tsigkey))
 -				{
 -					FAILC(DNS_R_REFUSED,
 -					      "rejected by secure update");
 -				}
 -			}
 -		}
 -	}
 -	if (result != ISC_R_NOMORE)
 -		FAIL(result);
 -
 -	update_log(client, zone, LOGLEVEL_DEBUG,
 -		   "update section prescan OK");
 -
 	/*
 	 * Process the Update Section.
 	 */
 -	options = dns_zone_getoptions(zone);
 	options2 = dns_zone_getoptions2(zone);
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 	     result == ISC_R_SUCCESS;
@@ -3494,6 +3643,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
 	isc_task_t *zonetask = NULL;
 	ns_client_t *evclient;
 +	result = checkupdateacl(client, dns_zone_getforwardacl(zone),
 +				"update forwarding", dns_zone_getorigin(zone),
 +				true, false);
 +	if (result != ISC_R_SUCCESS) {
 +		return (result);
 +	}
 +
 	result = isc_quota_attach(&ns_g_server->updquota,
 				  &(isc_quota_t *){ NULL });
 	if (result != ISC_R_SUCCESS) {
 -- 
 2.39.2
--- a/SOURCES/bind-9.16-CVE-2022-3094-test.patch
+++ b/SOURCES/bind-9.16-CVE-2022-3094-test.patch
@ -0,0 +1,266 @@
 From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
 From: Evan Hunt <each@isc.org>
 Date: Wed, 9 Nov 2022 21:56:16 -0800
 Subject: [PATCH] test failure conditions
 verify that updates are refused when the client is disallowed by
 allow-query, and update forwarding is refused when the client is
 is disallowed by update-forwarding.
 verify that "too many DNS UPDATEs" appears in the log file when too
 many simultaneous updates are processing.
 (cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
 ---
 bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +
 bin/tests/system/nsupdate/tests.sh            | 28 +++++++++++++
 bin/tests/system/upforwd/clean.sh             |  2 +
 .../ns3/{named.conf.in => named1.conf.in}     |  7 +++-
 bin/tests/system/upforwd/ns3/named2.conf.in   | 41 +++++++++++++++++++
 bin/tests/system/upforwd/setup.sh             |  2 +-
 bin/tests/system/upforwd/tests.sh             | 40 ++++++++++++++++++
 7 files changed, 120 insertions(+), 2 deletions(-)
 rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
 create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
 diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
 index cb80269..228ad6a 100644
 --- a/bin/tests/system/nsupdate/ns1/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -20,6 +20,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
 +	update-quota 1;
 };
 key rndc_key {
@@ -76,6 +77,7 @@ zone "other.nil" {
 	check-integrity no;
 	check-mx warn;
 	update-policy local;
 +	allow-query { !10.53.0.2; any; };
 	allow-query-on { 10.53.0.1; 127.0.0.1; };
 	allow-transfer { any; };
 };
 diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
 index f8994ff..4cabf8d 100755
 --- a/bin/tests/system/nsupdate/tests.sh
 +++ b/bin/tests/system/nsupdate/tests.sh
@@ -1069,6 +1069,34 @@ END
 grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 +n=$((n + 1))
 +ret=0
 +echo_i "check that update is rejected if query is not allowed ($n)"
 +{
 +  $NSUPDATE -d <<END
 +  local 10.53.0.2
 +  server 10.53.0.1 ${PORT}
 +  update add reject.other.nil 3600 IN TXT Whatever
 +  send
 +END
 +} > nsupdate.out.test$n 2>&1
 +grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
 +[ $ret = 0 ] || { echo_i "failed"; status=1; }
 +
 +n=$((n + 1))
 +ret=0
 +echo_i "check that update is rejected if quota is exceeded ($n)"
 +for loop in 1 2 3 4 5 6 7 8 9 10; do
 +{
 +  $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
 +  update add txt-$loop.other.nil 3600 IN TXT Whatever
 +  send
 +END
 +} &
 +done
 +wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
 +[ $ret = 0 ] || { echo_i "failed"; status=1; }
 +
 if $FEATURETEST --gssapi ; then
   n=`expr $n + 1`
   ret=0
 diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
 index 15cf423..832c727 100644
 --- a/bin/tests/system/upforwd/clean.sh
 +++ b/bin/tests/system/upforwd/clean.sh
@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
 rm -f keyname
 rm -f ns*/named.lock
 rm -f ns1/example2.db
 +rm -f nsupdate.out.*
 +rm -f ns*/named.run.prev
 diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
 similarity index 85%
 rename from bin/tests/system/upforwd/ns3/named.conf.in
 rename to bin/tests/system/upforwd/ns3/named1.conf.in
 index e81cd1a..83a490f 100644
 --- a/bin/tests/system/upforwd/ns3/named.conf.in
 +++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -22,10 +22,15 @@ options {
 	notify yes;
 };
 +include "../../common/rndc.key";
 +controls {
 +	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 +};
 +
 zone "example" {
 	type slave;
 	file "example.bk";
 -	allow-update-forwarding { any; };
 +	allow-update-forwarding { 10.53.0.1; };
 	masters { 10.53.0.1; };
 };
 diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
 new file mode 100644
 index 0000000..992cd69
 --- /dev/null
 +++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -0,0 +1,41 @@
 +/*
 + * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 + *
 + * SPDX-License-Identifier: MPL-2.0
 + *
 + * This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0.  If a copy of the MPL was not distributed with this
 + * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 + *
 + * See the COPYRIGHT file distributed with this work for additional
 + * information regarding copyright ownership.
 + */
 +
 +options {
 +	query-source address 10.53.0.3;
 +	notify-source 10.53.0.3;
 +	transfer-source 10.53.0.3;
 +	port @PORT@;
 +	pid-file "named.pid";
 +	listen-on { 10.53.0.3; };
 +	listen-on-v6 { none; };
 +	recursion no;
 +	notify yes;
 +	update-quota 1;
 +};
 +
 +key rndc_key {
 +	secret "1234abcd8765";
 +	algorithm hmac-sha256;
 +};
 +
 +controls {
 +	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 +};
 +
 +zone "example" {
 +	type slave;
 +	file "example.bk";
 +	allow-update-forwarding { any; };
 +	masters { 10.53.0.1; };
 +};
 diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
 index 74c7ba3..928902b 100644
 --- a/bin/tests/system/upforwd/setup.sh
 +++ b/bin/tests/system/upforwd/setup.sh
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 -copy_setports ns3/named.conf.in ns3/named.conf
