Fedora bind import

Import commit 91d60335005d38c4fa34b1cc3c835a0ec15983ed

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -0,0 +1,224 @@
+bind-9.7.1-P2.tar.gz
+config-8.tar.bz2
+bind-9.7.2b1.tar.gz
+/config-8.tar.bz2
+/bind-9.7.2rc1.tar.gz
+/bind-9.7.2.tar.gz
+/bind-9.7.2-P2.tar.gz
+/bind-9.7.2-P3.tar.gz
+/bind-9.7.3b1.tar.gz
+/bind-9.7.3rc1.tar.gz
+/bind-9.7.3.tar.gz
+/bind-9.8.0rc1.tar.gz
+/bind-9.8.0.tar.gz
+/bind-9.8.0-P1.tar.gz
+/bind-9.8.0-P2.tar.gz
+/bind-9.8.0-P4.tar.gz
+/bind-9.8.1rc1.tar.gz
+/bind-9.8.1.tar.gz
+/bind-9.9.0b1.tar.gz
+/bind-9.9.0b2.tar.gz
+/bind-9.9.0rc1.tar.gz
+/bind-9.9.0rc2.tar.gz
+/bind-9.9.0.tar.gz
+/bind-9.9.1.tar.gz
+/bind-9.9.1-P1.tar.gz
+/bind-9.9.1-P2.tar.gz
+/bind-9.9.1-P3.tar.gz
+/bind-9.9.2.tar.gz
+/bind-9.9.2-P1.tar.gz
+/config-9.tar.bz2
+/config-10.tar.bz2
+/bind-9.9.2-P2.tar.gz
+/bind-9.9.3rc1.tar.gz
+/config-11.tar.bz2
+/bind-9.9.3rc2.tar.gz
+/bind-9.9.3.tar.gz
+/bind-9.9.3-P1.tar.gz
+/bind-9.9.4b1.tar.gz
+/bind-9.9.4rc1.tar.gz
+/bind-9.9.4rc2.tar.gz
+/bind-9.9.4.tar.gz
+/config-12.tar.bz2
+/bind-9.9.5b1.tar.gz
+/bind-9.9.5rc2.tar.gz
+/bind-9.9.5.tar.gz
+/bind-9.9.5-P1.tar.gz
+/bind-9.9.6.tar.gz
+/bind-9.9.6-P1.tar.gz
+/bind-9.10.1b2.tar.gz
+/bind-9.10.1.tar.gz
+/bind-9.10.1-P1.tar.gz
+/bind-9.10.2rc1.tar.gz
+/bind-9.10.2rc2.tar.gz
+/bind-9.10.2.tar.gz
+/config-13.tar.bz2
+/config-14.tar.bz2
+/bind-9.10.2-P1.tar.gz
+/bind-9.10.2-P2.tar.gz
+/bind-9.10.2-P3.tar.gz
+/bind-9.10.3rc1.tar.gz
+/bind-9.10.3.tar.gz
+/bind-9.10.3-P2.tar.gz
+/config-15.tar.bz2
+/bind-9.10.3-P3.tar.gz
+/bind-9.10.3-P4.tar.gz
+/bind-9.10.4-P1.tar.gz
+/bind-9.10.4-P2.tar.gz
+/bind-9.10.4-P3.tar.gz
+/bind-9.10.4-P4.tar.gz
+/bind-9.11.0-P1.tar.gz
+/bind-9.11.0-P2.tar.gz
+/bind-9.11.0-P3.tar.gz
+/bind-9.11.0-P5.tar.gz
+/config-16.tar.bz2
+/bind-9.11.1-P1.tar.gz
+/bind-9.11.1-P2.tar.gz
+/bind-9.11.1-P3.tar.gz
+/bind-9.11.2b1.tar.gz
+/bind-9.11.2.tar.gz
+/config-17.tar.bz2
+/bind-9.11.2-P1.tar.gz
+/bind-9.11.3b1.tar.gz
+/bind-9.11.3.tar.gz
+/config-18.tar.bz2
+/bind-9.11.4rc1.tar.gz
+/bind-9.11.4.tar.gz
+/bind-9.11.4-P1.tar.gz
+/bind-9.11.4-P2.tar.gz
+/bind-9.11.5.tar.gz
+/bind-9.11.5-P1.tar.gz
+/config-19.tar.bz2
+/bind-9.11.5-P4.tar.gz
+/bind-9.11.6.tar.gz
+/bind-9.11.6-P1.tar.gz
+/bind-9.11.7.tar.gz
+/bind-9.11.8.tar.gz
+/bind-9.11.9.tar.gz
+/bind-9.11.10.tar.gz
+/bind-9.11.11.tar.gz
+/bind-9.11.12.tar.gz
+/bind-9.11.13.tar.gz
+/bind-9.11.13.tar.gz.asc
+/bind-9.11.14.tar.gz
+/bind-9.11.14.tar.gz.asc
+/bind-9.11.17.tar.gz
+/bind-9.11.17.tar.gz.asc
+/bind-9.11.18.tar.gz
+/bind-9.11.18.tar.gz.asc
+/bind-9.11.19.tar.gz
+/bind-9.11.19.tar.gz.asc
+/bind-9.11.20.tar.gz
+/bind-9.11.20.tar.gz.asc
+/bind-9.11.21.tar.gz
+/bind-9.11.21.tar.gz.asc
+/bind-9.11.22.tar.gz
+/bind-9.11.22.tar.gz.asc
+/bind-9.11.23.tar.gz
+/bind-9.11.23.tar.gz.asc
+/bind-9.11.24.tar.gz
+/bind-9.11.24.tar.gz.asc
+/bind-9.11.25.tar.gz
+/bind-9.11.25.tar.gz.asc
+/bind-9.11.26.tar.gz
+/bind-9.11.26.tar.gz.asc
+/bind-9.16.1.tar.xz
+/bind-9.16.1.tar.xz.asc
+/bind-9.16.2.tar.xz
+/bind-9.16.2.tar.xz.asc
+/bind-9.16.4.tar.xz
+/bind-9.16.4.tar.xz.asc
+/bind-9.16.5.tar.xz
+/bind-9.16.5.tar.xz.asc
+/bind-9.16.6.tar.xz
+/bind-9.16.6.tar.xz.asc
+/bind-9.16.7.tar.xz
+/bind-9.16.7.tar.xz.asc
+/bind-9.16.8.tar.xz
+/bind-9.16.8.tar.xz.asc
+/bind-9.16.9.tar.xz
+/bind-9.16.9.tar.xz.asc
+/bind-9.16.10.tar.xz
+/bind-9.16.10.tar.xz.asc
+/bind-9.16.11.tar.xz
+/bind-9.16.11.tar.xz.asc
+/bind-9.16.13.tar.xz
+/bind-9.16.13.tar.xz.asc
+/bind-9.16.15.tar.xz
+/bind-9.16.15.tar.xz.asc
+/bind-9.16.16.tar.xz
+/bind-9.16.16.tar.xz.asc
+/bind-9.16.17.tar.xz
+/bind-9.16.17.tar.xz.asc
+/bind-9.16.18.tar.xz
+/bind-9.16.18.tar.xz.asc
+/bind-9.16.19.tar.xz
+/bind-9.16.19.tar.xz.asc
+/bind-9.16.20.tar.xz
+/bind-9.16.20.tar.xz.asc
+/bind-9.16.21.tar.xz
+/bind-9.16.21.tar.xz.asc
+/bind-9.16.22.tar.xz
+/bind-9.16.22.tar.xz.asc
+/bind-9.16.23.tar.xz
+/bind-9.16.23.tar.xz.asc
+/bind-9.16.24.tar.xz
+/bind-9.16.24.tar.xz.asc
+/bind-9.16.25.tar.xz
+/bind-9.16.25.tar.xz.asc
+/bind-9.16.26.tar.xz
+/bind-9.16.26.tar.xz.asc
+/bind-9.16.27.tar.xz
+/bind-9.16.27.tar.xz.asc
+/bind-9.16.28.tar.xz
+/bind-9.16.28.tar.xz.asc
+/bind-9.16.29.tar.xz
+/bind-9.16.29.tar.xz.asc
+/bind-9.16.30.tar.xz
+/bind-9.16.30.tar.xz.asc
+/bind-9.18.0.tar.xz
+/bind-9.18.0.tar.xz.asc
+/bind-9.18.1.tar.xz
+/bind-9.18.1.tar.xz.asc
+/bind-9.18.2.tar.xz
+/bind-9.18.2.tar.xz.asc
+/bind-9.18.3.tar.xz
+/bind-9.18.3.tar.xz.asc
+/bind-9.18.4.tar.xz
+/bind-9.18.4.tar.xz.asc
+/bind-9.18.5.tar.xz
+/bind-9.18.5.tar.xz.asc
+/bind-9.18.6.tar.xz
+/bind-9.18.6.tar.xz.asc
+/bind-9.18.7.tar.xz
+/bind-9.18.7.tar.xz.asc
+/bind-9.18.8.tar.xz
+/bind-9.18.8.tar.xz.asc
+/bind-9.18.9.tar.xz
+/bind-9.18.9.tar.xz.asc
+/bind-9.18.10.tar.xz
+/bind-9.18.10.tar.xz.asc
+/bind-9.18.11.tar.xz
+/bind-9.18.11.tar.xz.asc
+/bind-9.18.12.tar.xz
+/bind-9.18.12.tar.xz.asc
+/bind-9.18.13.tar.xz
+/bind-9.18.13.tar.xz.asc
+/bind-9.18.14.tar.xz
+/bind-9.18.14.tar.xz.asc
+/bind-9.18.15.tar.xz
+/bind-9.18.15.tar.xz.asc
+/bind-9.18.16.tar.xz
+/bind-9.18.16.tar.xz.asc
+/bind-9.18.17.tar.xz
+/bind-9.18.17.tar.xz.asc
+/bind-9.18.18.tar.xz
+/bind-9.18.18.tar.xz.asc
+/bind-9.18.19.tar.xz
+/bind-9.18.19.tar.xz.asc
+/bind-9.18.20.tar.xz
+/bind-9.18.20.tar.xz.asc
+/bind-9.18.21.tar.xz
+/bind-9.18.21.tar.xz.asc
+/bind-9.18.24.tar.xz
+/bind-9.18.24.tar.xz.asc

Changes.md

@@ -0,0 +1,43 @@
+# Significant Changes in BIND9 package
+
+## BIND 9.16
+
+### New features
+
+- *libuv* is used for network subsystem as a mandatory dependency
+- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy
+  ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP)))
+- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors*
+- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format
+- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output
+
+### Feature changes
+
+- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together.
+- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default
+- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default).
+  Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed.
+- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them
+
+### Features removed
+
+- *dnssec-enable* option is obsolete, DNSSEC support is always enabled
+- *dnssec-lookaside* option is deprecated and support for it removed from all tools
+- *cleaning-interval* option is removed
+
+### Upstream release notes
+
+- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10)
+- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0)
+
+## BIND 9.14
+
+- single thread support removed. Cannot provide *bind-export-libs* for DHCP
+- *lwres* support completely removed. Both daemon and library
+- common parts of daemon moved into *libns* shared library
+- introduced plugin for filtering aaaa responses
+- some SDB utilities no longer supported
+
+### Upstream release notes
+
+- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)

README.md

@@ -0,0 +1,33 @@
+# BIND 9
+
+[BIND (Berkeley Internet Name Domain)](https://www.isc.org/downloads/bind/doc/) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+Internet Systems Consortium
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
+corporation dedicated to providing software and services in support of the
+Internet infrastructure, developed BIND 9 and is responsible for its
+ongoing maintenance and improvement.
+
+More details about upstream project can be found on their
+[gitlab](https://gitlab.isc.org/isc-projects/bind9). This repository contains
+only upstream sources and packaging instructions for
+[Fedora Project](https://fedoraproject.org).
+
+## Subpackages
+
+The package contains several subpackages, some of them can be disabled on rebuild.
+
+* **bind** -- *named* daemon providing DNS server
+* **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host)
+* **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*.
+* **bind-license** -- Shared license for all packages but bind-export-libs.
+* **bind-libs** -- Shared libraries used by some others programs
+* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL`
+
+
+## Optional features
+
+* *GSSTSIG* -- Support for Kerberos authentication in BIND.
+* *LMDB* -- Support for dynamic database for managing runtime added zones. Provides faster removal of added zone with much less overhead. But requires lmdb linked to base libs.
+* *DLZ* -- Support for dynamic loaded modules providing support for features *bind-sdb* provides, but only small module is required.

bind-9.11.12.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMooACgkQdLtrmky7
+PThv2RAAnXNLYTzXtH6ls29tRm5Hc+D6UaeqcWDNQ4BpkRVhrFxtukalGCi9mmB6
+NPJzFyXmaOW654pypCIuEgqJNFUpDtLzLzT7SUF+mhm+5plsaRSBnh4mq87l5KSp
+twODAPnfCJV+HBk5RmToLEstAbGQ7xEBTyQtZoFkY+V7zEFwENKiCvWsoSWOkYR3
+zXo3sKjc83HV9ShbW/mCtbZf5L0qlbrKOAzqJfAFMhNNJi8kMbmr/Zi2sIfN+Rhv
+g8HQo89Epv6r51yAdeED8idIX4rKjjcEtHrZeDmLdCcdHgSEj2sIlH92Joce6vL0
+S59A0rItIXm6fW8sz6WNpcj4tVtWYbIYjXZ4SPFNkaUrHv8cUekq+5vbI+v07Gh3
+2bhtDsDyTY5I1/AsY/EFmwkCAjUS00jZryBnuJpLB3v5JtUog4ek32yLBzPrqRBo
+1876j4nlXAia8mG0OgJNWZ0gHyUPe/TgfR8fQDLmHxHHlKrJNTEwY6bLW8jzFTX1
+zk510fI1K7J9tiQgf5wcBQ2h3EBlqzDNIJDovoATzLYIf0HKyVegh/vnQdtdEhUR
+1DzJAt3bsBfAP1AFfWPD/ACu5Zdm7SxY1wE/pjkwttDU3sRZqOfuwNBGeolu3cVN
+O9/h1zsyVeVS0ui2vu4+V4EvNitmXsVbG2doDq9L5yBiIKGO2Ew=
+=GCy6
+-----END PGP SIGNATURE-----

bind-9.14.7.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMpEACgkQdLtrmky7
+PTh/sg//QbNRAQvADQfwF1PPo+JxB+3WzQ9oJAWeHbOoiubwkUwO9xE+BEnTNd5o
+oM1lSLqFxNykOTaoeJlqPftPod1cxo7lSzkwflugGyB/59wliCpqCg053YV4x9mO
+QggvA/E50+0FI/Om/7v4GHGADu/JE83FovOueWAB0LgqfDSD6QFcNFF9sUJJ4P7r
+FcEXSWj8QbrHMWBKncZUOpD2ECotvtrYmi0DTHl1XfigESDQpWtsnTFuabCCsvkh
+ch9wQRplAes2Mf/aS5tl1y0QKKBFuEjtGiTdgrDl6o9GLnx6CueX5saZehu2EVkr
+fq2vEYUC2lRQSjuxSMMJ3L0TGUcl7+ixlAIISS2K9L5Xx7MhBXt/EH5KiKPfsEet
+3EH+DhxV5uXjDU7MgvREnxT+ssV23e0HWTz4tVVQ9LpvYmWPIgLcSOhHCc57yoQF
+c46V0f69dMWbMAlQ93EZSG274ZvpIszpK8+3hGI3/TuDFFgiQJeJJBFVtYJMle69
+3mEEclfzO7fBiXZFec6nVx2309bL64bafN7zszPKXl4XgoefOfD0v0eWqQT4fxfm
+dnGC0qMqSZs5F+d0fISV5JUUNYzt9PZjvnzqLLGOeTF6l3/n9G1mmNsXcxJ1OEIF
+6qh1oO7JTPjt0MFhKac4QjNQi/Bnp25O3I/PRyWZCbiwXkyvyQU=
+=ZT7s
+-----END PGP SIGNATURE-----

bind-9.16-redhat_doc.patch

@@ -0,0 +1,66 @@
+From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 17 Jun 2020 23:17:13 +0200
+Subject: [PATCH] Update man named with Red Hat specifics
+
+This is almost unmodified text and requires revalidation. Some of those
+statements are no longer correct.
+---
+ bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/bin/named/named.rst b/bin/named/named.rst
+index ea440b2..fa51984 100644
+--- a/bin/named/named.rst
++++ b/bin/named/named.rst
+@@ -212,6 +212,47 @@ Files
+ |named_pid|
+    The default process-id file.
+ 
++Notes
++~~~~~
++
++**Red Hat SELinux BIND Security Profile:**
++
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities . See the selinux(8) man page
++for information about SElinux.
++
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++
++*With this extra security comes some restrictions:*
++
++By default, the SELinux policy does not allow named to write any master
++zone database files. Only the root user may create files in the $ROOTDIR/var/named
++zone database file directory (the options { "directory" } option), where
++$ROOTDIR is set in /etc/sysconfig/named.
++
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context *named_zone_t* .
++
++By default, SELinux prevents any role from modifying *named_zone_t* files; this
++means that files in the zone database directory cannot be modified by dynamic
++DNS (DDNS) updates or zone transfers.
++
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
++*/var/named/data*. By placing files you want named to modify, such as
++slave or DDNS updateable zone files and database / statistics dump files in
++these directories, named will work normally and no further operator action is
++required. Files in these directories are automatically assigned the '*named_cache_t*'
++file context, which SELinux allows named to write.
++
++
+ See Also
+ ~~~~~~~~
+ 
+-- 
+2.34.1
+

bind-9.18-unittest-netmgr-unstable.patch

@@ -0,0 +1,75 @@
+From 0f3a398fe813189c5dd56b0367a72c7b3f19504b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 14 Sep 2022 13:06:24 +0200
+Subject: [PATCH] Disable some often failing tests
+
+Make those tests skipped in default build, when CI=true environment is
+set. It is not clear why they fail mostly on COPR, but they do fail
+often.