 +copy_setports ns3/named1.conf.in ns3/named.conf
 #
 # SIG(0) required cryptographic support which may not be configured.
 diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
 index f4c3216..ebc9ded 100644
 --- a/bin/tests/system/upforwd/tests.sh
 +++ b/bin/tests/system/upforwd/tests.sh
@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
 +RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 status=0
 n=1
@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 echo_i "updating zone (signed) ($n)"
 ret=0
 $NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
 +local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add updated.example. 600 A 10.10.10.1
 update add updated.example. 600 TXT Foo
@@ -116,6 +118,7 @@ n=`expr $n + 1`
 echo_i "updating zone (unsigned) ($n)"
 ret=0
 $NSUPDATE -- - <<EOF || ret=1
 +local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add unsigned.example. 600 A 10.10.10.1
 update add unsigned.example. 600 TXT Foo
@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
 do
 (
 $NSUPDATE -- - <<EOF 
 +local 10.53.0.1
 server 10.53.0.3 ${PORT}
 zone nomaster
 update add unsigned.nomaster. 600 A 10.10.10.1
@@ -181,6 +185,7 @@ then
 	ret=0
 	keyname=`cat keyname`
 	$NSUPDATE -k $keyname.private -- - <<EOF
 +	local 10.53.0.1
 	server 10.53.0.3 ${PORT}
 	zone example2
 	update add unsigned.example2. 600 A 10.10.10.1
@@ -194,5 +199,40 @@ EOF
 	n=`expr $n + 1`
 fi
 +echo_i "attempting an update that should be rejected by ACL ($n)"
 +ret=0
 +{
 +        $NSUPDATE -- - << EOF
 +        local 10.53.0.2
 +        server 10.53.0.3 ${PORT}
 +        update add another.unsigned.example. 600 A 10.10.10.2
 +        update add another.unsigned.example. 600 TXT Bar
 +        send
 +EOF
 +} > nsupdate.out.$n 2>&1
 +grep REFUSED nsupdate.out.$n > /dev/null || ret=1
 +if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 +n=`expr $n + 1`
 +
 +n=$((n + 1))
 +ret=0
 +echo_i "attempting updates that should exceed quota ($n)"
 +# lower the update quota to 1.
 +copy_setports ns3/named2.conf.in ns3/named.conf
 +$RNDCCMD 10.53.0.3 reconfig
 +nextpart ns3/named.run > /dev/null
 +for loop in 1 2 3 4 5 6 7 8 9 10; do
 +{
 +  $NSUPDATE -- - > /dev/null 2>&1 <<END
 +  local 10.53.0.1
 +  server 10.53.0.3 ${PORT}
 +  update add txt-$loop.unsigned.example 300 IN TXT Whatever
 +  send
 +END
 +} &
 +done
 +wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
 +[ $ret = 0 ] || { echo_i "failed"; status=1; }
 +
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
 -- 
 2.39.2
--- a/SOURCES/bind-9.16-CVE-2022-38177.patch
+++ b/SOURCES/bind-9.16-CVE-2022-38177.patch
@ -0,0 +1,27 @@
 From 0095b8a6b09173ab5eb48611dc0233d2a6337dc1 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Tue, 20 Sep 2022 11:21:45 +0200
 Subject: [PATCH] Fix CVE-2022-38177
 5961.	[security]	Fix memory leak in ECDSA verify processing.
 			(CVE-2022-38177) [GL #3487]
 ---
 lib/dns/opensslecdsa_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
 index 83b5b51..7576e04 100644
 --- a/lib/dns/opensslecdsa_link.c
 +++ b/lib/dns/opensslecdsa_link.c
@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 		siglen = DNS_SIG_ECDSA384SIZE;
 	if (sig->length != siglen)
 -		return (DST_R_VERIFYFAILURE);
 +		DST_RET(DST_R_VERIFYFAILURE);
 	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
 		DST_RET (dst__openssl_toresult3(dctx->category,
 -- 
 2.37.3
--- a/SOURCES/bind-9.16-CVE-2022-38178.patch
+++ b/SOURCES/bind-9.16-CVE-2022-38178.patch
@ -0,0 +1,27 @@
 From bb68864bf05d29df644427ec841bc3db6a336519 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Tue, 20 Sep 2022 11:22:47 +0200
 Subject: [PATCH] Fix CVE-2022-38178
 5962.	[security]	Fix memory leak in EdDSA verify processing.
 			(CVE-2022-38178) [GL #3487]
 ---
 lib/dns/openssleddsa_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
 index 8b115ec..4f3c2a8 100644
 --- a/lib/dns/openssleddsa_link.c
 +++ b/lib/dns/openssleddsa_link.c
@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 		siglen = DNS_SIG_ED448SIZE;
 	if (sig->length != siglen)
 -		return (DST_R_VERIFYFAILURE);
 +		DST_RET(DST_R_VERIFYFAILURE);
 	isc_buffer_usedregion(buf, &tbsreg);
 -- 
 2.37.3
--- a/SOURCES/bind-9.16-CVE-2023-3341.patch
+++ b/SOURCES/bind-9.16-CVE-2023-3341.patch
@ -0,0 +1,166 @@
 From 3883ec072e5feed1237dc864854ab95ded7302d6 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Tue, 19 Sep 2023 13:14:52 +0200
 Subject: [PATCH] Backport of CVE-2023-3341 fix
 Taken from BIND 9.16.44 change.
 ---
 lib/isccc/cc.c                   | 36 +++++++++++++++++++++++---------
 lib/isccc/include/isccc/result.h |  4 +++-
 lib/isccc/result.c               |  4 +++-
 3 files changed, 32 insertions(+), 12 deletions(-)
 diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
 index 463a053..a54e60c 100644
 --- a/lib/isccc/cc.c
 +++ b/lib/isccc/cc.c
@@ -53,6 +53,10 @@
 #define MAX_TAGS		256
 #define DUP_LIFETIME		900
 +#ifndef ISCCC_MAXDEPTH
 +#define ISCCC_MAXDEPTH \
 +	10 /* Big enough for rndc which just sends a string each way. */
 +#endif
 typedef isccc_sexpr_t *sexpr_ptr;
@@ -573,19 +577,23 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
 static isc_result_t
 table_fromwire(isccc_region_t *source, isccc_region_t *secret,
 -	       uint32_t algorithm, isccc_sexpr_t **alistp);
 +	       uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
 static isc_result_t
 -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
 +list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp);
 static isc_result_t
 -value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
 +value_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **valuep) {
 	unsigned int msgtype;
 	uint32_t len;
 	isccc_sexpr_t *value;
 	isccc_region_t active;
 	isc_result_t result;
 +	if (depth > ISCCC_MAXDEPTH) {
 +		return (ISCCC_R_MAXDEPTH);
 +	}
 +
 	if (REGION_SIZE(*source) < 1 + 4)
 		return (ISC_R_UNEXPECTEDEND);
 	GET8(msgtype, source->rstart);
@@ -603,9 +611,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
 		} else
 			result = ISC_R_NOMEMORY;
 	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
 -		result = table_fromwire(&active, NULL, 0, valuep);
 +		result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
 	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
 -		result = list_fromwire(&active, valuep);
 +		result = list_fromwire(&active, depth + 1, valuep);
 	else
 		result = ISCCC_R_SYNTAX;
@@ -614,7 +622,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
 static isc_result_t
 table_fromwire(isccc_region_t *source, isccc_region_t *secret,
 -	       uint32_t algorithm, isccc_sexpr_t **alistp)
 +	       uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
 {
 	char key[256];
 	uint32_t len;
@@ -625,6 +633,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
 	REQUIRE(alistp != NULL && *alistp == NULL);
 +	if (depth > ISCCC_MAXDEPTH) {
 +		return (ISCCC_R_MAXDEPTH);
 +	}
 +
 	checksum_rstart = NULL;
 	first_tag = true;
 	alist = isccc_alist_create();
@@ -640,7 +652,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
 		GET_MEM(key, len, source->rstart);
 		key[len] = '\0';	/* Ensure NUL termination. */
 		value = NULL;
 -		result = value_fromwire(source, &value);
 +		result = value_fromwire(source, depth + 1, &value);
 		if (result != ISC_R_SUCCESS)
 			goto bad;
 		if (isccc_alist_define(alist, key, value) == NULL) {
@@ -673,14 +685,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
 }
 static isc_result_t
 -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
 +list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
 	isccc_sexpr_t *list, *value;
 	isc_result_t result;
 +	if (depth > ISCCC_MAXDEPTH) {
 +		return (ISCCC_R_MAXDEPTH);
 +	}
 +
 	list = NULL;
 	while (!REGION_EMPTY(*source)) {
 		value = NULL;
 -		result = value_fromwire(source, &value);
 +		result = value_fromwire(source, depth + 1, &value);
 		if (result != ISC_R_SUCCESS) {
 			isccc_sexpr_free(&list);
 			return (result);
@@ -711,7 +727,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
 	if (version != 1)
 		return (ISCCC_R_UNKNOWNVERSION);
 -	return (table_fromwire(source, secret, algorithm, alistp));
 +	return (table_fromwire(source, secret, algorithm, 0, alistp));
 }
 static isc_result_t
 diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
 index 6c79dd7..b30b08a 100644
 --- a/lib/isccc/include/isccc/result.h
 +++ b/lib/isccc/include/isccc/result.h
@@ -47,8 +47,10 @@
 #define ISCCC_R_CLOCKSKEW		(ISC_RESULTCLASS_ISCCC + 4)
 /*% Duplicate */
 #define ISCCC_R_DUPLICATE		(ISC_RESULTCLASS_ISCCC + 5)
 +/*% Maximum recursion depth */
 +#define ISCCC_R_MAXDEPTH		(ISC_RESULTCLASS_ISCCC + 6)
 -#define ISCCC_R_NRESULTS 		6	/*%< Number of results */
 +#define ISCCC_R_NRESULTS 		7	/*%< Number of results */
 ISC_LANG_BEGINDECLS
 diff --git a/lib/isccc/result.c b/lib/isccc/result.c
 index 8419bbb..a3a3b9a 100644
 --- a/lib/isccc/result.c
 +++ b/lib/isccc/result.c
@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
 	"bad auth",				/* 3 */
 	"expired",				/* 4 */
 	"clock skew",				/* 5 */
 -	"duplicate"				/* 6 */
 +	"duplicate",				/* 6 */
 +	"max depth",				/* 7 */
 };
 static const char *ids[ISCCC_R_NRESULTS] = {
@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
 	"ISCCC_R_EXPIRED",
 	"ISCCC_R_CLOCKSKEW",
 	"ISCCC_R_DUPLICATE",
 +	"ISCCC_R_MAXDEPTH"
 };
 #define ISCCC_RESULT_RESULTSET			2
 -- 
 2.41.0
--- a/SOURCES/bind-9.16-update-b.root-servers.net.patch
+++ b/SOURCES/bind-9.16-update-b.root-servers.net.patch
@ -0,0 +1,31 @@
 From 4e595a6b961e73af43350833109ccba0950119f9 Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Thu, 12 Oct 2023 10:19:38 +1100
 Subject: [PATCH] Update b.root-servers.net IP addresses
 This covers both root hints and the default primaries for the root
 zone mirror.  The official change date is Nov 27, 2023.
 (cherry picked from commit 2ca2f7e9852a3d6e93f065c01ea4679f723688f7)
 ---
 lib/dns/rootns.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
 index 9653f3b..d6ff76e 100644
 --- a/lib/dns/rootns.c
 +++ b/lib/dns/rootns.c
@@ -56,8 +56,8 @@ static char root_ns[] =
 ".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
 "A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
 "A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
 -"B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201\n"
 -"B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b\n"
 +"B.ROOT-SERVERS.NET.     3600000 IN      A       170.247.170.2\n"
 +"B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2801:1b8:10::b\n"
 "C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
 "C.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2::c\n"
 "D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13\n"
 -- 
 2.43.0
--- a/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
+++ b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
@ -0,0 +1,85 @@
 From 8a9b9ff5a8b2443f7df4f60397ad215931ba44f1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Tue, 7 Jan 2025 15:22:40 +0100
 Subject: [PATCH] Isolate using the -T noaa flag only for part of the resolver
 test
 Instead of running the whole resolver/ns4 server with -T noaa flag,
 use it only for the part where it is actually needed.  The -T noaa
 could interfere with other parts of the test because the answers don't
 have the authoritative-answer bit set, and we could have false
 positives (or false negatives) in the test because the authoritative
 server doesn't follow the DNS protocol for all the tests in the resolver
 system test.
 (cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
 ---
 bin/tests/system/conf.sh.in              | 12 ++++++++++++
 bin/tests/system/resolver/ns4/named.noaa |  5 -----
 bin/tests/system/resolver/tests.sh       |  8 ++++++++
 3 files changed, 20 insertions(+), 5 deletions(-)
 delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
 diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
 index 06852f5..f77f7de 100644
 --- a/bin/tests/system/conf.sh.in
 +++ b/bin/tests/system/conf.sh.in
@@ -305,6 +305,18 @@ digcomp() {
     return $result
 }
 +start_server() {
 +    $PERL "$SYSTEMTESTTOP/start.pl" "$SYSTESTDIR" "$@"
 +}
 +
 +stop_server() {
 +    $PERL "$SYSTEMTESTTOP/stop.pl" "$SYSTESTDIR" "$@"
 +}
 +
 +send() {
 +    $PERL "$SYSTEMTESTTOP/send.pl" "$@"
 +}
 +
 #
 # Useful functions in test scripts
 #
 diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
 deleted file mode 100644
 index 3b121ad..0000000
 --- a/bin/tests/system/resolver/ns4/named.noaa
 +++ /dev/null
@@ -1,5 +0,0 @@
 -Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 -
 -See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
 -
 -Add -T noaa.
 diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
 index 6eb52fe..bf37467 100755
 --- a/bin/tests/system/resolver/tests.sh
 +++ b/bin/tests/system/resolver/tests.sh
@@ -281,6 +281,10 @@ done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +stop_server ns4
 +touch ns4/named.noaa
 +start_server --noclean --restart --port ${PORT} ns4 || ret=1
 +
 n=`expr $n + 1`
 echo_i "RT21594 regression test check setup ($n)"
 ret=0
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 +stop_server ns4
 +rm ns4/named.noaa
 +start_server --noclean --restart --port ${PORT} ns4 || ret=1
 +
 n=`expr $n + 1`
 echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
 ret=0
 -- 
 2.48.1
--- a/SOURCES/bind-9.18-CVE-2024-11187.patch
+++ b/SOURCES/bind-9.18-CVE-2024-11187.patch
@ -0,0 +1,151 @@
 From ca6c3446ef07d89fd3a28b6979d947af2ab5754f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
 Date: Thu, 14 Nov 2024 10:37:29 +0100
 Subject: [PATCH] Limit the additional processing for large RDATA sets
 When answering queries, don't add data to the additional section if
 the answer has more than 13 names in the RDATA.  This limits the
 number of lookups into the database(s) during a single client query,
 reducing query processing load.
 Also, don't append any additional data to type=ANY queries. The
 answer to ANY is already big enough.
 (cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
 PatchNumber: 47
 ---
 bin/named/query.c                    | 14 ++++++++------
 bin/tests/system/additional/tests.sh |  2 +-
 lib/dns/include/dns/rdataset.h       | 12 ++++++++++++
 lib/dns/rdataset.c                   | 12 ++++++++++++
 4 files changed, 33 insertions(+), 7 deletions(-)
 diff --git a/bin/named/query.c b/bin/named/query.c
 index 51a29a8..e023d74 100644
 --- a/bin/named/query.c
 +++ b/bin/named/query.c
@@ -1835,9 +1835,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		 * section, it's helpful if we add the SRV additional data
 		 * as well.