+---
+ tests/isc/netmgr_test.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c
+index 94e4bf7..7f9629c 100644
+--- a/tests/isc/netmgr_test.c
++++ b/tests/isc/netmgr_test.c
+@@ -1567,13 +1567,13 @@ stream_half_recv_half_send(void **state __attribute__((unused))) {
+ /* TCP */
+ ISC_RUN_TEST_IMPL(tcp_noop) { stream_noop(state); }
+ 
+-ISC_RUN_TEST_IMPL(tcp_noresponse) { stream_noresponse(state); }
++ISC_RUN_TEST_IMPL(tcp_noresponse) { SKIP_IN_CI; stream_noresponse(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_timeout_recovery) { stream_timeout_recovery(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_one) { stream_recv_one(state); }
+ 
+-ISC_RUN_TEST_IMPL(tcp_recv_two) { stream_recv_two(state); }
++ISC_RUN_TEST_IMPL(tcp_recv_two) { SKIP_IN_CI; stream_recv_two(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_send) {
+ 	SKIP_IN_CI;
+@@ -1623,6 +1623,7 @@ ISC_RUN_TEST_IMPL(tcp_recv_one_quota) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_two_quota) {
++	SKIP_IN_CI;
+ 	atomic_store(&check_listener_quota, true);
+ 	stream_recv_two(state);
+ }
+@@ -1836,6 +1837,7 @@ ISC_RUN_TEST_IMPL(tcpdns_recv_two) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+ 	isc_nmsocket_t *listen_sock = NULL;
+ 
++	SKIP_IN_CI;
+ 	atomic_store(&nsends, 2);
+ 
+ 	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+@@ -2095,6 +2097,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tls_recv_two) {
++	SKIP_IN_CI;
+ 	stream_use_TLS = true;
+ 	stream_recv_two(state);
+ }
+@@ -2160,6 +2163,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one_quota) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tls_recv_two_quota) {
++	SKIP_IN_CI;
+ 	stream_use_TLS = true;
+ 	atomic_store(&check_listener_quota, true);
+ 	stream_recv_two(state);
+@@ -2395,6 +2399,7 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_two) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+ 	isc_nmsocket_t *listen_sock = NULL;
+ 
++	SKIP_IN_CI;
+ 	atomic_store(&nsends, 2);
+ 
+ 	result = isc_nm_listentlsdns(listen_nm, &tcp_listen_addr,
+-- 
+2.37.2
+

bind-9.5-PIE.patch

@@ -0,0 +1,17 @@
+diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
+index 57a023b..085f2f7 100644
+--- a/bin/named/Makefile.am
++++ b/bin/named/Makefile.am
+@@ -32,9 +32,12 @@ AM_CPPFLAGS +=				\
+ endif HAVE_LIBXML2
+ 
+ AM_CPPFLAGS +=						\
++	-fpie                                           \
+ 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
+ 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+ 
++AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
++
+ sbin_PROGRAMS = named
+ 
+ nodist_named_SOURCES = xsl.c

bind.tmpfiles.d

@@ -0,0 +1 @@
+d /run/named 0755 named named -

bind97-exportlib.patch

@@ -0,0 +1,226 @@
+diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
+diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
+--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/dns/Makefile.in	2013-05-13 10:45:22.574089729 +0200
+@@ -35,9 +35,9 @@ CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_
+ 
+ CWARNINGS =
+ 
+-ISCLIBS =	../isc/libisc.@A@
++ISCLIBS =	../isc/libisc-export.@A@
+ 
+-ISCDEPLIBS =	../isc/libisc.@A@
++ISCDEPLIBS =	../isc/libisc-export.@A@
+ 
+ LIBS =		@LIBS@
+ 
+@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libdns.@SA@: ${OBJS}
++libdns-export.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libdns.la: ${OBJS}
++libdns-export.la: ${OBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ 
+-timestamp: libdns.@A@
++timestamp: libdns-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
+ 	${DESTDIR}${export_libdir}/
+ 
+ clean distclean::
+-	rm -f libdns.@A@ timestamp
++	rm -f libdns-export.@A@ timestamp
+ 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ 	rm -f include/dns/rdatastruct.h
+ 
+diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
+--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/irs/Makefile.in	2013-05-13 10:45:22.575089729 +0200
+@@ -43,9 +43,9 @@ SRCS =		context.c \
+ 		gai_sterror.c getaddrinfo.c getnameinfo.c \
+ 		resconf.c
+ 
+-ISCLIBS =	../isc/libisc.@A@
+-DNSLIBS =	../dns/libdns.@A@
+-ISCCFGLIBS =	../isccfg/libisccfg.@A@
++ISCLIBS =	../isc/libisc-export.@A@
++DNSLIBS =	../dns/libdns-export.@A@
++ISCCFGLIBS =	../isccfg/libisccfg-export.@A@
+ 
+ LIBS =		@LIBS@
+ 
+@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libirs.@SA@: ${OBJS} version.@O@
++libirs-export.@SA@: ${OBJS} version.@O@
+ 	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+ 	${RANLIB} $@
+ 
+-libirs.la: ${OBJS} version.@O@
++libirs-export.la: ${OBJS} version.@O@
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
+ 
+-timestamp: libirs.@A@
++timestamp: libirs-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \
+ 	${DESTDIR}${export_libdir}/
+ 
+ clean distclean::
+-	rm -f libirs.@A@ libirs.la timestamp
++	rm -f libirs-export.@A@ libirs-export.la timestamp
+diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
+--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in	2013-05-13 10:45:22.576089729 +0200
+@@ -30,11 +30,11 @@ CINCLUDES =	-I. ${DNS_INCLUDES} -I${expo
+ CDEFINES =
+ CWARNINGS =
+ 
+-ISCLIBS =	../isc/libisc.@A@
+-DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
++ISCLIBS =	../isc/libisc-export.@A@
++DNSLIBS =	../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
+ 
+ ISCDEPLIBS =	../../lib/isc/libisc.@A@
+-ISCCFGDEPLIBS =	libisccfg.@A@
++ISCCFGDEPLIBS =	libisccfg-export.@A@
+ 
+ LIBS =		@LIBS@
+ 
+@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libisccfg.@SA@: ${OBJS}
++libisccfg-export.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libisccfg.la: ${OBJS}
++libisccfg-export.la: ${OBJS}
+ 	 ${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
+ 
+-timestamp: libisccfg.@A@
++timestamp: libisccfg-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \
+ 	${DESTDIR}${export_libdir}/
+ 
+ clean distclean::
+-	rm -f libisccfg.@A@ timestamp
++	rm -f libisccfg-export.@A@ timestamp
+diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
+--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/isc/Makefile.in	2013-05-13 10:45:22.576089729 +0200
+@@ -100,6 +100,10 @@ SRCS =		@ISC_EXTRA_SRCS@ \
+ 
+ LIBS =		@LIBS@
+ 
++# Note: the order of SUBDIRS is important.
++# Attempt to disable parallel processing.
++.NOTPARALLEL:
++.NO_PARALLEL:
+ SUBDIRS =	include unix nls @ISC_THREAD_DIR@
+ TARGETS =	timestamp
+ 
+@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libisc.@SA@: ${OBJS}
++libisc-export.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libisc.la: ${OBJS}
++libisc-export.la: ${OBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${LIBS}
+ 
+-timestamp: libisc.@A@
++timestamp: libisc-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
+ 	${DESTDIR}${export_libdir}
+ 
+ clean distclean::
+-	rm -f libisc.@A@ libisc.la timestamp
++	rm -f libisc-export.@A@ libisc-export.la timestamp
+diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
+--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/samples/Makefile.in	2013-05-13 10:45:22.577089729 +0200
+@@ -31,15 +31,15 @@ CINCLUDES =	-I${srcdir}/include -I../dns
+ CDEFINES =
+ CWARNINGS =
+ 
+-DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+-ISCLIBS =	../isc/libisc.@A@
+-ISCCFGLIBS =	../isccfg/libisccfg.@A@
+-IRSLIBS =	../irs/libirs.@A@
++DNSLIBS =	../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
++ISCLIBS =	../isc/libisc-export.@A@
++ISCCFGLIBS =	../isccfg/libisccfg-export.@A@
++IRSLIBS =	../irs/libirs-export.@A@
+ 
+-DNSDEPLIBS =	../dns/libdns.@A@
+-ISCDEPLIBS =	../isc/libisc.@A@
+-ISCCFGDEPLIBS =	../isccfg/libisccfg.@A@
+-IRSDEPLIBS =	../irs/libirs.@A@
++DNSDEPLIBS =	../dns/libdns-export.@A@
++ISCDEPLIBS =	../isc/libisc-export.@A@
++ISCCFGDEPLIBS =	../isccfg/libisccfg-export.@A@
++IRSDEPLIBS =	../irs/libirs-export.@A@
+ 
+ DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+ 

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

codesign2019.txt

@@ -0,0 +1,252 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: GPGTools - http://gpgtools.org
+
+mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
+r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
+pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
+yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
+ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
+/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
+qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
+UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
+SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
+o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
+LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
+EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
+1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
+tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
+5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
+Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
+JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
+hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
+xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
+gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
+pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
+vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
+6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ
+lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ
+yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+
+Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94
+1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV
++JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS
+Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6
+0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg
+bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3
+/EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM
+gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b
++C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624
+9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf
+SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw
+XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs
+NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29
+ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU
++BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd
+0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk
+X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m
++8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2
+8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6
+fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i
+P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg
+9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU
+ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa
+FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE
+zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb
+9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr
+c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm
+Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ
+LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0
+dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L
+Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu
+EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX
+TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA
+JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM
+uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S
+Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5
+rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq
+iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo
+Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3
+w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA
+9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3
+EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9
+8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT
+VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs
+puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB
+EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1
++7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK
+7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza
+md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg
+KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB
+kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV
+uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT
+1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C
+j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn
+riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z
+PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm
+FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7
+PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft
+XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd
+1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT
+wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL
+dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi
+oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT
+5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA
+Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX
+zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1
+uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ
+R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j
+V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz
+I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy
+NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7
+QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+
+LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C
+aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR
+Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq
+A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7
+AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d
+r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34
+c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC
+mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg
+ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax
+iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH
+Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg
+QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN
+wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z
+1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb
+IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh
+wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9
+/S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3
+S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw
+/D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ
+/AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd
+FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf
+rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi
+BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA
+fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII
+8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI
+Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7
+Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO
+irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97
+GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/
+Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97
+ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp
+lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+
+cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V
+87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL
+JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh
+AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi
+4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra
+QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf
+h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6
++TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id
+37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ
+5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH
+H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c
+zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P
+96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC
+B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi
+/z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H
+0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/
+EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH
+NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL
+cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE
+VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5
+Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw
+kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9
+OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360
+tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky
+pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb
+xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h
+hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe
+P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h
+5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy
+wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl
+uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s
+wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS
+h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L
+J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0
+1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq
+hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN
+8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G
+CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09
+rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb
+sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh
+GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2
+5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy
+0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq
+z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ
+sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d
+8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx
+te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz
+EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo
+p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2
+HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB
+hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT
+4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3
+MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy
+vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v
+fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2
+qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4
+QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF
+CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK
+eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG
+2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP
+rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB
+ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD
+L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I
+wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr
+SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a
+sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO
+SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd
+Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m
+PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x
+LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c
+aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh
+AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD
+3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb
+x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76
+gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6
+NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi
+BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu
+AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq
+BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2
+cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc
+W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW
+vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0
+s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K
+yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt
+nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l
+NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3
+LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M
+yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6
+0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu
+76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX
+tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY
+AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7
+a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ
+F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H
+TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO
+y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT
+94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B
+0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5
+eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8
+k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku
+PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r
+pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki
+0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i
+6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+
+I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm
+++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd
+CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f
+ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy
+rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey
+WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC
+hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT
+uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT
+RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+
+XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT
+nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0=
+=MkGo
+-----END PGP PUBLIC KEY BLOCK-----

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+
+#gating rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}

generate-rndc-key.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ -r /etc/rc.d/init.d/functions ]; then
+	. /etc/rc.d/init.d/functions
+else
+success() {
+	echo $" OK "
+}
+
+failure() {
+	echo -n " "
+	echo $"FAILED"
+}
+fi
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then
+  echo -n $"Generating /etc/rndc.key:"
+  if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
+  then
+    chmod 640 /etc/rndc.key
+    chown root:named /etc/rndc.key
+    [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+    success $"/etc/rndc.key generation"
+    echo
+  else
+    rc=$?