 		 */
 -		eresult = dns_rdataset_additionaldata(trdataset,
 -						      query_addadditional,
 -						      client);
 +		eresult = dns_rdataset_additionaldata2(trdataset,
 +						       query_addadditional,
 +						       client,
 +						       DNS_RDATASET_MAXADDITIONAL);
 	}
  cleanup:
@@ -2432,7 +2433,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 						       rdataset->rdclass);
 	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
 -	if (NOADDITIONAL(client))
 +	if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
 		return;
 	/*
@@ -2442,8 +2443,9 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
 	 */
 	additionalctx.client = client;
 	additionalctx.rdataset = rdataset;
 -	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
 -					  &additionalctx);
 +	(void)dns_rdataset_additionaldata2(rdataset, query_addadditional2,
 +					   &additionalctx,
 +					   DNS_RDATASET_MAXADDITIONAL);
 	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
 }
 diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
 index 6400723..a33cc8a 100644
 --- a/bin/tests/system/additional/tests.sh
 +++ b/bin/tests/system/additional/tests.sh
@@ -261,7 +261,7 @@ n=`expr $n + 1`
 echo_i "testing with 'minimal-any no;' ($n)"
 ret=0
 $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
 -grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
 +grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
 if [ $ret -eq 1 ] ; then
     echo_i "failed"; status=`expr status + 1`
 fi
 diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
 index 710e97c..b3532f6 100644
 --- a/lib/dns/include/dns/rdataset.h
 +++ b/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
 #include <dns/types.h>
 #include <dns/rdatastruct.h>
 +#define DNS_RDATASET_MAXADDITIONAL 13
 +
 ISC_LANG_BEGINDECLS
 typedef enum {
@@ -501,13 +503,23 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
  *\li	If a call to dns_rdata_additionaldata() is not successful, the
  *	result returned will be the result of dns_rdataset_additionaldata().
  *
 + *\li	If 'limit' is non-zero and the number of the rdatasets is larger
 + *	than 'limit', no additional data will be processed.
 + *
  * Returns:
  *
  *\li	#ISC_R_SUCCESS
  *
 + *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
 + *
  *\li	Any error that dns_rdata_additionaldata() can return.
  */
 +isc_result_t
 +dns_rdataset_additionaldata2(dns_rdataset_t	   *rdataset,
 +			     dns_additionaldatafunc_t add, void *arg,
 +			     size_t limit);
 +
 isc_result_t
 dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
 			dns_rdataset_t *neg, dns_rdataset_t *negsig);
 diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
 index b42dea5..5160acf 100644
 --- a/lib/dns/rdataset.c
 +++ b/lib/dns/rdataset.c
@@ -28,6 +28,7 @@
 #include <dns/ncache.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 +#include <dns/result.h>
 static const char *trustnames[] = {
 	"none",
@@ -608,6 +609,13 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 			    dns_additionaldatafunc_t add, void *arg)
 +{
 +	return dns_rdataset_additionaldata2(rdataset, add, arg, 0);
 +}
 +
 +isc_result_t
 +dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
 +			    dns_additionaldatafunc_t add, void *arg, size_t limit)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -620,6 +628,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
 +	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
 +		return DNS_R_TOOMANYRECORDS;
 +	}
 +
 	result = dns_rdataset_first(rdataset);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 -- 
 2.48.1
--- a/SOURCES/bind-9.3.2-redhat_doc.patch
+++ b/SOURCES/bind-9.3.2-redhat_doc.patch
@ -1,62 +1,98 @@
-diff --git a/bin/named/named.8 b/bin/named/named.8
+From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
-index cd990a9..890be36 100644
+From: Petr Mensik <pemensik@redhat.com>
--- a/bin/named/named.8
+Date: Thu, 26 Nov 2020 12:13:10 +0100
-+++ b/bin/named/named.8
+Subject: [PATCH] Note specific Red Hat changes in manual page
-@@ -358,6 +358,57 @@ The default configuration file\&.
+
- /var/run/named/named\&.pid
+Change docbook template instead of generated manual page. Remove
- .RS 4
+system-config-bind reference, package were discontinued.
- The default process\-id file\&.
+---
-+.PP
+ bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
-+.SH "NOTES"
+ 1 file changed, 73 insertions(+)
-+.PP
+
-+.TP
+diff --git a/bin/named/named.docbook b/bin/named/named.docbook
-+\fBRed Hat SELinux BIND Security Profile:\fR
+index 7e743a9..802bec3 100644
-+.PP
+--- a/bin/named/named.docbook
-+By default, Red Hat ships BIND with the most secure SELinux policy
+++ b/bin/named/named.docbook
-+that will not prevent normal BIND operation and will prevent exploitation
+@@ -516,6 +516,79 @@
-+of all known BIND security vulnerabilities . See the selinux(8) man page
+ 
-+for information about SElinux.
+   </refsection>
-+.PP
+ 
-+It is not necessary to run named in a chroot environment if the Red Hat
+  <refsection><info><title>NOTES</title></info>
-+SELinux policy for named is enabled. When enabled, this policy is far
+    <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
-+more secure than a chroot environment. Users are recommended to enable
+
-+SELinux and remove the bind-chroot package.
+    <para>
-+.PP
+    By default, Red Hat ships BIND with the most secure SELinux policy
-+With this extra security comes some restrictions:
+    that will not prevent normal BIND operation and will prevent exploitation
-+.PP
+    of all known BIND security vulnerabilities . See the selinux(8) man page
-+By default, the SELinux policy does not allow named to write any master
+    for information about SElinux.
-+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+    </para>
-+zone database file directory (the options { "directory" } option), where
+
-+$ROOTDIR is set in /etc/sysconfig/named.
+    <para>
-+.PP
+    It is not necessary to run named in a chroot environment if the Red Hat
-+The "named" group must be granted read privelege to
+    SELinux policy for named is enabled. When enabled, this policy is far
-+these files in order for named to be enabled to read them.
+    more secure than a chroot environment. Users are recommended to enable
-+.PP
+    SELinux and remove the bind-chroot package.
-+Any file created in the zone database file directory is automatically assigned
+    </para>
-+the SELinux file context named_zone_t .
+
-+.PP
+    <para>
-+By default, SELinux prevents any role from modifying named_zone_t files; this
+    With this extra security comes some restrictions:
-+means that files in the zone database directory cannot be modified by dynamic
+    </para>
-+DNS (DDNS) updates or zone transfers.
+
-+.PP
+    <para>
-+The Red Hat BIND distribution and SELinux policy creates three directories where
+    By default, the SELinux policy allows named to write any master
-+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+    zone database files. Only the root user may create files in the $ROOTDIR/var/named
-+/var/named/data. By placing files you want named to modify, such as
+    zone database file directory (the options { "directory" } option), where
-+slave or DDNS updateable zone files and database / statistics dump files in
+    $ROOTDIR is set in /etc/sysconfig/named.
-+these directories, named will work normally and no further operator action is
+    </para>
-+required. Files in these directories are automatically assigned the 'named_cache_t'
+
-+file context, which SELinux allows named to write.
+    <para>
-+.PP
+    The "named" group must be granted read privelege to
-+\fBRed Hat BIND SDB support:\fR
+    these files in order for named to be enabled to read them.
-+.PP
+    </para>
-+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+
-+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
+    <para>
-+.PP
+    Any file created in the zone database file directory is automatically assigned
-+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
+    the SELinux file context named_zone_t .