+    failure $"/etc/rndc.key generation"
+    echo
+    exit $rc
+  fi
+fi

isc-keyblock.asc

@@ -0,0 +1,175 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGNjen4BEADDHiUVNbkFtiKPaMWjKxbKmF1nmv7XKjDhwSww6WFiGPbQyxNM
+r8EHlEJx5kMT67rx0IYMhTLiXm/9C4dGYyUfFWc35CGetuzstzCNkwJs7vZAhEyk
++06CX4GFiHPOmWIupGCxFkNz1Qopz3ZePMlZRslVCHzW4dbg5NKLI0ojXlNaTDU5
+mgUXpsPi/6l6QE6q3ouvmWPF4u71cZ1+W4UkIRAXOlbVsDzGaMaoHjJd8cOM8DrZ
+gKHACNPjzqOvEujXDC2vyKw6XpxR+pHz0QcrRtlKnVhPNiKcDfw2mJJ5zxi9uSDc
+dh5FomMn9sS4gy2Tub2urELnPf9xnURftRGG3VO6nZc81ufQB4s1BNT2ny0Uhx5V
+mXUJwefMypMBfAvWCWBCeyWYtBeo7LT3NmtLq3oVGPfl7+a0ToFAYeghspK8/nOX
+6/fqF1MEtzvWjXljz6K7FSDYSY9AoaESLHGwCo6dtff5S7f1+l6PCUNo6aM/B5Ke
+SIAN9Lm6z2iVuy9Lukw+5IRoRKHHV4rJauPtDeYoWnNiSd7Q4vFtotUIjRpDARpm
+xWS711Q2T+knHFLEiU8QzxjLhOnTzh4n9dDLHCkOY5WM5krldVeL5EuTyPKinuSn
+oE01A7I4IGJp753CshibxjNYDiEOVeK93R38Y543edlIrYxnfyMVsiqPkwARAQAB
+tDRNaWNoYcWCIEvEmXBpZcWEIChDb2RlLVNpZ25pbmcgS2V5KSA8bWljaGFsQGlz
+Yy5vcmc+iQJOBBMBCgA4FiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmNjen4CGwMF
+CwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQUQpkKgbFLOwiLxAAjYuI4JQ8mPq7
+YrV9m4tu+jOKvoKfpjct2Rh02n/X3ChOgrdcXU898eH56tRk8Mv/E+cBTPN9zQn6
+rLprbYR2t2R+zgvuUZWA8In7aewoPIJw8OdlG0gTK9m3VHJIOhIX07qcFttSZw4m
+4rEU5mdxi9FatBWBzqnVm4Pn577aqRXK908j+6TvgWbZ6Cq0tw3syVT4kGj+93+P
+uIQQQkTYN8UDQPsAKzfzkbQC9I5YXBKUoB9CfhXig8V9N75R0gsWkJ8Vy/8wsPXT
+9/EPIIzhnhSuUIjvvBPbLGrzDgbhrfUQ/QVuXDVN8xl3rAWM/tiNGOnmzoYORyM5
+ftrnCDIaO4aVKR6rtEzfdQa5Kid1StfhFien/U8jYErxkEn2HRt2gVEX5nYq31T+
+0jgVode2Dzkm4+HKHmfOYsQeC07Mu6wZw9raNYqFjTcfh0ajFpLIT3j2YqOJE2jy
+KbcveJcy2NiOiUl13exIZuBkZm0wEVbvgVX1PlgL3GJqnbU/Q+maRTb8FBoQVsOd
+GIm7U/phU91qR+00SkOcp2LgHCCNKrmHXgiBNYBbInNIp6ze3bFvfKTRFn8WdY9v
+Z7vNfKar8rt90mpjYG9qMhmvh4E9icfp3wRUtOwyi7VVtVTTUq0iFTe2C0m0v6KW
+XcDwwwaTbl79BOqOH3Gp1flS2ECBsyiZAg0EY2N8xQEQAMWcyZbpxEyefX4JTszG
+ocpz8C8yqvZJQUfoDK5AecQWR7OegPkIqwJcHEH5cz+MduklXNQdra/snn6pxGig
+At3xCwfzRTH/aYXdjcjnma1elzZSTgk6Maw4zR/W9wea2DcUtMCcsys0gviN/VUe
+Aqt+5pmhy2PlEWfJG+Mzyrqgz3Q8hRyAJAKONAwNhs1A4ZqQX/6iuCkJbH1CBeoW
++c+5qJHYEXsx25qR1yiKOFo5b90QOcwaebUq+xKQRlnESn75FTgDjDfDm9BqrHcn
+Tv79kOuIN5vhz4BCsuo5QbNu4RGrs/1VSTPvMf5AN7xs9pYNMAEde7pSF1Ps3B5p
+CE6iUw9L53ytV4iJQKXpzG29LofUu65YQjIXPgK7NbBO7FUHA41YbSfoWiOAjfMh
+iE025YM2+RPQh/Nrc3PqBj4h21ycT+d8eEXKfc/okbVFFE9dKS1hUwKgSrs7baOG
+CBZdpiB+t3jWrr8UrteALab7v0rndco3QKOe9U3f+Gm3MdgLK1TGiRgpdyiIXEel
+J7zhsdoYEvaKMgUOjhf+COdlf8b9ITg93mDKe8h0OcpirCXw4O2ma3sklabzZKZf
+CPhhja6Ro5gmO5pxaLau+esQWNrjEikynNIs+GRphtcFsVVH+ww26mR0nI65Llgv
+kb4+DrbDGSPP6R/C2q/LMLM1ABEBAAG0ME1pY2hhbCBOb3dhayAoQ29kZS1TaWdu
+aW5nIEtleSkgPG1ub3dha0Bpc2Mub3JnPokCTgQTAQoAOBYhBNmczq+Hl0cBTwON
+YxguI1eUYu+qBQJjY3zFAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBgu
+I1eUYu+q9IAP/j/GGneuvjwbXdATiQAmkiFlOxjs+SsO/hgA/mmWcm+Kpg4cAlbP
+C2xEDa6biJyZ8TmLZEqPNrRm/umiisC8JnIJpIbInn42n4aDCRDW35lrYGdnP1Ft
+fexnEOWAJBDRVvh9OnfRfvf+HLFfLFl40b/15YzkTYGIfrMR9y8zalkzXxsVNsyr
+9Eq2pmYR7BT2z8d/9SAVuh8D3qgUylIgcFcCFJodsrI4zJSpIMfMntwVsZxDlis8
+JVFN8/pfhuBBe6vjqX/cGJnj6OL3T12jvvniv13W3rar2Ocm6XA9j1t5TZNhKqAy
+azAKu52NtdJjh25B6C/H+haXAX1eduCCE74uSarqS3F1wf6JI3p8fnWzk4hZNzxp
+nZjIk3vrHNjE4jXTZosXCf5DoVRfMpNbxj3YEnXV+kNZQRYPPatUPgFYbxz91hbN
+tHyCiy0GmTyf0QId8LTc0y9mPtP9QureJJ6rL8lt7pvXyrYglqhxDgRhJIGKMKdw
+0bQtTEF4tyNzC4/sg4/omAGH66clhXlqMmuUjHSUiQyA4LL1mJl63Q+bwqXX4B8t
+898tSUmb4Jmg3jLZ3Z9Hl7H8Sp3yYPOLzb2YUF6w3xFsUrNNzVxHFo8tAtEhtEfX
+D+ypkowZq8g41WqMlOBrrzQFuExUSXckH2Cn97lV6lkBoueqxP+Zv0bbmQINBGNj
+qIkBEADDw/CKszyuFKpVp4Z26rKJ3ooOlp8p9a+fmfuknPtMjJMSX8xK8pOlK739
+K83yvDRUidT4+R9IAUKM7TqGA0hoPZmZQLiK0YLlAAXufKxO9IsDZI/7DuF2d8fu
+usKQfS4oJC/IbzOAVwgwodnvKhttLWutT09GxiHrnfVPu6Uf4A+GWtrcTIWhXuxE
+m7+16ToxBOTLtQ3hh79/RndUuM0ldKRRzJUzASGIPmdQJDLCKgSSeaGjZAdq6gkl
+qT/K/R8eoLWSOaBRq8lBE1k7Tq4nSwthMHtCQq4+vxFWH3VF9hwy6ixccROPqt9s
+fNfJK3KF4KGhfejMuVn/Lxp1v+Ne2DsdnVofFakAbBMpMyauzAyXPncYSfFhzLBD
+kkn7THkfRznmHD8ux89kV534EyqYLjAy8AAD6zNc3tSYgfC0UUw7yz05Sl/eV9Xc
+pbezu2ipONlXko8jpCQiiHck599cy+StrjjYPwcHF5m8uUlNnzHoUj8qsoK5SA8u
+RnTW2I4DFbL0+x8eL7gmNQYFdMaA4azogtaTFWgPL2jPJ3B+/bUfHDZflvR0FB5+
+OD/QHsDv4SB6uX8TOhGbFsHpt7E0scb2U9B8gQeQQJZ3jmcIRp+K18mjYh/ErDFW
+23ixBe7h3tn2MGUTOhv1ibOYDE3GYBuGLQiom6yhCs8zrneuAQARAQABtDFXbG9k
+ZWsgV2VuY2VsIChDb2RlLVNpZ25pbmcgS2V5KSA8d2xvZGVrQGlzYy5vcmc+iQJO
+BBMBCgA4FiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmNjqIkCGwMFCwkIBwMFFQoJ
+CAsFFgIDAQACHgECF4AACgkQel4ITKylGIRk9g//XrvOYy9zQkpo4Dkol8yLxr99
+Dq9Ur2v8F5Ba4za4QdUxeYrlq8J827mkUqMtnlyb/+3zSMy2I6HAI8QxlDZL5K0g
+Gm7iLrwVTM8nAQiNU5vAe4D6PeO5ATBEvRdAUTQGz4xeaTrUXbmNUSC1dZEPvH1z
+Fa/Z1WZoy9GLeuWDXix6OXTP8FlQWUTL4/ILLtfJDsWCCX7efkyfnvad8Ye2NfU9
+tBjRX5QQ0Dpvgpr8/7El44XcmaHxPWEiq8X2p/d6j3nU/7LspUXRu3ptu5Q2RqMM
+iRDZme2c8zieHETpC7m5sshzGxRtT5jWEtZ6V37On5DNTObvXCiaGV95qgiHi5VG
+s3MFD3QSo1jJI951k68UM8V+OnzbJGN7TezZ3fTn5Pwdd4C4035QMl0E5NXCcXc8
+9d+3DeFmewRRGCaOKPuO/jFPLWcwMlQqp5tkNx8LpqEZfD7/t6FrSvDUsUDU8Rn0
+TQILnUZioO68HmeuJbhKaUCMuZGjBIbBqviiufFRiJuEFOVKADQ1u/P5ct/0T/gE
+JAho3aubzdYMH5DLsaw03W5KfOjeTLW10zSmSK65wnR6fdwlo5l/Sg6Z63QXD+/H
+/OIFgzviJkyoh6MkH55z2K8BDWbhOmaUBjNAcQEXV1KyHeLDkQ+TJfLjctv4KIpv
+D7i6kNIp1b6OSdDS9W+ZAg0EY2OzdwEQAMRWPO237ohaXNpKO+dw1qkfOYYisiTQ
+yfkT7BG0Xvu8jxeOdRuvUzzplgOfwWhOQkyEEXd205/PpwReeeRwhiu0BDSrzYGM
+KZdw9Bw4enoaOinf5WTqM76mc5WUYfvDJIiHies+ANxj4EqTzvSif9hxvvzrbKYV
+lHdaGtLm40D6yZSzDEe3X49DmEABM4g/Bs7NfVJcJ3LtLo6qbLy2tKEgNPW+VN/s
+harufucxnH5HM6BUUOGZx8L04UCNJu+jvZ0zjLc5DqubNO1526kZclAo94DfTkb+
+ir9nxKn7RkdcseibeYPdeIh3le6aU6M0KhTJs3RCxaQF9At08Vrrkh+wkK2Jr5QW
+bs8cHpEJ+Q7BwDuAQetFi94eq7Sswh4mjhJ6ZnFCx8v9EbQnvL76afMbhZOezpaQ
+aAwXVuIio2fsJpHfxWnXb93H1QKiOQdBZZLQGowcFQCqAWg7h2FwWWbKMV1smGHr
+/28tLZtk/4aSCd9cZ9+nofFPPemPLbYwnBECIZN21QKZ2oBXKxb3hchy4EBTKWtC
+G/fbTsjSfTCUpMNZ57HO3rGXchjSdIf+tTGJpAqWkTcXuhWXBMWPK6/2REk/DKis
+XHugHg9R9hqGs2DaMpGh5NrOLly9+0dsjU15iTQucXbCS9895bRtmDjIN8dLSo9H
+6DDw4yO7SHTlABEBAAG0NE1hcmNpbiBHb2R6aW5hIChDb2RlLVNpZ25pbmcgS2V5
+KSA8bWdvZHppbmFAaXNjLm9yZz6JAk4EEwEKADgWIQQJCioHkj+SW1dngDpC5d94
+yDJx2wUCY2OzdwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBC5d94yDJx
+29U0D/41C8WaGEphQW1N5lT/1284qiPuz3w3iSciAAoAe8iHUGBcSNpAWQmWvWXI
+buKb92Gtt8JtSOHwQj8qiHjqRsUu02t/tEgQMQUq6p2jqbxODJfHR8oMFMMB0i0I
+RgKtEQeq5wRJpVtH+zIFSl9PorsJtHHfhVbqxvE/axcNKa+WaqZdHuKMqADupQEw
+6rD7yYVX6YPiHxMhba2AAAoHT/3VpHC0JidZ5BWGwkfnGbV1/7O91GHfJx6KN/AK
+DKb5hFl4TrieDLJzphBWg0y4FJ4K7WSIKvcT2cLel9f9pHV6ysqSZWkCbkjkaVIi
+LyoA0o7l263WU0D5oG2ihW6Pa2YrWHDDjfTem+kOEFsMjN+Gw74I4KWUBtldfnHK
+A8TyeviKkVok1lwDAoJ3LJi/bcyCLgBZLInOU31mQ7mIXq1ENCOIvQvaG0Lwdt59
+sBI8sknHkt+54t/VCaKbWSBOzgGur6EDf9WtPHWvHNCKEleDiHCELdhRYYtENO7T
+vTv6Fq6Lh26dor26LnARLPvGLAKwONJ0vlTEG8IyoD5AHz9MwdXYgzh8wIvc/HtD
+/0FlQGLd0WYVI6UjZfPxHOZAzARJKXLJMqiSn8hnO8v6JZaUcOF0yRKTKtzqsjzU
+v9TubCGdQAaCSCaD2fmA0BEs/FpOnZ8P1fXMpcHGEtMV0qc0wZkCDQRjY7/GARAA
+ubCCHkdiMblMA9ZlcOVN1Wep7TuYxQouATTb+73iHDQRNIU7DvluHoSq5zJe1Qst
+zjTmtlkr2dyI5JnBexUEKrw2X7gPXfLaXY01gLLB/Jn8tU9VxPqBybxmjmEdP58B
+I7BwmCyMYNqDuvPSfTMlogH/pF35Al+c8UbOfDEQqxSO2nKPNa4T5ZoVxvMxV4gn
+hEJPv8Xte/wiE+CxxbmO2we6rwJjWe7O3T0mNmqvpO8iIsLlQnwTFD5L1huywPc0
+UDHK0nl8k2lkue2buaOiancLatXt/i+L1DIimCgZwOt3DlVLURH5lz5ALXE/fn+5
+wKkp+XVyNTAEFhSGifgBDYFw3nZeRTU7unMsRssL8SjuwPWoCcRI/3VE08xCuXc+
+h6NpGfeJjLRgUSSBF+958djY320TcXaRLrqRhjcJ34dBsDYsRSC15nnq2JU6Vj5t
+rJL9qOdwVAFwKeAfROUULcy/LHZ3QgKLN5jOfdqYzE2KHk1+VANttRPTG34i6uq6
+yzCFFYadwST22+QWvxh2ohYj2INvvrzRf3lVxssWyb4USB0JPajgnGeNY/hSYfDa
+KArqOr9S+3q7h0v4RgoPxDRFIC8v/10W4wPC7R3wj0m/1WHkSm951Wtzq3V84uCF
+LLhx2ByNpnJFRFqklonAH3WHUIeYcdXAsTeunrGU/XsAEQEAAbQuR3JlZyBDaG91
+bGVzIChDb2RlLVNpZ25pbmcgS2V5KSA8Z3JlZ0Bpc2Mub3JnPokCTgQTAQoAOBYh
+BJWA1r8syA8eO7ESUt6rkdVLE8m4BQJjY7/GAhsDBQsJCAcDBRUKCQgLBRYCAwEA
+Ah4BAheAAAoJEN6rkdVLE8m42PwP/RFmUzgsoM23Z/NQ2AacCFTmHweEllkmf+25
+3hP80BuSHKsdzlmllFux+xbKZEpQK0nL3fqW8yyv69WmsoKZPpZJxmQ6bwUbtXC7
+rHkt5gfOXiTaxDBmgO2dcnDsKLb+bEQ7C5hay1P8rOvf13a4UZeTP37gRGmMr38+
+LvADIspIxBdSvFa7Hb4HKG4VVDai8jaPCF0q8daEWMJxyKSfOQBtSVVAzjLcGrYR
+bCPDAI1DEASyQOru52WREe4vJCwSaq9dZyGhaWcnyTVQO8bsSLxu7cUVxA3SOheQ
+izYKkYNbaBDmWlZxLYFsTUf5izEYdW5BwHaowmw22hSspFod+c37BoY/ePfkR5iQ
+YuEff/unyqvdHMDqIXWZqpAi5o5hW3jdCd7ZL5T0WWjz4CQ8eko1ZYYnYzZlDrge
+F0veW8+lzHBLx3Ad8HyVGwtRe+VV1V0AZ0lpWMtxo02ZDRtqNDqPqVfLT5P87ZPv
+r5GhKtedgrjwY2clgmCT0xgAKNxi2SC+c/vI5PRkIoqwbTiryLIYq8tl6T1k6AMY
+eN1ZNQR7eNEXpIvYRD/BZw7IWKkCRaKwfDVhUHCm0ikylwdLXIfEEEA5mu2LJeZh
+vCddhks0S8+lRyWR/3okurF6rlloNtM1pslceh2AMDwfs3fORhYJxFsV7O7fyRnD
+NS93fq56mQINBGNj8P4BEADXK//p0lWEUNUYirsm6BUyUXqPlPrpVTdPB1tJPj1o
+zgeMKFOpYRPU1IZF1G6pbKD09gL6y19LehQYx1a57PF7kCx2ZvvcFN24EHto1H1p
+Ti48dZ7KyyEO1rBeLY5Zjgz6YvQZcSH3cd6cTrAo7hPIAjtgSTWp04FjtYJqf+tT
+gf+9ZWY+i4nQ6/Q5Z5NUd8jsOcOoFDsmY6Fds+lzn0aZSg2yfd8fnX5QFOIwDv66
+aM25q2kvkrX0wtvSQbulC8x5g6fIB3xEL6MWbXcEBYkBMW5Cnw/Kmyj7lJwVwvEO
+FFhKaOH/d2LG3rM66gl048aJYLhEJyFSyooBynXs8S/NLDgca94Bvb54FPX8LC3p
+lqJRLxhdkha5NLcUYiHOq/L7LWdThh5rRAy87Ggog8TVza118K3oiYujlyVEzLhB
+NVMT8x5kl15YknVgOKJAv9j28bSZihHrS7aga1BtYFD8yA9MuuDaHARV6YmThkdg
+OEz/PNECjsxCLcT5Bbthzg6Jg1qo3Unyeup0UbyX4zxSphCVmerDmMYddLjJ/ydc
+1uxyn4IPINBSx2sAPuUIymhVC29MB6N+SnB37/poTvSsIH15Vg264OVdaervIpuC
+W3eUANr7zrdO85nc1CTWGhugFwccXv9nyxAt8zUF/ci17p1/mLpy9K3LqlStVI9j
+MwARAQABtDBDYXRoeSBBbG1vbmQgKENvZGUtU2lnbmluZyBLZXkpIDxjYXRoeWFA
+aXNjLm9yZz6JAk4EEwEKADgWIQT8h0w+P+hncHCscb617/asfhrd+AUCY2Pw/gIb
+AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRC17/asfhrd+HM6D/9KD/n245Fq
+jVzew92lJtufAxAFkTA5WO6fXweMlUeqMOub4vpVMLPLoFe5TzWbJMtF0m/P5+aU
+YbcvZBWFHsrnwTgA55c1VrhggLOxpw4EU0TvBdwrO7PFOYc2WznaMG+mJdqw+uNM
+yK+G44aIaC6rvi3ILSo5HPnbgQWHs39QIRLLcUjtqvavQQeyYAl0zrvNI9Xrs/Nf
+eE6PS4hIXg90A9VJRhay18w9hA+STb+xmK+3oSwP1ayLqqQ43OnV/pExSHBsjBQk
+4p1nIPlRFL30lGp/o2MoBsRvQM1tELpgBTk1LaTHzuKEpOskrWU37xu0QgEtj7YE
+r0X+GGBxgJuUzqSyLsaDgH1sEDqE+AthFfv2dxDadcXM2cdch9y3OyuSMo89aWGc
+mEVyesjYoV40tDCG73qLtfehhV/iARDMCfnZGyGYIZdDBL+tZTNeLKVDIUi/R3x9
+OmpEl8ZuCuYltyEsJnCF/rQBVMgcTOmsMu6CMx+qT3kC8iGtHqkUT2ufpKISahTn
+e329FQjClEWwBHkr0T4K80Z0REjSo6UBtio73IOCxXe0RqO37L/qgo8xKZbLxy86
+857PRWJhgbw169FJ2kR5p+M5d/g/MUeYnigvWlORW5LyrFg6RnZ1ZbULZI80QhHN
+aSFf/w020HBsLCkzWA/XM6MO2ifJTSn8NpkCDQRkSjCrARAApLUMHAbmxUMWLgDQ
+apRZBwWXriEyIVqA/SIy1PyWPPFXqs3LZ5Kn5Gw1WO8PfzkPZNtccGmNLjujIoRB
+qR41nV5zxcpS896SujBoYl80A4F4v9Op9i2pFeI9r9acFcUDjbGWBqNro4EfRcJN
+Ctkd9+pl3TUvFX06QCTxmmHy3M81SW3b4NWI+jia1cKjCd+qBFBgKWdjSMBeVTBC
+R9eKqsBQ1UJql2bRzc8pReS+TYCeEbhaOCvUCCKCwGtsSUOW726iNB/4zR4OOuQV
+B9ORufwed+E/RXa8N08/l5O96uXG0krJtOVm0/qQcXOaKxiDo6djnAgCdjFK5zaj
+7594wqbI7de58alWb/egqIhjBTgk+/cO+epZ05qx5SoJZL7ny2ottrfS2cBqP4g1
+SIt1sYl9ImHmJkNrNDy0s25nE9Nga6OfRqVbwnwot4ouTGwj0oZsCjw+gWjDdztH
+1fUWSnlA8jaX9/RZG2wKt9dI+Tp/U4d5dyTb8lIIzzgtAzDmDfPxwwT0rxAAL13A
+gDkJ0AzXA4WTOxb/JE2yfCz//kt7n8SYM//LixL4VAB7e/wnfZBhTq0OFpaPjFU0
+h/k0dc40AqcUuK3lSSjQr3KTzRHtjz8qtN4DFSuyZac83QSVtWE1rFKjS8bl3XHC
+kFFRJ2dMt2WRSkLOYNiTGbYLvmEAEQEAAbQwQW5kcmVpIFBhdmVsIChDb2RlLVNp
+Z25pbmcgS2V5KSA8YW5kcmVpQGlzYy5vcmc+iQJOBBMBCgA4FiEE2mo1COZypJ3T
+gq/ZW49NkbiO2QkFAmRKMKsCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
+W49NkbiO2QnQZw//XCpeqT0z/sqtu4FYWwYLz1OvWqhe+uA45f9BccnNSVkGFa7w
+3hlLQC/FLUIx2cVy9AluJBP29iQge/bCcXnzo/QvCbhe/4lCTxhr7nsBe1bWpuNI
+4Pl+cQxZQBwcz74zZ1jjaaQOqm3XtdZxeKNfCQmNvz389UZEk2m8K6qJD23fy20V
+n5Y2C502UuP3MitbYKBxBSbs+Auwy1evz/prQ9VeD4Nv3Zr+jWbWFW+dSDC8jkrX
+cGdwWrUQ51QD8VBB9lPWPGY6yTbRmacr4AlVSo2DAfyjHRrGHigRF/VAD5p1+u2g
+3UFLJaEyujfzwU1kG4+zQCWZ2W2UBOekklq/yefxEY5vU1/Lad7vQhBmogQNF21T
+FvLUE6ez7XNsdMZStDPiT8OoTyFZYLRM4yw5rWKw+1mICBv7NV82YD/8hoMoZPyX
+2tNRTXv2MZ6qD++0dMCIZNEyFTB344srvQSyJ7K7vwxulc7iFWngRA8oe6JkAhH4
+B0yNq1FJm6jIL41S2FmnDL3DlfAdKWapBqzgqkv+X5DQBaTlG9a4BcSsdMJgU/Yx
+dD03YsKhDtEWTqBmmEamR1K1CgCC3mOJfsHB5z+Qhdraz2hMr00EQrD5lnpLLpcF
+rYWoilvVlRy7Y7U5wfhY4074L2ZfB+yElKsvtfGKJX/8g+eJdeRuII+hjEc=
+=NX7P
+-----END PGP PUBLIC KEY BLOCK-----

ldap2zone.c

@@ -0,0 +1,411 @@
+/*
+ * Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+ * $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ */
+
+#define LDAP_DEPRECATED 1
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include <ldap.h>
+
+struct string {
+    void *data;
+    size_t len;
+};
+
+struct assstack_entry {
+    struct string key;
+    struct string val;
+    struct assstack_entry *next;
+};
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
+void printsoa(struct string *soa);
+void printrrs(char *defaultttl, struct assstack_entry *item);
+void print_zone(char *defaultttl, struct assstack_entry *stack);
+void usage(char *name);
+void err(char *name, const char *msg);
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
+    for (; stack; stack = stack->next)
+	if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
+	    return stack;
+    return NULL;
+}
+
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
+    item->next = *stack;
+    *stack = item;
+}
+
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
+    struct assstack_entry *p;
+    
+    item->next = NULL;
+    if (!*stack) {
+	*stack = item;
+	return;
+    }
+    /* find end, should keep track of end somewhere */
+    /* really a queue, not a stack */
+    p = *stack;
+    while (p->next)
+	p = p->next;
+    p->next = item;
+}
+
+void printsoa(struct string *soa) {
+    char *s;
+    size_t i;
+    
+    s = (char *)soa->data;
+    i = 0;
+    while (i < soa->len) {
+	putchar(s[i]);
+	if (s[i++] == ' ')
+	    break;
+    }
+    while (i < soa->len) {
+	putchar(s[i]);
+	if (s[i++] == ' ')
+	    break;
+    } 
+    printf("(\n\t\t\t\t");
+    while (i < soa->len) {
+	putchar(s[i]);
+	if (s[i++] == ' ')
+	    break;
+    }
+    printf("; Serialnumber\n\t\t\t\t");
+    while (i < soa->len) {
+	if (s[i] == ' ')
+	    break;
+	putchar(s[i++]);
+    }
+    i++;
+    printf("\t; Refresh\n\t\t\t\t");
+    while (i < soa->len) {
+	if (s[i] == ' ')
+	    break;
+	putchar(s[i++]);
+    }
+    i++;
+    printf("\t; Retry\n\t\t\t\t");
+    while (i < soa->len) {
+	if (s[i] == ' ')
+	    break;
+	putchar(s[i++]);
+    }
+    i++;
+    printf("\t; Expire\n\t\t\t\t");
+    while (i < soa->len) {
+	putchar(s[i++]);
+    }
+    printf(" )\t; Minimum TTL\n");
+}
+
+void printrrs(char *defaultttl, struct assstack_entry *item) {
+    struct assstack_entry *stack;
+    char *s;
+    int first;
+    size_t i;
+    char *ttl, *type;
+    int top;
+    
+    s = (char *)item->key.data;
+
+    if (item->key.len == 1 && *s == '@') {
+	top = 1;
+	printf("@\t");
+    } else {
+	top = 0;
+	for (i = 0; i < item->key.len; i++)
+	    putchar(s[i]);
+	if (item->key.len < 8)
+	    putchar('\t');
+	putchar('\t');
+    }
+    
+    first = 1;
+    for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