-+.PP
+    </para>
-+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+
-+.br
+    <para>
-+.PP
+    By default, SELinux prevents any role from modifying named_zone_t files; this
- .RE
+    means that files in the zone database directory cannot be modified by dynamic
- .SH "SEE ALSO"
+    DNS (DDNS) updates or zone transfers.
- .PP
+    </para>
 +
 +    <para>
 +    The Red Hat BIND distribution and SELinux policy creates three directories where
 +    named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
 +    /var/named/data. By placing files you want named to modify, such as
 +    slave or DDNS updateable zone files and database / statistics dump files in
 +    these directories, named will work normally and no further operator action is
 +    required. Files in these directories are automatically assigned the 'named_cache_t'
 +    file context, which SELinux allows named to write.
 +    </para>
 +    </refsection>
 +
 +    <refsection><info><title>Red Hat BIND SDB support</title></info>
 +
 +    <para>
 +    Red Hat ships named with compiled in Simplified Database Backend modules that ISC
 +    provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
 +    </para>
 +
 +    <para>
 +    The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
 +    </para>
 +
 +    <para>
 +    See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
 +    </para>
 +    </refsection>
 +
 +  </refsection>
 +
   <refsection><info><title>SEE ALSO</title></info>
     <para><citetitle>RFC 1033</citetitle>,
 -- 
 2.26.2
--- a/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
+++ b/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
@ -1,5 +1,5 @@
 diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
-index 95ab742..6069f09 100644
+index 95ab742..5059a17 100644
 --- a/bin/sdb_tools/Makefile.in
 +++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
 -TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-+TARGETS =	zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
 -OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
-+OBJS	=	zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
 -SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c
-+SRCS    =       zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
+SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
 MANPAGES =      zone2ldap.1
-@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
+@@ -47,6 +47,9 @@ EXT_CFLAGS =
- zone2sqlite@EXEEXT@: zone2sqlite.@O@  ${DEPLIBS}
+ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
- 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
 +ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
 +	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
 +
- clean distclean manclean maintainer-clean::
+ zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
- 	rm -f ${TARGETS} ${OBJS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
-@@ -62,6 +65,7 @@ installdirs:
+@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
 install:: ${TARGETS} installdirs
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
 +	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
 diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
-index 23dd873..d56bc56 100644
+index e0e9207..d59936c 100644
 --- a/bin/sdb_tools/zone2ldap.c
 +++ b/bin/sdb_tools/zone2ldap.c
-@@ -65,6 +66,9 @@ ldap_info;
+@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
- /* usage Info */
+ void init_ldap_conn (void);
 void usage (void);
-+/* Check for existence of (and possibly add) containing dNSZone objects */
+ /* Ldap error checking */
-+int lookup_dns_zones( ldap_info *ldinfo);
+-void ldap_result_check (const char *msg, char *dn, int err);
-+
+void ldap_result_check (const char *msg, const char *dn, int err);
 /* Add to the ldap dit */
 void add_ldap_values (ldap_info * ldinfo);
-@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
+ /* Put a hostname into a char ** array */
 char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
 int get_attr_list_size (char **tmp);
 /* Get a DN */
@ -58,7 +55,7 @@ index 23dd873..d56bc56 100644
 /* Add to RR list */
 void add_to_rr_list (char *dn, char *name, char *type, char *data,
-@@ -103,11 +107,27 @@ void
+@@ -104,11 +104,26 @@ void
 init_ldap_conn ();
 void usage();
@ -87,11 +84,19 @@ index 23dd873..d56bc56 100644
 +static char *objectClasses    []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
 +static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
 +static char *dn_buffer      [64]={NULL};
 +
 LDAP *conn;
 unsigned int debug = 0;
-@@ -131,12 +151,12 @@ main (int argc, char **argv)
+@@ -120,7 +135,7 @@ static void
 fatal(const char *msg) {
   perror(msg);
   if (conn != NULL)
 -    ldap_unbind_s(conn);
 +    ldap_unbind_ext_s(conn, NULL, NULL);
   exit(1);
 }
@@ -132,12 +147,13 @@ main (int argc, char **argv)
   isc_result_t result;
   char *basedn;
   ldap_info *tmp;
@ -102,12 +107,12 @@ index 23dd873..d56bc56 100644
   isc_buffer_t buff;
   char *zonefile=0L;
   char fullbasedn[1024];
-  char *ctmp;
+   char *ctmp;
-+  char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
+  char *zn, *dcp[2], *znp[2], *rdn[2];
   dns_fixedname_t fixedzone, fixedname;
   dns_rdataset_t rdataset;
   char **dc_list;
-@@ -149,7 +169,7 @@ main (int argc, char **argv)
+@@ -150,7 +166,7 @@ main (int argc, char **argv)
   extern char *optarg;
   extern int optind, opterr, optopt;
   int create_base = 0;
@ -116,7 +121,7 @@ index 23dd873..d56bc56 100644
   if (argc < 2)
     {
-@@ -157,7 +177,7 @@ main (int argc, char **argv)
+@@ -158,7 +174,7 @@ main (int argc, char **argv)
       exit (-1);
     }
@ -125,7 +130,7 @@ index 23dd873..d56bc56 100644
     {
       switch (topt)
 	{
-@@ -180,6 +200,9 @@ main (int argc, char **argv)
+@@ -181,6 +197,9 @@ main (int argc, char **argv)
 	  if (bindpw == NULL)
 	    fatal("strdup");
 	  break;
@ -135,34 +140,26 @@ index 23dd873..d56bc56 100644
 	case 'b':
 	  ldapbase = strdup (optarg);
 	  if (ldapbase == NULL)
-@@ -301,27 +324,62 @@ main (int argc, char **argv)
+@@ -302,17 +321,51 @@ main (int argc, char **argv)
     {
       if (debug)
 	printf ("Creating base zone DN %s\n", argzone);
-
+ 
 +      
       dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
 -      basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
 -      for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
 +      basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
 +      if (debug)
 +	printf ("base DN %s\n", basedn);
-+
+ 
 -      for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
 +      for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
 	{
-	  if ((*ctmp == ',') || (ctmp == &basedn[0]))
+ 	  if ((*ctmp == ',') || (ctmp == &basedn[0]))
 +	    if ((*ctmp == ',') || (ctmp == &basedn[0]))
 	    {
 +
 	      base.mod_op = LDAP_MOD_ADD;
 -	      base.mod_type = (char*)"objectClass";
 -	      base.mod_values = (char**)topObjectClasses;
 +	      base.mod_type = objectClass;
-+	      base.mod_values = topObjectClasses;
+ 	      base.mod_values = (char**)topObjectClasses;
 	      base_attrs[0] = (void*)&base;
 -	      base_attrs[1] = NULL;
 -
 +
 +	      dcBase.mod_op = LDAP_MOD_ADD;
 +	      dcBase.mod_type = dc;
@ -196,19 +193,10 @@ index 23dd873..d56bc56 100644
 +
 +	      base.mod_values = topObjectClasses;
 +	      base_attrs[4] = NULL;
-+	      
+ 
 	      if (ldapbase)
 		{
- 		  if (ctmp != &basedn[0])
+@@ -329,6 +382,10 @@ main (int argc, char **argv)
 		    sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
 		  else
 -		    sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
 -
 +		    sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);		  