+	ttl = (char *)stack->key.data;
+	s = strchr(ttl, ' ');
+	*s++ = '\0';
+	type = s;
+	
+	if (first)
+	    first = 0;
+        else
+	    printf("\t\t");
+	    
+	if (strcmp(defaultttl, ttl))
+	    printf("%s", ttl);
+	putchar('\t');
+	
+	if (top) {
+	    top = 0;
+	    printf("IN\t%s\t", type);
+	    /* Should always be SOA here */
+	    if (!strcmp(type, "SOA")) {
+		printsoa(&stack->val);
+		continue;
+	    }
+	} else
+	    printf("%s\t", type);
+
+	s = (char *)stack->val.data;
+	for (i = 0; i < stack->val.len; i++)
+	    putchar(s[i]);
+	putchar('\n');
+    }
+}
+
+void print_zone(char *defaultttl, struct assstack_entry *stack) {
+    printf("$TTL %s\n", defaultttl);
+    for (; stack; stack = stack->next)
+	printrrs(defaultttl, stack);
+};
+
+void usage(char *name) {
+    fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
+    exit(1);
+};
+
+void err(char *name, const char *msg) {
+    fprintf(stderr, "%s: %s\n", name, msg);
+    exit(1);
+};
+
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
+    struct string key;
+    struct assstack_entry *rr, *rrdata;
+    
+    /* Do nothing if name or value have 0 length */
+    if (!name->bv_len || !val->bv_len)
+	return 0;
+
+    /* see if already have an entry for this name */
+    key.len = name->bv_len;
+    key.data = name->bv_val;
+
+    rr = assstack_find(*stack, &key);
+    if (!rr) {
+	/* Not found, create and push new entry */
+	rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+	if (!rr)
+	    return -1;
+	rr->key.len = name->bv_len;
+	rr->key.data = (void *) malloc(rr->key.len);
+	if (!rr->key.data) {
+	    free(rr);
+	    return -1;
+	}
+	memcpy(rr->key.data, name->bv_val, name->bv_len);
+	rr->val.len = sizeof(void *);
+	rr->val.data = NULL;
+	if (name->bv_len == 1 && *(char *)name->bv_val == '@')
+	    assstack_push(stack, rr);
+	else
+	    assstack_insertbottom(stack, rr);
+    }
+
+    rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+    if (!rrdata) {
+	free(rr->key.data);
+	free(rr);
+	return -1;
+    }
+    rrdata->key.len = strlen(type) + strlen(ttl) + 1;
+    rrdata->key.data = (void *) malloc(rrdata->key.len);
+    if (!rrdata->key.data) {
+	free(rrdata);
+	free(rr->key.data);
+	free(rr);
+	return -1;
+    }
+    sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
+	
+    rrdata->val.len = val->bv_len;
+    rrdata->val.data = (void *) malloc(val->bv_len);
+    if (!rrdata->val.data) {
+	free(rrdata->key.data);
+	free(rrdata);
+	free(rr->key.data);
+	free(rr);
+	return -1;
+    }
+    memcpy(rrdata->val.data, val->bv_val, val->bv_len);
+
+    if (!strcmp(type, "SOA"))
+	assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
+    else
+	assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
+    return 0;
+}
+
+int main(int argc, char **argv) {
+    char *s, *hostporturl, *base = NULL;
+    char *ttl, *defaultttl;
+    LDAP *ld;
+    char *fltr = NULL;
+    LDAPMessage *res, *e;
+    char *a, **ttlvals, **soavals, *serial;
+    struct berval **vals, **names;
+    char type[64];
+    BerElement *ptr;
+    int i, j, rc, msgid;
+    struct assstack_entry *zone = NULL;
+    
+    if (argc < 4 || argc > 5)
+        usage(argv[0]);
+
+    hostporturl = argv[2];
+
+    if (hostporturl != strstr( hostporturl, "ldap"))
+	err(argv[0], "Not an LDAP URL");
+
+    s = strchr(hostporturl, ':');
+
+    if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
+	err(argv[0], "Not an LDAP URL");
+
+    s = strchr(s+3, '/');
+    if (s) {
+	*s++ = '\0';
+	base = s;
+	s = strchr(base, '?');
+	if (s)
+	    err(argv[0], "LDAP URL can only contain host, port and base");
+    }
+
+    defaultttl = argv[3];
+    
+    rc = ldap_initialize(&ld, hostporturl);
+    if (rc != LDAP_SUCCESS)
+	err(argv[0], "ldap_initialize() failed");
+
+    if (argc == 5) {
+	/* serial number specified, check if different from one in SOA */
+	fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
+	sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
+	msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+	if (msgid == -1)
+	    err(argv[0], "ldap_search() failed");
+
+	while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+	    /* not supporting continuation references at present */
+	    if (rc != LDAP_RES_SEARCH_ENTRY)
+		err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+	    /* only one entry per result message */
+	    e = ldap_first_entry(ld, res);
+	    if (e == NULL) {
+		ldap_msgfree(res);
+		err(argv[0], "ldap_first_entry() failed");
+	    }
+	
+	    soavals = ldap_get_values(ld, e, "SOARecord");
+	    if (soavals)
+		break;
+	}
+
+	ldap_msgfree(res);
+	if (!soavals) {
+		err(argv[0], "No SOA Record found");
+	}
+	
+	/* We have a SOA, compare serial numbers */
+	/* Only checkinf first value, should be only one */
+	s = strchr(soavals[0], ' ');
+	s++;
+	s = strchr(s, ' ');
+	s++;
+	serial = s;
+	s = strchr(s, ' ');
+	*s = '\0';
+	if (!strcmp(serial, argv[4])) {
+	    ldap_value_free(soavals);
+	    err(argv[0], "serial numbers match");
+	}
+	ldap_value_free(soavals);
+    }
+
+    if (!fltr)
+	fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
+    if (!fltr)
+	err(argv[0], "Malloc failed");
+    sprintf(fltr, "(zoneName=%s)", argv[1]);
+
+    msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+    if (msgid == -1)
+	err(argv[0], "ldap_search() failed");
+
+    while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+	/* not supporting continuation references at present */
+	if (rc != LDAP_RES_SEARCH_ENTRY)
+	    err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+	/* only one entry per result message */
+	e = ldap_first_entry(ld, res);
+	if (e == NULL) {
+	    ldap_msgfree(res);
+	    err(argv[0], "ldap_first_entry() failed");
+	}
+	
+	names = ldap_get_values_len(ld, e, "relativeDomainName");
+	if (!names)
+	    continue;
+	
+	ttlvals = ldap_get_values(ld, e, "dNSTTL");
+	ttl = ttlvals ? ttlvals[0] : defaultttl;
+
+	for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
+	    char *s;
+
+	    for (s = a; *s; s++)
+		*s = toupper(*s);
+	    s = strstr(a, "RECORD");
+	    if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
+		ldap_memfree(a);
+		continue;
+	    }
+			
+	    strncpy(type, a, s - a);
+	    type[s - a] = '\0';
+	    vals = ldap_get_values_len(ld, e, a);
+	    if (vals) {
+		for (i = 0; vals[i]; i++)
+		    for (j = 0; names[j]; j++)
+			if (putrr(&zone, names[j], type, ttl, vals[i]))
+			    err(argv[0], "malloc failed");
+		ldap_value_free_len(vals);
+	    }
+	    ldap_memfree(a);
+	}
+
+	if (ptr)
+	    ber_free(ptr, 0);
+	if (ttlvals)
+	    ldap_value_free(ttlvals);
+	ldap_value_free_len(names);
+	/* free this result */
+	ldap_msgfree(res);
+    }
+
+    /* free final result */
+    ldap_msgfree(res);
+
+    print_zone(defaultttl, zone);
+    return 0;
+}

makefile-replace-libs.py

@@ -0,0 +1,143 @@
+#!/usr/bin/python3
+#
+# Makefile modificator
+#
+# Should help in building bin/tests/system tests standalone,
+# linked to libraries installed into the system.
+# TODO:
+# - Fix top_srcdir, because dyndb/driver/Makefile uses $TOPSRC/mkinstalldirs
+# - Fix conf.sh to contain paths to system tools
+# - Export $TOP/version somewhere, where it would be used
+# - system tests needs bin/tests code. Do not include just bin/tests/system
+#
+# Possible solution:
+#
+# sed -e 's/$TOP\/s\?bin\/\(delv\|confgen\|named\|nsupdate\|pkcs11\|python\|rndc\|check\|dig\|dnssec\|tools\)\/\([[:alnum:]-]\+\)/`type -p \2`/' conf.sh
+# sed -e 's,../../../../\(isc-config.sh\),\1,' builtin/tests.sh
+# or use: $NAMED -V | head -1 | cut -d ' ' -f 2
+
+import re
+import argparse
+
+"""
+Script for replacing Makefile ISC_INCLUDES with runtime flags.
+
+Should translate part of Makefile to use isc-config.sh instead static linked sources.
+ISC_INCLUDES = -I/home/pemensik/rhel/bind/bind-9.11.12/build/lib/isc/include \
+        -I${top_srcdir}/lib/isc \
+        -I${top_srcdir}/lib/isc/include \
+        -I${top_srcdir}/lib/isc/unix/include \
+        -I${top_srcdir}/lib/isc/pthreads/include \
+        -I${top_srcdir}/lib/isc/x86_32/include
+
+Should be translated to:
+ISC_INCLUDES = $(shell isc-config.sh --cflags isc)
+"""
+
+def isc_config(mode, lib):
+    if mode:
+        return '$(shell isc-config.sh {mode} {lib})'.format(mode=mode, lib=lib)
+    else:
+        return ''
+
+def check_match(match, debug=False):
+    """
+    Check this definition is handled by internal library
+    """
+    if not match:
+        return False
+    lib = match.group(2).lower()
+    ok = not lib_filter or lib in lib_filter
+    if debug:
+        print('{status} {lib}: {text}'.format(status=ok, lib=lib, text=match.group(1)))
+    return ok
+
+def fix_line(match, mode):
+    lib = match.group(2).lower()
+    return match.group(1)+isc_config(mode, lib)+"\n"
+
+def fix_file_lines(path, debug=False):
+    """
+    Opens file and scans fixes selected parameters
+
+    Returns list of lines if something should be changed,
+    None if no action is required
+    """
+    fixed = []
+    changed = False
+    with open(path, 'r') as fin:
+        fout = None
+
+        line = next(fin, None)
+        while line:
+            appended = False
+            while line.endswith("\\\n"):
+                line += next(fin, None)
+
+            inc = re_includes.match(line)
+            deplibs = re_deplibs.match(line)
+            libs = re_libs.match(line)
+            newline = None
+            if check_match(inc, debug=debug):
+                newline = fix_line(inc, '--cflags')
+            elif check_match(deplibs, debug=debug):
+                newline = fix_line(libs, None)
+            elif check_match(libs, debug=debug):
+                newline = fix_line(libs, '--libs')
+
+            if newline and line != newline:
+                changed = True
+                line = newline
+
+            fixed.append(line)
+            line = next(fin, None)
+
+    if not changed:
+        return None
+    else:
+        return fixed
+
+def write_lines(path, lines):
+    fout = open(path, 'w')
+    for line in lines:
+        fout.write(line)
+    fout.close()
+
+def print_lines(lines):
+    for line in lines:
+        print(line, end='')
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Makefile multiline include replacer')
+    parser.add_argument('files', nargs='+')
+    parser.add_argument('--filter', type=str,
+            default='isc isccc isccfg dns lwres bind9 irs',
+            help='List of libraries supported by isc-config.sh')
+    parser.add_argument('--check', action='store_true',
+            help='Test file only')
+    parser.add_argument('--print', action='store_true',
+            help='Print changed file only')
+    parser.add_argument('--debug', action='store_true',
+            help='Enable debug outputs')
+
+    args = parser.parse_args()
+    lib_filter = None
+
+    re_includes = re.compile(r'^\s*((\w+)_INCLUDES\s+=\s*).*')
+    re_deplibs = re.compile(r'^\s*((\w+)DEPLIBS\s*=).*')
+    re_libs = re.compile(r'^\s*((\w+)LIBS\s*=).*')
+
+    if args.filter:
+        lib_filter = set(args.filter.split(' '))
+        pass
+
+    for path in args.files:
+        lines = fix_file_lines(path, debug=args.debug)
+        if lines:
+            if args.print:
+                print_lines(lines)
+            elif not args.check:
+                write_lines(path, lines)
+                print('File {path} was fixed'.format(path=path))
+        else:
+            print('File {path} does not need fixing'.format(path=path))

named-chroot-setup.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files

named-chroot.files

@@ -0,0 +1,25 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/usr/share/GeoIP
+/run/named
+/proc/sys/net/ipv4/ip_local_port_range
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named

named-chroot.service

@@ -0,0 +1,31 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target

named-setup-rndc.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh

named.conf

@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	secroots-file	"/var/named/data/named.secroots";
+	recursing-file	"/var/named/data/named.recursing";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-validation yes;
+
+	managed-keys-directory "/var/named/dynamic";
+	geoip-directory "/usr/share/GeoIP";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+

named.conf.sample

@@ -0,0 +1,243 @@
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
+ its manual.
+*/
+
+options
+{
+	// Put files that named is allowed to write in the data/ directory:
+	directory 		"/var/named";		// "Working" directory
+	dump-file 		"data/cache_dump.db";
+        statistics-file 	"data/named_stats.txt";
+        memstatistics-file 	"data/named_mem_stats.txt";
+	secroots-file		"data/named.secroots";
+	recursing-file		"data/named.recursing";
+
+
+	/*
+	  Specify listenning interfaces. You can use list of addresses (';' is
+	  delimiter) or keywords "any"/"none"
+	*/
+	//listen-on port 53	{ any; };
+	listen-on port 53	{ 127.0.0.1; };
+
+	//listen-on-v6 port 53	{ any; };
+	listen-on-v6 port 53	{ ::1; };
+
+	/*
+	  Access restrictions
+
+	  There are two important options:
+	    allow-query { argument; };
+	      - allow queries for authoritative data
+
+	    allow-query-cache { argument; };
+	      - allow queries for non-authoritative data (mostly cached data)
+
+	  You can use address, network address or keywords "any"/"localhost"/"none" as argument
+	  Examples:
+	    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+	*/
+
+	allow-query		{ localhost; };
+	allow-query-cache	{ localhost; };
+
+	/* Enable/disable recursion - recursion yes/no;
+
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	 */
+	recursion yes;
+
+	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+	/* Enable DNSSEC validation on recursive servers */
+	dnssec-validation yes;
+
+	/* In Fedora we use /run/named instead of default /var/run/named
+	   so we have to configure paths properly. */
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+    /* In Fedora we use system-wide Crypto Policy */
+    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+    include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging 
+{
+/*      If you want to enable debugging, eg. using the 'rndc trace' command,
+ *      named will try to write the 'named.run' file in the $directory (/var/named).