 		}
 	      else
 		{
@@ -330,8 +388,13 @@ main (int argc, char **argv)
 		  else
 		    sprintf (fullbasedn, "%s", ctmp);
 		}
@ -217,12 +205,9 @@ index 23dd873..d56bc56 100644
 +		  printf("Full base dn: %s\n", fullbasedn);
 +
 	      result = ldap_add_s (conn, fullbasedn, base_attrs);
- 	      ldap_result_check ("intial ldap_add_s", fullbasedn, result);
+ 	      ldap_result_check ("initial ldap_add_s", fullbasedn, result);
 +
 	    }
- 
+@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
 	}
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
   isc_result_check (result, "dns_rdata_totext");
   data[isc_buffer_usedlength (&buff)] = 0;
@ -240,7 +225,7 @@ index 23dd873..d56bc56 100644
 }
-@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
   int attrlist;
   char ldap_type_buffer[128];
   char charttl[64];
@ -250,7 +235,7 @@ index 23dd873..d56bc56 100644
   if ((tmp = locate_by_dn (dn)) == NULL)
     {
-@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
 	    fatal("malloc");
 	}
       tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
@ -262,12 +247,8 @@ index 23dd873..d56bc56 100644
 +	tmp->attrs[0]->mod_values = objectClasses;
       else
 	{
-	  tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+ 	  tmp->attrs[0]->mod_values = (char**)topObjectClasses;
-+	  tmp->attrs[0]->mod_values =topObjectClasses;
+@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
 	  tmp->attrs[1] = NULL;
 	  tmp->attrcnt = 2;
 	  tmp->next = ldap_info_base;
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
 	}
       tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -276,7 +257,7 @@ index 23dd873..d56bc56 100644
       tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
       if (tmp->attrs[1]->mod_values == (char **)NULL)
-@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
 	 fatal("strdup");
       tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
@ -285,16 +266,16 @@ index 23dd873..d56bc56 100644
       tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
       if (tmp->attrs[3]->mod_values == (char **)NULL)
-@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
       if (tmp->attrs[3]->mod_values[0] == NULL)
 	 fatal("strdup");
 +      znlen=strlen(gbl_zone);
-+      if ( *(gbl_zone + (znlen-1)) == '.' )
+      if ( gbl_zone[znlen-1] == '.' )
 +      { /* ldapdb MUST search by relative zone name */
 +	  zn = (char*)malloc(znlen);
-+	  strncpy(zn,gbl_zone,znlen-1);
+	  memcpy(zn, gbl_zone, znlen-1);
-+	  *(zn + (znlen-1))='\0';	  
+	  zn[znlen-1]='\0';
 +      }else
 +      {
 +	  zn = gbl_zone;
@ -313,7 +294,7 @@ index 23dd873..d56bc56 100644
       tmp->attrs[4]->mod_values[1] = NULL;
       tmp->attrs[5] = NULL;
-@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type,
+@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
   else
     {
@ -322,7 +303,7 @@ index 23dd873..d56bc56 100644
 	{
 	  sprintf (ldap_type_buffer, "%sRecord", type);
 	  if (!strncmp
-@@ -632,44 +707,70 @@ char **
+@@ -631,44 +700,70 @@ char **
 hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
 {
   char *tmp;
@ -430,7 +411,7 @@ index 23dd873..d56bc56 100644
   dn_buffer[i] = NULL;
   return dn_buffer;
-@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
  * exception of "@"/SOA. */
 char *
@ -439,19 +420,21 @@ index 23dd873..d56bc56 100644
 {
   int size;
 -  int x;
 -  static char dn[1024];
 -  char tmp[128];
 +  int x, znlen;
-   static char dn[1024];
+  static char dn[DNS_NAME_MAXTEXT*3/2];
-   char tmp[128];
+  char tmp[DNS_NAME_MAXTEXT*3/2];
 +  char zn[DNS_NAME_MAXTEXT+1];
   bzero (tmp, sizeof (tmp));
   bzero (dn, sizeof (dn));
   size = get_attr_list_size (dc_list);
 +  znlen = strlen(zone);
-+  if ( *(zone + (znlen-1)) == '.' )
+  if ( zone[znlen-1] == '.' )
 +  { /* ldapdb MUST search by relative zone name */
 +      memcpy(&(zn[0]),zone,znlen-1);
-+      *(zn + (znlen-1))='\0';
+      zn[znlen-1]='\0';
 +      zone = zn;
 +  }
   for (x = size - 2; x > 0; x--)
@ -459,41 +442,48 @@ index 23dd873..d56bc56 100644
     if (flag == WI_SPEC)
     {
       if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
-	sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl);
+-	sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
-+	sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+	snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
       else if (x == (size - 2))
 -	      sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
-+	      sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+	      snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
       else
- 	      sprintf(tmp,"dc=%s,", dc_list[x]);
+-	      sprintf(tmp,"dc=%s,", dc_list[x]);
 +	      snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
     }
-@@ -724,6 +833,7 @@ void
+     else
 init_ldap_conn ()
     {
-   int result;
+-	    sprintf(tmp, "dc=%s,", dc_list[x]);
-+  char ldb_tag[]="LDAP Bind";
+	    snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
-   conn = ldap_open (ldapsystem, LDAP_PORT);
+     }
-   if (conn == NULL)
+ 
-     {
+ 
-@@ -733,7 +843,7 @@ init_ldap_conn ()
+@@ -732,19 +835,18 @@ init_ldap_conn ()
     }
   result = ldap_simple_bind_s (conn, binddn, bindpw);
 -  ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
-+  ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
+  ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
 }
 /* Like isc_result_check, only for LDAP */
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
     }
 }
 -
 -
 /* For running the ldap_info run queue. */
 void
- add_ldap_values (ldap_info * ldinfo)
+-ldap_result_check (const char *msg, char *dn, int err)
-@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo)
+ldap_result_check (const char *msg, const char *dn, int err)
 {
   if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
     {
 -      fprintf(stderr, "Error while adding %s (%s):\n",
 -		      dn, msg);
 -      ldap_perror (conn, dn);
 -      ldap_unbind_s (conn);
 +      fprintf(stderr, "Error while adding %s (%s):\n%s",
 +		      dn, msg, ldap_err2string(err));
 +      ldap_unbind_ext_s (conn, NULL, NULL);
       exit (-1);
     }
 }
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
   int result;
   char dnbuffer[1024];
@ -505,12 +495,14 @@ index 23dd873..d56bc56 100644
   result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
 -  ldap_result_check ("ldap_add_s", dnbuffer, result);
 -}
 +    ldap_result_check ("ldap_add_s", dnbuffer, result);
-+
+ 
- }
+}
-@@ -777,5 +885,5 @@ void
+ 
@@ -776,5 +877,5 @@ void
 usage ()
 {
   fprintf (stderr,
--- a/SOURCES/bind-9.9.1-P2-multlib-conflict.patch
+++ b/SOURCES/bind-9.9.1-P2-multlib-conflict.patch
@ -1,8 +1,8 @@
 diff --git a/config.h.in b/config.h.in
-index e1364dd921..1dc65cfb21 100644
+index 4ecaa8f..2f65ccc 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
+@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
 #undef PREFER_GOSTASN1
 /* The size of `void *', as computed by sizeof. */
@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 diff --git a/configure.in b/configure.in
 index 73b1c8ccbb..129fc3f311 100644
 --- a/configure.in
 +++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
 #include <sys/socket.h>
 #include <netdb.h>
 int getnameinfo(const struct sockaddr *, socklen_t, char *,
 -		socklen_t, char *, socklen_t, unsigned int);],
 +		socklen_t, char *, socklen_t, int);],
 [ return (0);],
 -	[AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
 +	[AC_MSG_RESULT(socklen_t for buflen; int for flags)
 	 AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
 		   [Define to the sockaddr length type used by getnameinfo(3).])