+ *      By default, SELinux policy does not allow named to modify the /var/named directory,
+ *      so put the default debug log file in data/ :
+ */
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the 
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+ * If all you want is a caching-only nameserver, then you need only define this view:
+ */
+	match-clients 		{ localhost; };
+	recursion yes;
+
+	# all views must contain the root hints zone:
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+        /* these are zones that contain definitions for all the localhost
+         * names and addresses, as recommended in RFC1912 - these names should
+	 * not leak to the other nameservers:
+	 */
+	include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+   that connect via your directly attached LAN interfaces - "localnets" .
+ */
+	match-clients		{ localnets; };
+	recursion yes;
+
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+        /* these are zones that contain definitions for all the localhost
+         * names and addresses, as recommended in RFC1912 - these names should
+	 * not leak to the other nameservers:
+	 */
+	include "/etc/named.rfc1912.zones";
+
+	// These are your "authoritative" internal zones, and would probably
+	// also be included in the "localhost_resolver" view above :
+
+	/*
+	  NOTE for dynamic DNS zones and secondary zones:
+
+	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+	  If you are using views and DDNS/secondary zones it is strongly
+	  recommended to read FAQ on ISC site (www.isc.org), section
+	  "Configuration and Setup Questions", questions
+	  "How do I share a dynamic zone between multiple views?" and
+	  "How can I make a server a slave for both an internal and an external
+	   view at the same time?"
+	*/
+
+	zone "my.internal.zone" { 
+		type primary;
+		file "my.internal.zone.db";
+	};
+	zone "my.slave.internal.zone" {
+		type secondary;
+		file "slaves/my.slave.internal.zone.db";
+		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+		// put slave zones in the slaves/ directory so named can update them
+	};	
+	zone "my.ddns.internal.zone" {
+		type primary;
+		allow-update { key ddns_key; };
+		file "dynamic/my.ddns.internal.zone.db";
+		// put dynamically updateable zones in the slaves/ directory so named can update them
+	};
+};
+
+key ddns_key
+{
+	algorithm hmac-sha256;
+	secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
+};
+
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+ * that have addresses that are not match any above view:
+ */
+	match-clients		{ any; };
+
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+	recursion no;
+	// you'd probably want to deny recursion to external clients, so you don't
+        // end up providing free DNS service to all takers
+
+	// These are your "authoritative" external zones, and would probably
+        // contain entries for just your web and mail servers:
+
+	zone "my.external.zone" { 
+		type primary;
+		file "my.external.zone.db";
+	};
+};
+
+/* Trusted keys
+
+  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+  should configure at least one trusted key.
+
+  Note that no key written below is valid. Especially root key because root zone
+  is not signed yet.
+*/
+/*
+trust-anchors {
+// Root Key
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		      +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		      ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		      0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		      oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		      RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		      R1AkUTV74bU=";
+
+// Key for forward zone
+example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
+				LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
+				LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
+				UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
+				yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
+				Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
+				Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
+				xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
+
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
+};
+*/

named.empty

@@ -0,0 +1,10 @@
+$TTL 3H
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

named.localhost

@@ -0,0 +1,10 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

named.logrotate

@@ -0,0 +1,12 @@
+/var/named/data/named.run {
+    missingok
+    su named named
+    create 0644 named named
+    postrotate
+        /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
+    endscript
+}

named.loopback

@@ -0,0 +1,11 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1
+	PTR	localhost.

named.rfc1912.zones

@@ -0,0 +1,45 @@
+// named.rfc1912.zones:
+//
+// Provided by Red Hat caching-nameserver package 
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+// and https://tools.ietf.org/html/rfc6303
+// (c)2007 R W Franks
+// 
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// Note: empty-zones-enable yes; option is default.
+// If private ranges should be forwarded, add 
+// disable-empty-zone "."; into options
+// 
+
+zone "localhost.localdomain" IN {
+	type primary;
+	file "named.localhost";
+	allow-update { none; };
+};
+
+zone "localhost" IN {
+	type primary;
+	file "named.localhost";
+	allow-update { none; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+	type primary;
+	file "named.loopback";
+	allow-update { none; };
+};
+
+zone "1.0.0.127.in-addr.arpa" IN {
+	type primary;
+	file "named.loopback";
+	allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+	type primary;
+	file "named.empty";
+	allow-update { none; };
+};

named.root

@@ -0,0 +1,92 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     December 20, 2023
+;       related version of root zone:     2023122001
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
+B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file

named.root.key

@@ -0,0 +1,13 @@
+trust-anchors {
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # This key (20326) was published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};

named.rwtab

@@ -0,0 +1,6 @@
+dirs    /var/named
+
+files	/var/named/named.ca
+files	/var/named/named.empty
+files	/var/named/named.localhost
+files	/var/named/named.loopback

named.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target

named.sysconfig

@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever"     --  These additional options will be passed to named
+#                            at startup. Don't add -t here, enable proper
+#                            -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+#                        --  Don't use -c to change configuration file.
+#                            Extend systemd named.service instead or use this
+#                            variable.
+#
+# DISABLE_ZONE_CHECKING  --  By default, service file calls named-checkzone
+#                            utility for every zone to ensure all zones are
+#                            valid before named starts. If you set this option
+#                            to 'yes' then service file doesn't perform those
+#                            checks.

plans/all.fmf

@@ -0,0 +1,10 @@
+summary: Test plan with all beakerlib tests
+environment+:
+    PACKAGE: bind
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/bind.git
+execute:
+    how: tmt
+context:
+    component: bind

plans/tier1-public.fmf

@@ -0,0 +1,11 @@
+summary: Public (Fedora) Tier1 beakerlib tests
+environment+:
+    PACKAGE: bind
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/bind.git
+    filter: 'tier: 1'
+execute:
+    how: tmt
+context:
+    component: bind

setup-named-chroot.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+ROOTDIR="$1"
+CONFIG_FILES="${3:-/etc/named-chroot.files}"
+
+usage()
+{
+  echo
+  echo 'This script setups chroot environment for BIND'
+  echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
+}
+
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
+  echo 'Wrong number of arguments'
+  usage
+  exit 1
+fi
+
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+  echo "Root directory $ROOTDIR doesn't exist"
+  usage
+  exit 1
+fi
+
+if ! [ -r "$CONFIG_FILES" ]; then
+  echo "Files list $CONFIG_FILES doesn't exist" 2>&1
+  usage
+  exit 1
+fi
+
+dev_create()
+{
+  DEVNAME="$ROOTDIR/dev/$1"
+  shift
+  if ! [ -e "$DEVNAME" ]; then
+    /bin/mknod -m 0664 "$DEVNAME" $@
+    /bin/chgrp named "$DEVNAME"
+    if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+      /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+    fi
+  fi
+}
+
+dev_chroot_prep()
+{
+  dev_create random  c 1 8
+  dev_create urandom c 1 9
+  dev_create zero    c 1 5
+  dev_create null    c 1 3
+}
+
+files_comment_filter()
+{
+  if [ -d "$1" ]; then
+    grep -v '^[[:space:]]*#' "$1"/*.files
+  else
+    grep -v '^[[:space:]]*#' "$1"
+  fi
+}
+
+mount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    # Check devices are prepared
+    dev_chroot_prep
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
+      # Skip nonexistant files
+      [ -e "$all" ] || continue
+
+      # If mount source is a file
+      if ! [ -d "$all" ]; then
+        # mount it only if it is not present in chroot or it is empty
+        if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+          touch "$ROOTDIR$all"
+          mount --bind "$all" "$ROOTDIR$all"
+        fi
+      else
+        # Mount source is a directory. Mount it only if directory in chroot is
+        # empty.
+        if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+          mount --bind --make-private "$all" "$ROOTDIR$all"
+        fi
+      fi
+    done
+  fi
+}
+
+umount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
+      # Check if file is mount target. Do not use /proc/mounts because detecting
+      # of modified mounted files can fail.
+      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+        umount "$ROOTDIR$all"
+        # Remove temporary created files
+        [ -f "$all" ] && rm -f "$ROOTDIR$all"
+      fi
+    done
+  fi
+}
+
+case "$2" in
+  on)
+    mount_chroot_conf
+    ;;
+  off)
+    umount_chroot_conf
+    ;;
+  *)
+    echo 'Second argument has to be "on" or "off"'
+    usage
+    exit 1
+esac
+
+exit 0

setup-named-softhsm.sh

@@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Quotes around eval are mandatory!
+# Recommended use:
+# eval "$(bash setup-named-softhsm.sh -A)"
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+	echo "#" $@
+}
+
+random()
+{
+	if [ -x "$(which openssl 2>/dev/null)" ]; then
+		openssl rand -base64 $1
+	else
+		dd if=/dev/urandom bs=1c count=$1 | base64
+	fi
+}
+
+usage()
+{
+	echo "Usage: $0 -A [token directory] [group]"
+	echo "   or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+	usage >&2
+	exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+	# Automagic mode instead
+	MODE=secure
+	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+	PIN_SOURCE="$TOKENPATH/pin"
+	SOPIN_SOURCE="$TOKENPATH/so-pin"
+	TOKENPATH="$TOKENPATH/tokens"
+else
+	MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat  << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+	echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+	touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+	if [ -n "$GROUPNAME" ]; then
+		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+	fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+	echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+	PIN=$(random 6)
+	SO_PIN=$(random 18)
+	if [ -n "$PIN_SOURCE" ]; then
+		echo -n "$PIN" > "$PIN_SOURCE"
+		echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+	fi
+
+	echo_i "Initializing tokens to ${TOKENPATH}..."
+	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+	if [ -n "$GROUPNAME" ]; then
+		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+		chmod -R -- g=rX,o= "$TOKENPATH"
+	fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""

softhsm2.conf.in

@@ -0,0 +1,10 @@
+# SoftHSM v2 configuration file
+
+directories.tokendir = @TOKENPATH@
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false

sources

@@ -0,0 +1,2 @@
+SHA512 (bind-9.18.24.tar.xz) = 465f5b01570fdde5c95adfb780f54e0585814bd25baf914bb95bf5972f15a672e3e7b743a55f1804e69e17609d5a0cd66cc2bbab9174238b3c89e5ad732dc085
+SHA512 (bind-9.18.24.tar.xz.asc) = ee16356b2f523bea1a98fb74216aafa134af3dca42e64438f1c89d8a971919614274af316a170ff9d6f952a5101f44ec1f9fe2c460de42797b06a361c994fb6d

trusted-key.key

@@ -0,0 +1 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=