 	 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
 		   [Define to the buffer length type used by getnameinfo(3).])
 -	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
 +	 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
 		   [Define to the flags type used by getnameinfo(3).])],
 [AC_TRY_COMPILE([
 #include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
 [AC_MSG_RESULT(not match any subspecies; assume standard definition)
 AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
 AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
 -AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
 +AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
 #
 # ...and same for gai_strerror().
 diff --git a/isc-config.sh.in b/isc-config.sh.in
-index a8a0a89e88..b5e94ed13e 100644
+index a8a0a89..b5e94ed 100644
 --- a/isc-config.sh.in
 +++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@
--- a/SOURCES/bind-95-rh452060.patch
+++ b/SOURCES/bind-95-rh452060.patch
@ -1,34 +1,34 @@
 diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index f657c30..ff9a2d2 100644
+index c06c804..e75b8b7 100644
 --- a/bin/dig/dighost.c
 +++ b/bin/dig/dighost.c
-@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
+@@ -1816,6 +1816,13 @@ clear_query(dig_query_t *query) {
 	if (query->timer != NULL)
 		isc_timer_detach(&query->timer);
 +
 +	if (query->waiting_senddone) {
 +		debug("send_done not yet called");
-+		query->pending_free = ISC_TRUE;
+		query->pending_free = true;
 +		return;
 +	}
 +
 	lookup = query->lookup;
 	if (lookup->current_query == query)
-@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
+@@ -1841,10 +1848,7 @@ clear_query(dig_query_t *query) {
 	isc_mempool_put(commctx, query->recvspace);
 	isc_buffer_invalidate(&query->recvbuf);
 	isc_buffer_invalidate(&query->lengthbuf);
 -	if (query->waiting_senddone)
-		query->pending_free = ISC_TRUE;
+-		query->pending_free = true;
 -	else
 -		isc_mem_free(mctx, query);
 +	isc_mem_free(mctx, query);
 }
 /*%
-@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
+@@ -2895,9 +2899,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
 	isc_event_free(&event);
 	if (query->pending_free)
--- a/SOURCES/bind93-rh490837.patch
+++ b/SOURCES/bind93-rh490837.patch
@ -1,13 +1,22 @@
-? patch
+diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
-? lib/isc/lex.c.rh490837
+index 1f44b5a..a3625f9 100644
-Index: lib/isc/lex.c
+--- a/lib/isc/include/isc/stdio.h
-===================================================================
+++ b/lib/isc/include/isc/stdio.h
-RCS file: /var/snap/bind9/lib/isc/lex.c,v
+@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f);
-retrieving revision 1.86
+  * direct counterpart in the stdio library.
-diff -p -u -r1.86 lex.c
+  */
--- lib/isc/lex.c	17 Sep 2007 09:56:29 -0000	1.86
+ 
-+++ lib/isc/lex.c	6 Apr 2009 13:24:15 -0000
+isc_result_t
-@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
+isc_stdio_fgetc(FILE *f, int *ret);
 +
 ISC_LANG_ENDDECLS
 #endif /* ISC_STDIO_H */
 diff --git a/lib/isc/lex.c b/lib/isc/lex.c
 index a8955bc..fc6103b 100644
 --- a/lib/isc/lex.c
 +++ b/lib/isc/lex.c
@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 			if (source->is_file) {
 				stream = source->input;
@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c
 						goto done;
 					}
 +
- 					source->at_eof = ISC_TRUE;
+ 					source->at_eof = true;
 				}
 			} else {
-Index: lib/isc/include/isc/stdio.h
+diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
-===================================================================
+index 2f12bcc..5bfd648 100644
-RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
+--- a/lib/isc/unix/errno2result.c
-retrieving revision 1.13
+++ b/lib/isc/unix/errno2result.c
-diff -p -u -r1.13 stdio.h
+@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog,
 --- lib/isc/include/isc/stdio.h	19 Jun 2007 23:47:18 -0000	1.13
 +++ lib/isc/include/isc/stdio.h	6 Apr 2009 13:24:15 -0000
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
  * direct counterpart in the stdio library.
  */
 +isc_result_t
 +isc_stdio_fgetc(FILE *f, int *ret);
 +
 ISC_LANG_ENDDECLS
 #endif /* ISC_STDIO_H */
 Index: lib/isc/unix/errno2result.c
 ===================================================================
 RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
 retrieving revision 1.17
 diff -p -u -r1.17 errno2result.c
 --- lib/isc/unix/errno2result.c	19 Jun 2007 23:47:18 -0000	1.17
 +++ lib/isc/unix/errno2result.c	6 Apr 2009 13:24:15 -0000
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
 	case EINVAL:		/* XXX sometimes this is not for files */
 	case ENAMETOOLONG:
 	case EBADF:
@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c
 		return (ISC_R_INVALIDFILE);
 	case ENOENT:
 		return (ISC_R_FILENOTFOUND);
-Index: lib/isc/unix/stdio.c
+diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
-===================================================================
+index e60fa65..77f0b13 100644
-RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
+--- a/lib/isc/unix/stdio.c
-retrieving revision 1.8
+++ b/lib/isc/unix/stdio.c
-diff -p -u -r1.8 stdio.c
+@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) {
 --- lib/isc/unix/stdio.c	19 Jun 2007 23:47:18 -0000	1.8
 +++ lib/isc/unix/stdio.c	6 Apr 2009 13:24:15 -0000
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
 		return (isc__errno2result(errno));
 }
--- a/SOURCES/bind97-rh478718.patch
+++ b/SOURCES/bind97-rh478718.patch
@ -1,8 +1,8 @@
-diff --git a/configure.in b/configure.in
+diff --git a/configure.ac b/configure.ac
-index 896e81c1ce..73b1c8ccbb 100644
+index 26c509e..c1bfd62 100644
--- a/configure.in
+--- a/configure.ac
-+++ b/configure.in
+++ b/configure.ac
-@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
+@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
 	AC_MSG_RESULT($arch)
 fi
@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644
 	AC_MSG_CHECKING([compiler support for inline assembly code])
 diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
-index 2ff522342f..58df86adb3 100644
+index c902d46..9c7c342 100644
 --- a/lib/isc/include/isc/platform.h.in
 +++ b/lib/isc/include/isc/platform.h.in
-@@ -289,19 +289,25 @@
+@@ -284,19 +284,25 @@
  * If the "xaddq" operation (64bit xadd) is available on this architecture,
  * ISC_PLATFORM_HAVEXADDQ will be defined.
  */
--- a/SOURCES/bind97-rh645544.patch
+++ b/SOURCES/bind97-rh645544.patch
@ -1,7 +1,8 @@
-diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544	2013-08-19 10:30:52.000000000 +0200
+index ecb3ddb..f7f73cd 100644
-+++ bind-9.9.4rc2/lib/dns/resolver.c	2013-09-06 17:58:03.864165823 +0200
+--- a/lib/dns/resolver.c
-@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
+++ b/lib/dns/resolver.c
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
 	 */
 	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
 		      "success resolving '%s' (in '%s'?) after %s",
 		      fctx->info, domainbuf, fctx->reason);
-@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
+@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
 	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
 	isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
 		      "lame server resolving '%s' (in '%s'?): %s",
 		      namebuf, domainbuf, addrbuf);
 }
-@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
+@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
- 	}
+ 	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
 -		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
 +		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
- 		      "DNS format error from %s resolving %s%s%s: %s",
+ 		      "DNS format error from %s resolving %s for %s: %s",
- 		      nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+ 		      nsbuf, fctx->info, fctx->clientstr, msgbuf);
 }
--- a/SOURCES/named-chroot.files
+++ b/SOURCES/named-chroot.files
@ -16,7 +16,9 @@
 /etc/named
 /usr/lib64/bind
 /usr/lib/bind
 /usr/share/GeoIP
 /run/named
 /proc/sys/net/ipv4/ip_local_port_range
 # Warning: the order is important
 # If a directory containing $ROOTDIR is listed here,
 # it MUST be listed last. (/var/named contains /var/named/chroot)
--- a/SOURCES/named-chroot.service
+++ b/SOURCES/named-chroot.service
@ -20,7 +20,7 @@ PIDFile=/var/named/chroot/run/named/named.pid
 ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
-ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
--- a/SOURCES/named-pkcs11.service
+++ b/SOURCES/named-pkcs11.service
@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
 ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
-ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
--- a/SOURCES/named-sdb-chroot.service
+++ b/SOURCES/named-sdb-chroot.service
@ -20,7 +20,7 @@ PIDFile=/var/named/chroot_sdb/run/named/named.pid
 ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
-ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
--- a/SOURCES/named-sdb.service
+++ b/SOURCES/named-sdb.service
@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
 ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
-ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
--- a/SOURCES/named.empty
+++ b/SOURCES/named.empty
@ -0,0 +1,10 @@
 $TTL 3H
@	IN SOA	@ rname.invalid. (
 					0	; serial
 					1D	; refresh
 					1H	; retry
 					1W	; expire
 					3H )	; minimum
 	NS	@
 	A	127.0.0.1
 	AAAA	::1
--- a/SOURCES/named.localhost
+++ b/SOURCES/named.localhost
@ -0,0 +1,10 @@
 $TTL 1D
@	IN SOA	@ rname.invalid. (
 					0	; serial
 					1D	; refresh
 					1H	; retry
 					1W	; expire
 					3H )	; minimum
 	NS	@
 	A	127.0.0.1
 	AAAA	::1
--- a/SOURCES/named.loopback
+++ b/SOURCES/named.loopback
@ -0,0 +1,11 @@
 $TTL 1D
@	IN SOA	@ rname.invalid. (
 					0	; serial
 					1D	; refresh
 					1H	; retry
 					1W	; expire
 					3H )	; minimum
 	NS	@
 	A	127.0.0.1
 	AAAA	::1
 	PTR	localhost.
--- a/SOURCES/named.rfc1912.zones
+++ b/SOURCES/named.rfc1912.zones
@ -0,0 +1,45 @@
 // named.rfc1912.zones:
 //
 // Provided by Red Hat caching-nameserver package 
 //
 // ISC BIND named zone configuration for zones recommended by
 // RFC 1912 section 4.1 : localhost TLDs and address zones
 // and https://tools.ietf.org/html/rfc6303
 // (c)2007 R W Franks
 // 
 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 //
 // Note: empty-zones-enable yes; option is default.
 // If private ranges should be forwarded, add 
 // disable-empty-zone "."; into options
 // 
 zone "localhost.localdomain" IN {
 	type master;
 	file "named.localhost";
 	allow-update { none; };
 };
 zone "localhost" IN {
 	type master;
 	file "named.localhost";
 	allow-update { none; };
 };
 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
 	type master;
 	file "named.loopback";
 	allow-update { none; };
 };
 zone "1.0.0.127.in-addr.arpa" IN {
 	type master;
 	file "named.loopback";
 	allow-update { none; };
 };
 zone "0.in-addr.arpa" IN {
 	type master;
 	file "named.empty";
 	allow-update { none; };
 };
--- a/SOURCES/named.root
+++ b/SOURCES/named.root
@ -0,0 +1,56 @@
 ; <<>> DiG 9.18.20 <<>> -4 +tcp +norec +nostats @d.root-servers.net
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47286
 ;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags:; udp: 1450
 ;; QUESTION SECTION:
 ;.				IN	NS
 ;; ANSWER SECTION:
 .			518400	IN	NS	a.root-servers.net.
 .			518400	IN	NS	b.root-servers.net.
 .			518400	IN	NS	c.root-servers.net.
 .			518400	IN	NS	d.root-servers.net.
 .			518400	IN	NS	e.root-servers.net.
 .			518400	IN	NS	f.root-servers.net.
 .			518400	IN	NS	g.root-servers.net.
 .			518400	IN	NS	h.root-servers.net.
 .			518400	IN	NS	i.root-servers.net.
 .			518400	IN	NS	j.root-servers.net.
 .			518400	IN	NS	k.root-servers.net.
 .			518400	IN	NS	l.root-servers.net.
 .			518400	IN	NS	m.root-servers.net.
 ;; ADDITIONAL SECTION:
 a.root-servers.net.	518400	IN	A	198.41.0.4
 b.root-servers.net.	518400	IN	A	170.247.170.2
 c.root-servers.net.	518400	IN	A	192.33.4.12
 d.root-servers.net.	518400	IN	A	199.7.91.13
 e.root-servers.net.	518400	IN	A	192.203.230.10
 f.root-servers.net.	518400	IN	A	192.5.5.241
 g.root-servers.net.	518400	IN	A	192.112.36.4
 h.root-servers.net.	518400	IN	A	198.97.190.53
 i.root-servers.net.	518400	IN	A	192.36.148.17
 j.root-servers.net.	518400	IN	A	192.58.128.30
 k.root-servers.net.	518400	IN	A	193.0.14.129
 l.root-servers.net.	518400	IN	A	199.7.83.42
 m.root-servers.net.	518400	IN	A	202.12.27.33
 a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
 b.root-servers.net.	518400	IN	AAAA	2801:1b8:10::b
 c.root-servers.net.	518400	IN	AAAA	2001:500:2::c
 d.root-servers.net.	518400	IN	AAAA	2001:500:2d::d
 e.root-servers.net.	518400	IN	AAAA	2001:500:a8::e
 f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f
 g.root-servers.net.	518400	IN	AAAA	2001:500:12::d0d
 h.root-servers.net.	518400	IN	AAAA	2001:500:1::53
 i.root-servers.net.	518400	IN	AAAA	2001:7fe::53
 j.root-servers.net.	518400	IN	AAAA	2001:503:c27::2:30
 k.root-servers.net.	518400	IN	AAAA	2001:7fd::1
 l.root-servers.net.	518400	IN	AAAA	2001:500:9f::42
 m.root-servers.net.	518400	IN	AAAA	2001:dc3::35
--- a/SOURCES/named.root.key
+++ b/SOURCES/named.root.key
@ -0,0 +1,19 @@
 managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (20326) was published in the root zone in 2017.
        # Servers which were already using the old key (19036) should
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
        # being set up for the first time can use the contents of this
        # file as initializing keys; thereafter, the keys in the
        # managed key database will be trusted and maintained
        # automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                R1AkUTV74bU=";
 };
--- a/SOURCES/named.service
+++ b/SOURCES/named.service
@ -15,8 +15,7 @@ PIDFile=/run/named/named.pid
 ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
-
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
 ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
 ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
--- a/SOURCES/trusted-key.key
+++ b/SOURCES/trusted-key.key
@ -1,2 +1 @@
 . 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
 . 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
`@ -1,2 +1 @@`
	`. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=`
	`. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=`	`. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=`