From f4c0cb4ca563eb225b0df39e39ae6e8cf08228a0 Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Mon, 24 Feb 2025 07:10:11 +0000 Subject: [PATCH] import OL bind9.18-9.18.29-1.el9_5.1 --- .bind9.18.metadata | 1 + .fmf/version | 1 - .gitignore | 233 +-- Changes.md | 43 - README.md | 33 - .../bind-9.16-redhat_doc.patch | 0 .../bind-9.18-CVE-2024-11187-pre-test.patch | 68 + SOURCES/bind-9.18-CVE-2024-11187.patch | 228 +++ SOURCES/bind-9.18-CVE-2024-12705.patch | 1299 +++++++++++++++++ .../bind-9.18-unittest-netmgr-unstable.patch | 0 SOURCES/bind-9.18.29.tar.xz.asc | 16 + .../bind-9.5-PIE.patch | 0 bind.tmpfiles.d => SOURCES/bind.tmpfiles.d | 0 .../generate-rndc-key.sh | 0 isc-keyblock.asc => SOURCES/isc-keyblock.asc | 0 .../named-chroot-setup.service | 0 .../named-chroot.files | 0 .../named-chroot.service | 0 .../named-setup-rndc.service | 0 named.conf => SOURCES/named.conf | 0 .../named.conf.sample | 0 named.empty => SOURCES/named.empty | 0 named.localhost => SOURCES/named.localhost | 0 named.logrotate => SOURCES/named.logrotate | 0 named.loopback => SOURCES/named.loopback | 0 .../named.rfc1912.zones | 0 named.root => SOURCES/named.root | 0 named.root.key => SOURCES/named.root.key | 0 named.rwtab => SOURCES/named.rwtab | 0 named.service => SOURCES/named.service | 0 named.sysconfig => SOURCES/named.sysconfig | 0 .../setup-named-chroot.sh | 0 .../setup-named-softhsm.sh | 0 trusted-key.key => SOURCES/trusted-key.key | 0 bind9.18.spec => SPECS/bind9.18.spec | 11 +- bind-9.11.12.tar.gz.asc | 16 - bind-9.14.7.tar.gz.asc | 16 - bind97-exportlib.patch | 226 --- ci.fmf | 1 - codesign2019.txt | 252 ---- gating.yaml | 25 - ldap2zone.c | 411 ------ makefile-replace-libs.py | 143 -- plans.fmf | 39 - softhsm2.conf.in | 10 - sources | 2 - 46 files changed, 1623 insertions(+), 1451 deletions(-) create mode 100644 .bind9.18.metadata delete mode 100644 .fmf/version delete mode 100644 Changes.md delete mode 100644 README.md rename bind-9.16-redhat_doc.patch => SOURCES/bind-9.16-redhat_doc.patch (100%) create mode 100644 
SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch create mode 100644 SOURCES/bind-9.18-CVE-2024-11187.patch create mode 100644 SOURCES/bind-9.18-CVE-2024-12705.patch rename bind-9.18-unittest-netmgr-unstable.patch => SOURCES/bind-9.18-unittest-netmgr-unstable.patch (100%) create mode 100644 SOURCES/bind-9.18.29.tar.xz.asc rename bind-9.5-PIE.patch => SOURCES/bind-9.5-PIE.patch (100%) rename bind.tmpfiles.d => SOURCES/bind.tmpfiles.d (100%) rename generate-rndc-key.sh => SOURCES/generate-rndc-key.sh (100%) rename isc-keyblock.asc => SOURCES/isc-keyblock.asc (100%) rename named-chroot-setup.service => SOURCES/named-chroot-setup.service (100%) rename named-chroot.files => SOURCES/named-chroot.files (100%) rename named-chroot.service => SOURCES/named-chroot.service (100%) rename named-setup-rndc.service => SOURCES/named-setup-rndc.service (100%) rename named.conf => SOURCES/named.conf (100%) rename named.conf.sample => SOURCES/named.conf.sample (100%) rename named.empty => SOURCES/named.empty (100%) rename named.localhost => SOURCES/named.localhost (100%) rename named.logrotate => SOURCES/named.logrotate (100%) rename named.loopback => SOURCES/named.loopback (100%) rename named.rfc1912.zones => SOURCES/named.rfc1912.zones (100%) rename named.root => SOURCES/named.root (100%) rename named.root.key => SOURCES/named.root.key (100%) rename named.rwtab => SOURCES/named.rwtab (100%) rename named.service => SOURCES/named.service (100%) rename named.sysconfig => SOURCES/named.sysconfig (100%) rename setup-named-chroot.sh => SOURCES/setup-named-chroot.sh (100%) rename setup-named-softhsm.sh => SOURCES/setup-named-softhsm.sh (100%) rename trusted-key.key => SOURCES/trusted-key.key (100%) rename bind9.18.spec => SPECS/bind9.18.spec (99%) delete mode 100644 bind-9.11.12.tar.gz.asc delete mode 100644 bind-9.14.7.tar.gz.asc delete mode 100644 bind97-exportlib.patch delete mode 100644 ci.fmf delete mode 100644 codesign2019.txt delete mode 100644 gating.yaml delete mode 100644 
ldap2zone.c delete mode 100755 makefile-replace-libs.py delete mode 100644 plans.fmf delete mode 100644 softhsm2.conf.in delete mode 100644 sources
diff --git a/.bind9.18.metadata b/.bind9.18.metadata
new file mode 100644
index 0000000..1dcdb67
--- /dev/null
+++ b/.bind9.18.metadata
@@ -0,0 +1 @@
+33ff5a86e56d65859358749654ea848809bd4532 SOURCES/bind-9.18.29.tar.xz
diff --git a/.fmf/version b/.fmf/version
deleted file mode 100644
index d00491f..0000000
--- a/.fmf/version
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/.gitignore b/.gitignore
index eb3cc4f..cda6a17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,232 +1 @@
-bind-9.7.1-P2.tar.gz
-config-8.tar.bz2
-bind-9.7.2b1.tar.gz
-/config-8.tar.bz2
-/bind-9.7.2rc1.tar.gz
-/bind-9.7.2.tar.gz
-/bind-9.7.2-P2.tar.gz
-/bind-9.7.2-P3.tar.gz
-/bind-9.7.3b1.tar.gz
-/bind-9.7.3rc1.tar.gz
-/bind-9.7.3.tar.gz
-/bind-9.8.0rc1.tar.gz
-/bind-9.8.0.tar.gz
-/bind-9.8.0-P1.tar.gz
-/bind-9.8.0-P2.tar.gz
-/bind-9.8.0-P4.tar.gz
-/bind-9.8.1rc1.tar.gz
-/bind-9.8.1.tar.gz
-/bind-9.9.0b1.tar.gz
-/bind-9.9.0b2.tar.gz
-/bind-9.9.0rc1.tar.gz
-/bind-9.9.0rc2.tar.gz
-/bind-9.9.0.tar.gz
-/bind-9.9.1.tar.gz
-/bind-9.9.1-P1.tar.gz
-/bind-9.9.1-P2.tar.gz
-/bind-9.9.1-P3.tar.gz
-/bind-9.9.2.tar.gz
-/bind-9.9.2-P1.tar.gz
-/config-9.tar.bz2
-/config-10.tar.bz2
-/bind-9.9.2-P2.tar.gz
-/bind-9.9.3rc1.tar.gz
-/config-11.tar.bz2
-/bind-9.9.3rc2.tar.gz
-/bind-9.9.3.tar.gz
-/bind-9.9.3-P1.tar.gz
-/bind-9.9.4b1.tar.gz
-/bind-9.9.4rc1.tar.gz
-/bind-9.9.4rc2.tar.gz
-/bind-9.9.4.tar.gz
-/config-12.tar.bz2
-/bind-9.9.5b1.tar.gz
-/bind-9.9.5rc2.tar.gz
-/bind-9.9.5.tar.gz
-/bind-9.9.5-P1.tar.gz
-/bind-9.9.6.tar.gz
-/bind-9.9.6-P1.tar.gz
-/bind-9.10.1b2.tar.gz
-/bind-9.10.1.tar.gz
-/bind-9.10.1-P1.tar.gz
-/bind-9.10.2rc1.tar.gz
-/bind-9.10.2rc2.tar.gz
-/bind-9.10.2.tar.gz
-/config-13.tar.bz2
-/config-14.tar.bz2
-/bind-9.10.2-P1.tar.gz
-/bind-9.10.2-P2.tar.gz
-/bind-9.10.2-P3.tar.gz
-/bind-9.10.3rc1.tar.gz
-/bind-9.10.3.tar.gz
-/bind-9.10.3-P2.tar.gz
-/config-15.tar.bz2
-/bind-9.10.3-P3.tar.gz
-/bind-9.10.3-P4.tar.gz
-/bind-9.10.4-P1.tar.gz
-/bind-9.10.4-P2.tar.gz
-/bind-9.10.4-P3.tar.gz
-/bind-9.10.4-P4.tar.gz
-/bind-9.11.0-P1.tar.gz
-/bind-9.11.0-P2.tar.gz
-/bind-9.11.0-P3.tar.gz
-/bind-9.11.0-P5.tar.gz
-/config-16.tar.bz2
-/bind-9.11.1-P1.tar.gz
-/bind-9.11.1-P2.tar.gz
-/bind-9.11.1-P3.tar.gz
-/bind-9.11.2b1.tar.gz
-/bind-9.11.2.tar.gz
-/config-17.tar.bz2
-/bind-9.11.2-P1.tar.gz
-/bind-9.11.3b1.tar.gz
-/bind-9.11.3.tar.gz
-/config-18.tar.bz2
-/bind-9.11.4rc1.tar.gz
-/bind-9.11.4.tar.gz
-/bind-9.11.4-P1.tar.gz
-/bind-9.11.4-P2.tar.gz
-/bind-9.11.5.tar.gz
-/bind-9.11.5-P1.tar.gz
-/config-19.tar.bz2
-/bind-9.11.5-P4.tar.gz
-/bind-9.11.6.tar.gz
-/bind-9.11.6-P1.tar.gz
-/bind-9.11.7.tar.gz
-/bind-9.11.8.tar.gz
-/bind-9.11.9.tar.gz
-/bind-9.11.10.tar.gz
-/bind-9.11.11.tar.gz
-/bind-9.11.12.tar.gz
-/bind-9.11.13.tar.gz
-/bind-9.11.13.tar.gz.asc
-/bind-9.11.14.tar.gz
-/bind-9.11.14.tar.gz.asc
-/bind-9.11.17.tar.gz
-/bind-9.11.17.tar.gz.asc
-/bind-9.11.18.tar.gz
-/bind-9.11.18.tar.gz.asc
-/bind-9.11.19.tar.gz
-/bind-9.11.19.tar.gz.asc
-/bind-9.11.20.tar.gz
-/bind-9.11.20.tar.gz.asc
-/bind-9.11.21.tar.gz
-/bind-9.11.21.tar.gz.asc
-/bind-9.11.22.tar.gz
-/bind-9.11.22.tar.gz.asc
-/bind-9.11.23.tar.gz
-/bind-9.11.23.tar.gz.asc
-/bind-9.11.24.tar.gz
-/bind-9.11.24.tar.gz.asc
-/bind-9.11.25.tar.gz
-/bind-9.11.25.tar.gz.asc
-/bind-9.11.26.tar.gz
-/bind-9.11.26.tar.gz.asc
-/bind-9.16.1.tar.xz
-/bind-9.16.1.tar.xz.asc
-/bind-9.16.2.tar.xz
-/bind-9.16.2.tar.xz.asc
-/bind-9.16.4.tar.xz
-/bind-9.16.4.tar.xz.asc
-/bind-9.16.5.tar.xz
-/bind-9.16.5.tar.xz.asc
-/bind-9.16.6.tar.xz
-/bind-9.16.6.tar.xz.asc
-/bind-9.16.7.tar.xz
-/bind-9.16.7.tar.xz.asc
-/bind-9.16.8.tar.xz
-/bind-9.16.8.tar.xz.asc
-/bind-9.16.9.tar.xz
-/bind-9.16.9.tar.xz.asc
-/bind-9.16.10.tar.xz
-/bind-9.16.10.tar.xz.asc
-/bind-9.16.11.tar.xz
-/bind-9.16.11.tar.xz.asc
-/bind-9.16.13.tar.xz
-/bind-9.16.13.tar.xz.asc
-/bind-9.16.15.tar.xz
-/bind-9.16.15.tar.xz.asc
-/bind-9.16.16.tar.xz
-/bind-9.16.16.tar.xz.asc
-/bind-9.16.17.tar.xz
-/bind-9.16.17.tar.xz.asc
-/bind-9.16.18.tar.xz
-/bind-9.16.18.tar.xz.asc
-/bind-9.16.19.tar.xz
-/bind-9.16.19.tar.xz.asc
-/bind-9.16.20.tar.xz
-/bind-9.16.20.tar.xz.asc
-/bind-9.16.21.tar.xz
-/bind-9.16.21.tar.xz.asc
-/bind-9.16.22.tar.xz
-/bind-9.16.22.tar.xz.asc
-/bind-9.16.23.tar.xz
-/bind-9.16.23.tar.xz.asc
-/bind-9.16.24.tar.xz
-/bind-9.16.24.tar.xz.asc
-/bind-9.16.25.tar.xz
-/bind-9.16.25.tar.xz.asc
-/bind-9.16.26.tar.xz
-/bind-9.16.26.tar.xz.asc
-/bind-9.16.27.tar.xz
-/bind-9.16.27.tar.xz.asc
-/bind-9.16.28.tar.xz
-/bind-9.16.28.tar.xz.asc
-/bind-9.16.29.tar.xz
-/bind-9.16.29.tar.xz.asc
-/bind-9.16.30.tar.xz
-/bind-9.16.30.tar.xz.asc
-/bind-9.18.0.tar.xz
-/bind-9.18.0.tar.xz.asc
-/bind-9.18.1.tar.xz
-/bind-9.18.1.tar.xz.asc
-/bind-9.18.2.tar.xz
-/bind-9.18.2.tar.xz.asc
-/bind-9.18.3.tar.xz
-/bind-9.18.3.tar.xz.asc
-/bind-9.18.4.tar.xz
-/bind-9.18.4.tar.xz.asc
-/bind-9.18.5.tar.xz
-/bind-9.18.5.tar.xz.asc
-/bind-9.18.6.tar.xz
-/bind-9.18.6.tar.xz.asc
-/bind-9.18.7.tar.xz
-/bind-9.18.7.tar.xz.asc
-/bind-9.18.8.tar.xz
-/bind-9.18.8.tar.xz.asc
-/bind-9.18.9.tar.xz
-/bind-9.18.9.tar.xz.asc
-/bind-9.18.10.tar.xz
-/bind-9.18.10.tar.xz.asc
-/bind-9.18.11.tar.xz
-/bind-9.18.11.tar.xz.asc
-/bind-9.18.12.tar.xz
-/bind-9.18.12.tar.xz.asc
-/bind-9.18.13.tar.xz
-/bind-9.18.13.tar.xz.asc
-/bind-9.18.14.tar.xz
-/bind-9.18.14.tar.xz.asc
-/bind-9.18.15.tar.xz
-/bind-9.18.15.tar.xz.asc
-/bind-9.18.16.tar.xz
-/bind-9.18.16.tar.xz.asc
-/bind-9.18.17.tar.xz
-/bind-9.18.17.tar.xz.asc
-/bind-9.18.18.tar.xz
-/bind-9.18.18.tar.xz.asc
-/bind-9.18.19.tar.xz
-/bind-9.18.19.tar.xz.asc
-/bind-9.18.20.tar.xz
-/bind-9.18.20.tar.xz.asc
-/bind-9.18.21.tar.xz
-/bind-9.18.21.tar.xz.asc
-/bind-9.18.24.tar.xz
-/bind-9.18.24.tar.xz.asc
-/bind-9.18.26.tar.xz
-/bind-9.18.26.tar.xz.asc
-/bind-9.18.27.tar.xz
-/bind-9.18.27.tar.xz.asc
-/bind-9.18.28.tar.xz
-/bind-9.18.28.tar.xz.asc
-/bind-9.18.29.tar.xz
-/bind-9.18.29.tar.xz.asc
+SOURCES/bind-9.18.29.tar.xz
diff --git a/Changes.md b/Changes.md
deleted file mode 100644
index 6661034..0000000
--- a/Changes.md
+++ /dev/null
@@ -1,43 +0,0 @@ -# Significant Changes in BIND9 package - -## BIND 9.16 - -### New features - -- *libuv* is used for network subsystem as a mandatory dependency -- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy - ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP))) -- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors* -- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format -- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output - -### Feature changes - -- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together. -- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default -- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default). - Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed. -- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them - -### Features removed - -- *dnssec-enable* option is obsolete, DNSSEC support is always enabled -- *dnssec-lookaside* option is deprecated and support for it removed from all tools -- *cleaning-interval* option is removed - -### Upstream release notes - -- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10) -- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0) - -## BIND 9.14 - -- single thread support removed. Cannot provide *bind-export-libs* for DHCP -- *lwres* support completely removed. 
Both daemon and library -- common parts of daemon moved into *libns* shared library -- introduced plugin for filtering aaaa responses -- some SDB utilities no longer supported - -### Upstream release notes - -- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html) diff --git a/README.md b/README.md deleted file mode 100644 index 42aad62..0000000 --- a/README.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# BIND 9 - -[BIND (Berkeley Internet Name Domain)](https://www.isc.org/downloads/bind/doc/) is a complete, highly portable -implementation of the DNS (Domain Name System) protocol. - -Internet Systems Consortium -([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit -corporation dedicated to providing software and services in support of the -Internet infrastructure, developed BIND 9 and is responsible for its -ongoing maintenance and improvement. - -More details about upstream project can be found on their -[gitlab](https://gitlab.isc.org/isc-projects/bind9). This repository contains -only upstream sources and packaging instructions for -[Fedora Project](https://fedoraproject.org). - -## Subpackages - -The package contains several subpackages, some of them can be disabled on rebuild. - -* **bind** -- *named* daemon providing DNS server -* **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host) -* **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*. -* **bind-license** -- Shared license for all packages but bind-export-libs. -* **bind-libs** -- Shared libraries used by some others programs -* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL` - - -## Optional features - -* *GSSTSIG* -- Support for Kerberos authentication in BIND. -* *LMDB* -- Support for dynamic database for managing runtime added zones. Provides faster removal of added zone with much less overhead. But requires lmdb linked to base libs. -* *DLZ* -- Support for dynamic loaded modules providing support for features *bind-sdb* provides, but only small module is required. diff --git a/bind-9.16-redhat_doc.patch b/SOURCES/bind-9.16-redhat_doc.patch similarity index 100% rename from bind-9.16-redhat_doc.patch rename to SOURCES/bind-9.16-redhat_doc.patch 
diff --git a/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
new file mode 100644
index 0000000..2e7d40f
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch
@@ -0,0 +1,68 @@
+From f069fc156a1b0c756c240f2e5354a9fe6aa0386d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Tue, 7 Jan 2025 15:22:40 +0100
+Subject: [PATCH 1/3] Isolate using the -T noaa flag only for part of the
+ resolver test
+
+Instead of running the whole resolver/ns4 server with -T noaa flag,
+use it only for the part where it is actually needed. The -T noaa
+could interfere with other parts of the test because the answers don't
+have the authoritative-answer bit set, and we could have false
+positives (or false negatives) in the test because the authoritative
+server doesn't follow the DNS protocol for all the tests in the resolver
+system test.
+
+(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
+---
+ bin/tests/system/resolver/ns4/named.noaa | 12 ------------
+ bin/tests/system/resolver/tests.sh | 8 ++++++++
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+ delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index be78cc2..0000000
+--- a/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,12 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-SPDX-License-Identifier: MPL-2.0
+-
+-This Source Code Form is subject to the terms of the Mozilla Public
+-License, v. 2.0. If a copy of the MPL was not distributed with this
+-file, you can obtain one at https://mozilla.org/MPL/2.0/.
+-
+-See the COPYRIGHT file distributed with this work for additional
+-information regarding copyright ownership.
+-
+-Add -T noaa.
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index d74b1be..f4831ca 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -322,6 +322,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
++stop_server ns4
++touch ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=$((n + 1))
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -358,6 +362,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+
++stop_server ns4
++rm ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=$((n + 1))
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+--
+2.43.5
+
diff --git a/SOURCES/bind-9.18-CVE-2024-11187.patch b/SOURCES/bind-9.18-CVE-2024-11187.patch
new file mode 100644
index 0000000..f10036a
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-11187.patch
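Review bot: In both restart blocks added to tests.sh, `start_server --noclean --restart --port ${PORT} ns4 || ret=1` sets `ret` after `status=$((status + ret))` has already run and just before the next check resets it with `ret=0`, so a failed restart of ns4 is never counted. The checks that follow would then run against a server in the wrong mode, or no server at all, and fail for an unrelated-looking reason or pass when they should not. Folding the failure straight into the status, e.g. `start_server --noclean --restart --port ${PORT} ns4 || status=$((status + 1))`, keeps it visible. The result of `stop_server ns4` is ignored in the same way. Both blocks sit between checks whose remaining lines are outside the hunks.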
@@ -0,0 +1,228 @@
+From 68827f64106fdcb5cc33444bf8927b18c5f9029f Mon Sep 17 00:00:00 2001
+From: Alex Burmashev
+Date: Thu, 20 Feb 2025 12:14:08 +0000
+Subject: [PATCH 2/3] Limit the additional processing for large RDATA sets
+
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA. This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+
+(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
+Modified-by: Alex Burmashev
+Signed-off-by: Alex Burmashev
+---
+ bin/tests/system/additional/tests.sh | 2 +-
+ lib/dns/include/dns/rdataset.h | 10 +++++++++-
+ lib/dns/rbtdb.c | 2 +-
+ lib/dns/rdataset.c | 7 ++++++-
+ lib/dns/resolver.c | 19 ++++++++++++-------
+ lib/ns/query.c | 12 ++++++++----
+ 6 files changed, 37 insertions(+), 15 deletions(-)
+
+diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
+index 193c9f9..e1b0cfb 100644
+--- a/bin/tests/system/additional/tests.sh
++++ b/bin/tests/system/additional/tests.sh
+@@ -279,7 +279,7 @@ n=$((n + 1))
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
++grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
+ if [ $ret -eq 1 ]; then
+ echo_i "failed"
+ status=$((status + 1))
+diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
+index f63591c..b28686a 100644
+--- a/lib/dns/include/dns/rdataset.h
++++ b/lib/dns/include/dns/rdataset.h
+@@ -54,6 +54,8 @@
+ #include
+ #include
+
++#define DNS_RDATASET_MAXADDITIONAL 13
++
+ ISC_LANG_BEGINDECLS
+
+ typedef enum {
+@@ -453,7 +455,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ const dns_name_t *owner_name,
+- dns_additionaldatafunc_t add, void *arg);
++ dns_additionaldatafunc_t add, void *arg,
++ size_t limit);
+ /*%<
+ * For each rdata in rdataset, call 'add' for each name and type in the
+ * rdata which is subject to additional section processing.
+@@ -472,10 +475,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ *\li If a call to dns_rdata_additionaldata() is not successful, the
+ * result returned will be the result of dns_rdataset_additionaldata().
+ *
++ *\li If 'limit' is non-zero and the number of the rdatasets is larger
++ * than 'limit', no additional data will be processed.
++ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS
+ *
++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
++ *
+ *\li Any error that dns_rdata_additionaldata() can return.
+ */
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 5c2f0b2..c4db047 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -10317,7 +10317,7 @@ no_glue:
+ idx = hash_32(hash, rbtversion->glue_table_bits);
+
+ (void)dns_rdataset_additionaldata(rdataset, dns_rootname,
+- glue_nsdname_cb, &ctx);
++ glue_nsdname_cb, &ctx, 0);
+
+ cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur));
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index 4d48203..0b450a9 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -577,7 +577,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ const dns_name_t *owner_name,
+- dns_additionaldatafunc_t add, void *arg) {
++ dns_additionaldatafunc_t add, void *arg,
++ size_t limit) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+
+@@ -589,6 +590,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
++ return DNS_R_TOOMANYRECORDS;
++ }
++
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index f8f53d2..bb0bfa1 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8904,7 +8904,7 @@ rctx_answer_any(respctx_t *rctx) {
+ rdataset->trust = rctx->trust;
+
+ (void)dns_rdataset_additionaldata(rdataset, rctx->aname,
+- check_related, rctx);
++ check_related, rctx, 0);
+ }
+
+ return (ISC_R_SUCCESS);
+@@ -8952,7 +8952,7 @@ rctx_answer_match(respctx_t *rctx) {
+ rctx->ardataset->attributes |= DNS_RDATASETATTR_CACHE;
+ rctx->ardataset->trust = rctx->trust;
+ (void)dns_rdataset_additionaldata(rctx->ardataset, rctx->aname,
+- check_related, rctx);
++ check_related, rctx, 0);
+
+ for (sigrdataset = ISC_LIST_HEAD(rctx->aname->list);
+ sigrdataset != NULL;
+@@ -9159,7 +9159,7 @@ rctx_authority_positive(respctx_t *rctx) {
+ */
+ (void)dns_rdataset_additionaldata(
+ rdataset, name, check_related,
+- rctx);
++ rctx, 0);
+ done = true;
+ }
+ }
+@@ -9666,8 +9666,12 @@ rctx_referral(respctx_t *rctx) {
+ */
+ INSIST(rctx->ns_rdataset != NULL);
+ FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
++
++ /*
++ * Mark the glue records in the additional section to be cached.
++ */
+ (void)dns_rdataset_additionaldata(rctx->ns_rdataset, rctx->ns_name,
+- check_related, rctx);
++ check_related, rctx, 0);
+ #if CHECK_FOR_GLUE_IN_ANSWER
+ /*
+ * Look in the answer section for "glue" that is incorrectly
+@@ -9679,8 +9683,9 @@ rctx_referral(respctx_t *rctx) {
+ if (rctx->glue_in_answer &&
+ (fctx->type == dns_rdatatype_aaaa || fctx->type == dns_rdatatype_a))
+ {
+- (void)dns_rdataset_additionaldata(
+- rctx->ns_rdataset, rctx->ns_name, check_answer, fctx);
++ (void)dns_rdataset_additionaldata(rctx->ns_rdataset,
++ rctx->ns_name, check_answer,
++ fctx, 0);
+ }
+ #endif /* if CHECK_FOR_GLUE_IN_ANSWER */
+ FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
+@@ -9782,7 +9787,7 @@ again:
+ if (CHASE(rdataset)) {
+ rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+ (void)dns_rdataset_additionaldata(
+- rdataset, name, check_related, rctx);
++ rdataset, name, check_related, rctx, 0);
+ rescan = true;
+ }
+ }
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 5549e20..ded1eae 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -2094,7 +2094,8 @@ addname:
+ if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
+ if (client->additionaldepth++ < client->view->max_restarts) {
+ eresult = dns_rdataset_additionaldata(
+- trdataset, fname, query_additional_cb, qctx);
++ trdataset, fname, query_additional_cb, qctx,
++ DNS_RDATASET_MAXADDITIONAL);
+ }
+ client->additionaldepth--;
+ }
+@@ -2194,7 +2195,7 @@ regular:
+ * We don't care if dns_rdataset_additionaldata() fails.
+ */
+ (void)dns_rdataset_additionaldata(rdataset, name, query_additional_cb,
+- qctx);
++ qctx, DNS_RDATASET_MAXADDITIONAL);
+ CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+
+@@ -2220,7 +2221,8 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ * To the current response for 'client', add the answer RRset
+ * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+ * owner name '*namep', to section 'section', unless they are
+- * already there. Also add any pertinent additional data.
++ * already there. Also add any pertinent additional data, unless
++ * the query was for type ANY.
+ *
+ * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+ * stored in 'dbuf'. In this case, query_addrrset() guarantees that
+@@ -2275,7 +2277,9 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ */
+ query_addtoname(mname, rdataset);
+ query_setorder(qctx, mname, rdataset);
+- query_additional(qctx, mname, rdataset);
++ if (qctx->qtype != dns_rdatatype_any) {
++ query_additional(qctx, mname, rdataset);
++ }
+
+ /*
+ * Note: we only add SIGs if we've added the type they cover, so
+--
+2.43.5
+
diff --git a/SOURCES/bind-9.18-CVE-2024-12705.patch b/SOURCES/bind-9.18-CVE-2024-12705.patch
new file mode 100644
index 0000000..231d7ee
--- /dev/null
+++ b/SOURCES/bind-9.18-CVE-2024-12705.patch
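Review bot: At the `addname:` call in lib/ns/query.c the result of the now-limited `dns_rdataset_additionaldata()` is kept in `eresult`, while every other call site casts it to `(void)`, so `DNS_R_TOOMANYRECORDS` can leave that callback as an error. The rest of the function is outside the hunk, but if `eresult` is returned to the caller's rdata loop, one over-limit nested rdataset would presumably end additional processing for the remaining records of the parent set too; worth confirming that is intended, or mapping it back with `if (eresult == DNS_R_TOOMANYRECORDS) eresult = ISC_R_SUCCESS;`. The new header text says the limit applies to "the number of the rdatasets", whereas the check is `dns_rdataset_count(rdataset) > limit`, i.e. records within one rdataset; `If 'limit' is non-zero and the rdataset holds more than 'limit' records, no additional data will be processed.` would match the code. `DNS_RDATASET_MAXADDITIONAL 13` has no comment saying what it bounds, and the resolver and rbtdb call sites pass a bare `0` with nothing noting that it means "no limit". The patch is tagged `Modified-by` on top of a cherry-pick, but the message does not say what differs from the upstream commit, which makes the backport harder to audit.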
@@ -0,0 +1,1299 @@
+From 21404824fb0cf16230302d6dcd7dca817b5e0cfe Mon Sep 17 00:00:00 2001
+From: Alex Burmashev
+Date: Thu, 20 Feb 2025 12:25:26 +0000
+Subject: [PATCH 3/3] Implement TCP manual read timer control functionality
+
+This commit adds a manual TCP read timer control mode which is
+supposed to override automatic resetting of the timer when any data is
+received. That can be accomplished by
+`isc__nmhandle_set_manual_timer()`.
+
+This functionality is supposed to be used by multilevel networking
+transports which require finer grained control over the read
+timer (TLS Stream, DoH).
+
+The commit is essentially an implementation of the functionality from
+newer versions of BIND.
+
+Modified-by: Alex Burmashev
+Signed-off-by: Alex Burmashev
+---
+ lib/isc/netmgr/http.c | 448 +++++++++++++++++++++++++++++++++---
+ lib/isc/netmgr/netmgr-int.h | 81 ++++++-
+ lib/isc/netmgr/netmgr.c | 78 +++++++
+ lib/isc/netmgr/tcp.c | 26 ++-
+ lib/isc/netmgr/tlsstream.c | 137 +++++++++--
+ 5 files changed, 720 insertions(+), 50 deletions(-)
+
+diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
+index 1d4b82f..2002848 100644
+--- a/lib/isc/netmgr/http.c
++++ b/lib/isc/netmgr/http.c
+@@ -85,6 +85,37 @@
+
+ #define INITIAL_DNS_MESSAGE_BUFFER_SIZE (512)
+
++/*
++ * The value should be small enough to not allow a server to open too
++ * many streams at once. It should not be too small either because
++ * the incoming data will be split into too many chunks with each of
++ * them processed asynchronously.
++ */
++#define INCOMING_DATA_CHUNK_SIZE (256)
++
++/*
++ * Often processing a chunk does not change the number of streams. In
++ * that case we can process more than once, but we still should have a
++ * hard limit on that.
++ */
++#define INCOMING_DATA_MAX_CHUNKS_AT_ONCE (4)
++
++/*
++ * These constants define the grace period to help detect flooding clients.
++ *
++ * The first one defines how much data can be processed before opening
++ * a first stream and received at least some useful (=DNS) data.
++ *
++ * The second one defines how much data from a client we read before
++ * trying to drop a clients who sends not enough useful data.
++ *
++ * The third constant defines how many streams we agree to process
++ * before checking if there was at least one DNS request received.
++ */
++#define INCOMING_DATA_INITIAL_STREAM_SIZE (1536)
++#define INCOMING_DATA_GRACE_SIZE (MAX_ALLOWED_DATA_IN_HEADERS)
++#define MAX_STREAMS_BEFORE_FIRST_REQUEST (50)
++
+ typedef struct isc_nm_http_response_status {
+ size_t code;
+ size_t content_length;
+@@ -143,6 +174,7 @@ struct isc_nm_http_session {
+ ISC_LIST(http_cstream_t) cstreams;
+ ISC_LIST(isc_nmsocket_h2_t) sstreams;
+ size_t nsstreams;
++ uint64_t total_opened_sstreams;
+
+ isc_nmhandle_t *handle;
+ isc_nmhandle_t *client_httphandle;
+@@ -155,6 +187,18 @@ struct isc_nm_http_session {
+
+ isc__nm_http_pending_callbacks_t pending_write_callbacks;
+ isc_buffer_t *pending_write_data;
++
++ /*
++ * The statistical values below are for usage on server-side
++ * only. They are meant to detect clients that are taking too many
++ * resources from the server.
++ */
++ uint64_t received; /* How many requests have been received. */
++ uint64_t submitted; /* How many responses were submitted to send */
++ uint64_t processed; /* How many responses were processed. */
++
++ uint64_t processed_incoming_data;
++ uint64_t processed_useful_data; /* DNS data */
+ };
+
+ typedef enum isc_http_error_responses {
+@@ -177,6 +221,7 @@ typedef struct isc_http_send_req {
+ void *cbarg;
+ isc_buffer_t *pending_write_data;
+ isc__nm_http_pending_callbacks_t pending_write_callbacks;
++ uint64_t submitted;
+ } isc_http_send_req_t;
+
+ #define HTTP_ENDPOINTS_MAGIC ISC_MAGIC('H', 'T', 'E', 'P')
+@@ -189,10 +234,26 @@ static bool
+ http_send_outgoing(isc_nm_http_session_t *session, isc_nmhandle_t *httphandle,
+ isc_nm_cb_t cb, void *cbarg);
+
++static void
++http_log_flooding_peer(isc_nm_http_session_t *session);
++
++static bool
++http_is_flooding_peer(isc_nm_http_session_t *session);
++
++static ssize_t
++http_process_input_data(isc_nm_http_session_t *session,
++ isc_buffer_t *input_data);
++
++static inline bool
++http_too_many_active_streams(isc_nm_http_session_t *session);
++
+ static void
+ http_do_bio(isc_nm_http_session_t *session, isc_nmhandle_t *send_httphandle,
+ isc_nm_cb_t send_cb, void *send_cbarg);
+
++static void
++http_do_bio_async(isc_nm_http_session_t *session);
++
+ static void
+ failed_httpstream_read_cb(isc_nmsocket_t *sock, isc_result_t result,
+ isc_nm_http_session_t *session);
+@@ -494,6 +555,16 @@ finish_http_session(isc_nm_http_session_t *session) {
+ if (!session->closed) {
+ session->closed = true;
+ isc_nm_cancelread(session->handle);
++ isc__nmsocket_timer_stop(session->handle->sock);
++ }
++
++ /*
++ * Free any unprocessed incoming data in order to not process
++ * it during indirect calls to http_do_bio() that might happen
++ * when calling the failed callbacks.
++ */
++ if (session->buf != NULL) {
++ isc_buffer_free(&session->buf);
+ }
+
+ if (session->client) {
+@@ -567,6 +638,7 @@ on_server_data_chunk_recv_callback(int32_t stream_id, const uint8_t *data,
+ if (new_bufsize <= MAX_DNS_MESSAGE_SIZE &&
+ new_bufsize <= h2->content_length)
+ {
++ session->processed_useful_data += len;
+ isc_buffer_putmem(&h2->rbuf, data, len);
+ break;
+ }
+@@ -615,6 +687,9 @@ call_unlink_cstream_readcb(http_cstream_t *cstream,
+ isc_buffer_usedregion(cstream->rbuf, &read_data);
+ cstream->read_cb(session->client_httphandle, result, &read_data,
+ cstream->read_cbarg);
++ if (result == ISC_R_SUCCESS) {
++ isc__nmsocket_timer_restart(session->handle->sock);
++ }
+ put_http_cstream(session->mctx, cstream);
+ }
+
+@@ -656,6 +731,9 @@ on_server_stream_close_callback(int32_t stream_id,
+
+ ISC_LIST_UNLINK(session->sstreams, &sock->h2, link);
+ session->nsstreams--;
++ if (sock->h2.request_received) {
++ session->submitted++;
++ }
+
+ /*
+ * By making a call to isc__nmsocket_prep_destroy(), we ensure that
+@@ -967,6 +1045,182 @@ client_submit_request(isc_nm_http_session_t *session, http_cstream_t *stream) {
+ return (ISC_R_SUCCESS);
+ }
+
++static ssize_t
++http_process_input_data(isc_nm_http_session_t *session,
++ isc_buffer_t *input_data) {
++ ssize_t readlen = 0;
++ ssize_t processed = 0;
++ isc_region_t chunk = { 0 };
++ size_t before, after;
++ size_t i;
++
++ REQUIRE(VALID_HTTP2_SESSION(session));
++ REQUIRE(input_data != NULL);
++
++ if (!http_session_active(session)) {
++ return 0;
++ }
++
++ /*
++ * For clients that initiate request themselves just process
++ * everything.
++ */
++ if (session->client) {
++ isc_buffer_remainingregion(input_data, &chunk);
++ if (chunk.length == 0) {
++ return 0;
++ }
++
++ readlen = nghttp2_session_mem_recv(session->ngsession,
++ chunk.base, chunk.length);
++
++ if (readlen >= 0) {
++ isc_buffer_forward(input_data, readlen);
++ session->processed_incoming_data += readlen;
++ }
++
++ return readlen;
++ }
++
++ /*
++ * If no streams are created during processing, we might process
++ * more than one chunk at a time. Still we should not overdo that
++ * to avoid processing too much data at once as such behaviour is
++ * known for trashing the memory allocator at times.
++ */
++ for (before = after = session->nsstreams, i = 0;
++ after <= before && i < INCOMING_DATA_MAX_CHUNKS_AT_ONCE;
++ after = session->nsstreams, i++)
++ {
++ const uint64_t active_streams =
++ (session->received - session->processed);
++
++ /*
++ * If there are non completed send requests in flight -let's
++ * not process any incoming data, as it could lead to piling
++ * up too much send data in send buffers. With many clients
++ * connected it can lead to excessive memory consumption on
++ * the server instance.
++ */
++ if (session->sending > 0) {
++ break;
++ }
++
++ /*
++ * If we have reached the maximum number of streams used, we
++ * might stop processing for now, as nghttp2 will happily
++ * consume as much data as possible.
++ */
++ if (session->nsstreams >= session->max_concurrent_streams &&
++ active_streams > 0)
++ {
++ break;
++ }
++
++ if (http_too_many_active_streams(session)) {
++ break;
++ }
++
++ isc_buffer_remainingregion(input_data, &chunk);
++ if (chunk.length == 0) {
++ break;
++ }
++
++ chunk.length = ISC_MIN(chunk.length, INCOMING_DATA_CHUNK_SIZE);
++
++ readlen = nghttp2_session_mem_recv(session->ngsession,
++ chunk.base, chunk.length);
++
++ if (readlen >= 0) {
++ isc_buffer_forward(input_data, readlen);
++ session->processed_incoming_data += readlen;
++ processed += readlen;
++ } else {
++ isc_buffer_clear(input_data);
++ return readlen;
++ }
++ }
++
++ return processed;
++}
++
++static void
++http_log_flooding_peer(isc_nm_http_session_t *session) {
++ const int log_level = ISC_LOG_DEBUG(1);
++ if (session->handle != NULL && isc_log_wouldlog(isc_lctx, log_level)) {
++ char client_sabuf[ISC_SOCKADDR_FORMATSIZE];
++ char local_sabuf[ISC_SOCKADDR_FORMATSIZE];
++
++ isc_sockaddr_format(&session->handle->sock->peer, client_sabuf,
++ sizeof(client_sabuf));
++ isc_sockaddr_format(&session->handle->sock->iface, local_sabuf,
++ sizeof(local_sabuf));
++ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
++ ISC_LOGMODULE_NETMGR, log_level,
++ "Dropping a flooding HTTP/2 peer "
++ "%s (on %s) - processed: %" PRIu64
++ " bytes, of them useful: %" PRIu64 "",
++ client_sabuf, local_sabuf,
++ session->processed_incoming_data,
++ session->processed_useful_data);
++ }
++}
++
++static bool
++http_is_flooding_peer(isc_nm_http_session_t *session) {
++ if (session->client) {
++ return false;
++ }
++
++ /*
++ * A flooding client can try to open a lot of streams before
++ * submitting a request. Let's drop such clients.
++ */
++ if (session->received == 0 &&
++ session->total_opened_sstreams > MAX_STREAMS_BEFORE_FIRST_REQUEST)
++ {
++ return true;
++ }
++
++ /*
++ * We have processed enough data to open at least one stream and
++ * get some useful data.
++ */
++ if (session->processed_incoming_data >
++ INCOMING_DATA_INITIAL_STREAM_SIZE &&
++ (session->total_opened_sstreams == 0 ||
++ session->processed_useful_data == 0))
++ {
++ return true;
++ }
++
++ if (session->processed_incoming_data < INCOMING_DATA_GRACE_SIZE) {
++ return false;
++ }
++
++ /*
++ * The overhead of DoH per DNS message can be minimum 160-180
++ * bytes. We should allow more for extra information that can be
++ * included in headers, so let's use 256 bytes. Minimum DNS
++ * message size is 12 bytes. So, (256+12)/12=22. Even that can be
++ * too restricting for some edge cases, but should be good enough
++ * for any practical purposes. Not to mention that HTTP/2 may
++ * include legitimate data that is completely useless for DNS
++ * purposes...
++ *
++ * Anyway, at that point we should have processed enough requests
++ * for such clients (if any).
++ */
++ if (session->processed_useful_data == 0 ||
++ (session->processed_incoming_data /
++ session->processed_useful_data) > 22)
++ {
++ return true;
++ }
++
++ return false;
++}
++
+ /*
+ * Read callback from TLS socket.
+ */ +@@ -976,6 +1230,7 @@ http_readcb(isc_nmhandle_t *handle, isc_result_t result, isc_region_t *region, + isc_nm_http_session_t *session = (isc_nm_http_session_t *)data; + isc_nm_http_session_t *tmpsess = NULL; + ssize_t readlen; ++ isc_buffer_t input; + + REQUIRE(VALID_HTTP2_SESSION(session)); + +@@ -994,11 +1249,17 @@ http_readcb(isc_nmhandle_t *handle, isc_result_t result, isc_region_t *region, + goto done; + } + +- readlen = nghttp2_session_mem_recv(session->ngsession, region->base, +- region->length); ++ isc_buffer_init(&input, region->base, region->length); ++ isc_buffer_add(&input, region->length); ++ ++ readlen = http_process_input_data(session, &input); + if (readlen < 0) { + failed_read_cb(ISC_R_UNEXPECTED, session); + goto done; ++ } else if (http_is_flooding_peer(session)) { ++ http_log_flooding_peer(session); ++ failed_read_cb(ISC_R_RANGE, session); ++ goto done; + } + + if ((size_t)readlen < region->length) { +@@ -1011,11 +1272,12 @@ http_readcb(isc_nmhandle_t *handle, isc_result_t result, isc_region_t *region, + isc_buffer_putmem(session->buf, region->base + readlen, + unread_size); + isc_nm_pauseread(session->handle); ++ http_do_bio_async(session); ++ } else { ++ /* We might have something to receive or send, do IO */ ++ http_do_bio(session, NULL, NULL, NULL); + } + +- /* We might have something to receive or send, do IO */ +- http_do_bio(session, NULL, NULL, NULL); +- + done: + isc__nm_httpsession_detach(&tmpsess); + } +@@ -1053,14 +1315,18 @@ http_writecb(isc_nmhandle_t *handle, isc_result_t result, void *arg) { + } + + isc_buffer_free(&req->pending_write_data); ++ session->processed += req->submitted; + isc_mem_put(session->mctx, req, sizeof(*req)); + + session->sending--; +- http_do_bio(session, NULL, NULL, NULL); +- isc_nmhandle_detach(&transphandle); +- if (result != ISC_R_SUCCESS && session->sending == 0) { ++ ++ if (result == ISC_R_SUCCESS) { ++ http_do_bio(session, NULL, NULL, NULL); ++ } else { + finish_http_session(session); + } ++ 
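Review bot: `http_log_flooding_peer()` records the drop only at `ISC_LOG_DEBUG(1)`, so with default logging an operator gets no signal that `http_is_flooding_peer()` is disconnecting peers, including legitimate clients that happen to exceed the ratio test. If the debug level is deliberate, so that a remote peer cannot drive log volume, say so above `log_level`, e.g. `/* Debug level on purpose: this path is peer-triggered and must not become a way to flood the logs. */`. A counter would then give monitoring something to alert on. The bare `22` in the last test would also read better as a named constant next to `INCOMING_DATA_GRACE_SIZE`, since the comment already derives it from (256+12)/12.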
isc_nmhandle_detach(&transphandle); ++ + isc__nm_httpsession_detach(&session); + } + +@@ -1206,7 +1472,9 @@ http_send_outgoing(isc_nm_http_session_t *session, isc_nmhandle_t *httphandle, + *send = (isc_http_send_req_t){ .pending_write_data = + session->pending_write_data, + .cb = cb, +- .cbarg = cbarg }; ++ .cbarg = cbarg, ++ .submitted = session->submitted }; ++ session->submitted = 0; + session->pending_write_data = NULL; + move_pending_send_callbacks(session, send); + +@@ -1227,6 +1495,27 @@ nothing_to_send: + return (false); + } + ++static inline bool ++http_too_many_active_streams(isc_nm_http_session_t *session) { ++ const uint64_t active_streams = session->received - session->processed; ++ const uint64_t max_active_streams = ISC_MIN( ++ STREAM_CLIENTS_PER_CONN, session->max_concurrent_streams); ++ ++ if (session->client) { ++ return false; ++ } ++ ++ /* ++ * Do not process incoming data if there are too many active DNS ++ * clients (streams) per connection. ++ */ ++ if (active_streams >= max_active_streams) { ++ return true; ++ } ++ ++ return false; ++} ++ + static void + http_do_bio(isc_nm_http_session_t *session, isc_nmhandle_t *send_httphandle, + isc_nm_cb_t send_cb, void *send_cbarg) { +@@ -1242,59 +1531,140 @@ http_do_bio(isc_nm_http_session_t *session, isc_nmhandle_t *send_httphandle, + finish_http_session(session); + } + return; +- } else if (nghttp2_session_want_read(session->ngsession) == 0 && +- nghttp2_session_want_write(session->ngsession) == 0 && +- session->pending_write_data == NULL) +- { +- session->closing = true; ++ } ++ ++ if (send_cb != NULL) { ++ INSIST(VALID_NMHANDLE(send_httphandle)); ++ (void)http_send_outgoing(session, send_httphandle, send_cb, ++ send_cbarg); ++ return; ++ } ++ ++ INSIST(send_httphandle == NULL); ++ INSIST(send_cb == NULL); ++ INSIST(send_cbarg == NULL); ++ ++ if (session->pending_write_data != NULL && session->sending == 0) { ++ (void)http_send_outgoing(session, NULL, NULL, NULL); + return; + } + + if 
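Review bot: `http_too_many_active_streams()` subtracts `session->processed` from `session->received` on `uint64_t` without saying why `processed` can never be the larger value. If it ever were, the difference would wrap and the function would keep returning true, stalling input for that session. The invariant appears to come from other hunks of this patch: `server_call_cb()` increments `received`, `on_server_stream_close_callback()` counts `submitted` only when `request_received` is set, and `http_writecb()` credits `req->submitted` to `processed`. A comment above the subtraction would make that checkable, e.g. `/* received >= processed: a stream is credited to 'processed' only after it was counted in 'received' */`. The same expression is repeated inside the loop of `http_process_input_data()`, so a shared helper would keep the two in step.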
(nghttp2_session_want_read(session->ngsession) != 0) { + if (!session->reading) { + /* We have not yet started reading from this handle */ ++ isc__nmsocket_timer_start(session->handle->sock); + isc_nm_read(session->handle, http_readcb, session); + session->reading = true; + } else if (session->buf != NULL) { + size_t remaining = + isc_buffer_remaininglength(session->buf); + /* Leftover data in the buffer, use it */ +- size_t readlen = nghttp2_session_mem_recv( +- session->ngsession, +- isc_buffer_current(session->buf), remaining); ++ size_t remaining_after = 0; ++ ssize_t readlen = 0; ++ isc_nm_http_session_t *tmpsess = NULL; + +- if (readlen == remaining) { ++ /* ++ * Let's ensure that HTTP/2 session and its associated ++ * data will not go "out of scope" too early. ++ */ ++ isc__nm_httpsession_attach(session, &tmpsess); ++ ++ readlen = http_process_input_data(session, ++ session->buf); ++ ++ remaining_after = ++ isc_buffer_remaininglength(session->buf); ++ ++ if (readlen < 0) { ++ failed_read_cb(ISC_R_UNEXPECTED, session); ++ } else if (http_is_flooding_peer(session)) { ++ http_log_flooding_peer(session); ++ failed_read_cb(ISC_R_RANGE, session); ++ } else if ((size_t)readlen == remaining) { + isc_buffer_free(&session->buf); ++ http_do_bio(session, NULL, NULL, NULL); ++ } else if (remaining_after > 0 && ++ remaining_after < remaining) ++ { ++ /* ++ * We have processed a part of the data, now ++ * let's delay processing of whatever is left ++ * here. We want it to be an async operation so ++ * that we will: ++ * ++ * a) let other things run; ++ * b) have finer grained control over how much ++ * data is processed at once, because nghttp2 ++ * would happily consume as much data we pass to ++ * it and that could overwhelm the server. 
++ */ ++ http_do_bio_async(session); + } else { +- isc_buffer_forward(session->buf, readlen); ++ (void)http_send_outgoing(session, NULL, NULL, ++ NULL); + } + +- http_do_bio(session, send_httphandle, send_cb, +- send_cbarg); ++ isc__nm_httpsession_detach(&tmpsess); + return; + } else { + /* Resume reading, it's idempotent, wait for more */ + isc_nm_resumeread(session->handle); ++ isc__nmsocket_timer_start(session->handle->sock); + } + } else { + /* We don't want more data, stop reading for now */ + isc_nm_pauseread(session->handle); + } + +- if (send_cb != NULL) { +- INSIST(VALID_NMHANDLE(send_httphandle)); +- (void)http_send_outgoing(session, send_httphandle, send_cb, +- send_cbarg); +- } else { +- INSIST(send_httphandle == NULL); +- INSIST(send_cb == NULL); +- INSIST(send_cbarg == NULL); +- (void)http_send_outgoing(session, NULL, NULL, NULL); ++ /* we might have some data to send after processing */ ++ (void)http_send_outgoing(session, NULL, NULL, NULL); ++ ++ if (nghttp2_session_want_read(session->ngsession) == 0 && ++ nghttp2_session_want_write(session->ngsession) == 0 && ++ session->pending_write_data == NULL) ++ { ++ session->closing = true; ++ isc_nm_pauseread(session->handle); ++ if (session->sending == 0) { ++ finish_http_session(session); ++ } + } + + return; + } + ++static void ++http_do_bio_async_cb(void *arg) { ++ isc_nm_http_session_t *session = arg; ++ ++ REQUIRE(VALID_HTTP2_SESSION(session)); ++ ++ if (session->handle != NULL && ++ !isc__nmsocket_closing(session->handle->sock)) ++ { ++ http_do_bio(session, NULL, NULL, NULL); ++ } ++ ++ isc__nm_httpsession_detach(&session); ++} ++ ++static void ++http_do_bio_async(isc_nm_http_session_t *session) { ++ isc_nm_http_session_t *tmpsess = NULL; ++ ++ REQUIRE(VALID_HTTP2_SESSION(session)); ++ ++ if (session->handle == NULL || ++ isc__nmsocket_closing(session->handle->sock)) ++ { ++ return; ++ } ++ isc__nm_httpsession_attach(session, &tmpsess); ++ isc__nm_async_run( ++ 
&session->handle->sock->mgr->workers[session->handle->sock->tid], ++ http_do_bio_async_cb, tmpsess); ++} ++ + static isc_result_t + get_http_cstream(isc_nmsocket_t *sock, http_cstream_t **streamp) { + http_cstream_t *cstream = sock->h2.connect.cstream; +@@ -1424,6 +1794,7 @@ transport_connect_cb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { + } + + http_transpost_tcp_nodelay(handle); ++ isc__nmhandle_set_manual_timer(session->handle, true); + + http_call_connect_cb(http_sock, session, result); + +@@ -1670,6 +2041,7 @@ server_on_begin_headers_callback(nghttp2_session *ngsession, + socket->tid = session->handle->sock->tid; + ISC_LINK_INIT(&socket->h2, link); + ISC_LIST_APPEND(session->sstreams, &socket->h2, link); ++ session->total_opened_sstreams++; + + nghttp2_session_set_stream_user_data(ngsession, frame->hd.stream_id, + socket); +@@ -1730,6 +2102,8 @@ server_handle_path_header(isc_nmsocket_t *socket, const uint8_t *value, + socket->mgr->mctx, dns_value, + dns_value_len, + &socket->h2.query_data_len); ++ socket->h2.session->processed_useful_data += ++ dns_value_len; + } else { + socket->h2.query_too_large = true; + return (ISC_HTTP_ERROR_PAYLOAD_TOO_LARGE); +@@ -2038,6 +2412,12 @@ server_call_cb(isc_nmsocket_t *socket, const isc_result_t result, + handle = isc__nmhandle_get(socket, NULL, NULL); + if (result != ISC_R_SUCCESS) { + data = NULL; ++ } else if (socket->h2.session->handle != NULL) { ++ isc__nmsocket_timer_restart(socket->h2.session->handle->sock); ++ } ++ if (result == ISC_R_SUCCESS) { ++ socket->h2.request_received = true; ++ socket->h2.session->received++; + } + socket->h2.cb(handle, result, data, socket->h2.cbarg); + isc_nmhandle_detach(&handle); +@@ -2054,6 +2434,12 @@ isc__nm_http_bad_request(isc_nmhandle_t *handle) { + REQUIRE(!atomic_load(&sock->client)); + REQUIRE(VALID_HTTP2_SESSION(sock->h2.session)); + ++ if (sock->h2.response_submitted || ++ !http_session_active(sock->h2.session)) ++ { ++ return; ++ } ++ + 
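Review bot: The final `else` in the leftover-buffer branch of `http_do_bio()` has no comment, although it is the case where `http_process_input_data()` consumed nothing and the data stays parked in `session->buf`. From the visible hunks this happens when a send is in flight or a stream limit is hit, and progress then depends on `http_writecb()` calling `http_do_bio()` again after a successful write. I would document that above the call, e.g. `/* Nothing consumed (send in flight or stream limit reached): flush output; http_writecb() re-enters http_do_bio() and retries session->buf. */`. It is also worth confirming that a session parked here is still bounded by the read timer, which this patch switches to manual control.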
(void)server_send_error_response(ISC_HTTP_ERROR_BAD_REQUEST, + sock->h2.session->ngsession, sock); + } +@@ -2475,6 +2861,8 @@ httplisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { + isc__nmsocket_attach(httplistensock, &session->serversocket); + server_send_connection_header(session); + ++ isc__nmhandle_set_manual_timer(session->handle, true); ++ + /* TODO H2 */ + http_do_bio(session, NULL, NULL, NULL); + return (ISC_R_SUCCESS); +diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h +index cc635e3..79e970a 100644 +--- a/lib/isc/netmgr/netmgr-int.h ++++ b/lib/isc/netmgr/netmgr-int.h +@@ -337,6 +337,7 @@ typedef enum isc__netievent_type { + netievent_privilegedtask, + + netievent_settlsctx, ++ netievent_asyncrun, + + /* + * event type values higher than this will be treated +@@ -708,6 +709,42 @@ typedef struct isc__netievent__tlsctx { + } + + #ifdef HAVE_LIBNGHTTP2 ++typedef void (*isc__nm_asyncrun_cb_t)(void *); ++ ++typedef struct isc__netievent__asyncrun { ++ isc__netievent_type type; ++ ISC_LINK(isc__netievent_t) link; ++ isc__nm_asyncrun_cb_t cb; ++ void *cbarg; ++} isc__netievent__asyncrun_t; ++ ++#define NETIEVENT_ASYNCRUN_TYPE(type) \ ++ typedef isc__netievent__asyncrun_t isc__netievent_##type##_t; ++ ++#define NETIEVENT_ASYNCRUN_DECL(type) \ ++ isc__netievent_##type##_t *isc__nm_get_netievent_##type( \ ++ isc_nm_t *nm, isc__nm_asyncrun_cb_t cb, void *cbarg); \ ++ void isc__nm_put_netievent_##type(isc_nm_t *nm, \ ++ isc__netievent_##type##_t *ievent); ++ ++#define NETIEVENT_ASYNCRUN_DEF(type) \ ++ isc__netievent_##type##_t *isc__nm_get_netievent_##type( \ ++ isc_nm_t *nm, isc__nm_asyncrun_cb_t cb, void *cbarg) { \ ++ isc__netievent_##type##_t *ievent = \ ++ isc__nm_get_netievent(nm, netievent_##type); \ ++ ievent->cb = cb; \ ++ ievent->cbarg = cbarg; \ ++ \ ++ return (ievent); \ ++ } \ ++ \ ++ void isc__nm_put_netievent_##type(isc_nm_t *nm, \ ++ isc__netievent_##type##_t *ievent) { \ ++ ievent->cb = NULL; \ ++ 
ievent->cbarg = NULL; \ ++ isc__nm_put_netievent(nm, ievent); \ ++ } ++ + typedef struct isc__netievent__http_eps { + NETIEVENT__SOCKET; + isc_nm_http_endpoints_t *endpoints; +@@ -752,6 +789,7 @@ typedef union { + isc__netievent_tlsconnect_t nitc; + isc__netievent__tlsctx_t nitls; + #ifdef HAVE_LIBNGHTTP2 ++ isc__netievent__asyncrun_t niasync; + isc__netievent__http_eps_t nihttpeps; + #endif /* HAVE_LIBNGHTTP2 */ + } isc__netievent_storage_t; +@@ -944,6 +982,7 @@ typedef struct isc_nmsocket_h2 { + + isc_nm_http_endpoints_t *peer_endpoints; + ++ bool request_received; + bool response_submitted; + struct { + char *uri; +@@ -1228,6 +1267,7 @@ struct isc_nmsocket { + + isc_barrier_t barrier; + bool barrier_initialised; ++ atomic_bool manual_read_timer; + #ifdef NETMGR_TRACE + void *backtrace[TRACE_SIZE]; + int backtrace_size; +@@ -1546,6 +1586,9 @@ isc__nm_tcp_settimeout(isc_nmhandle_t *handle, uint32_t timeout); + * Set the read timeout for the TCP socket associated with 'handle'. + */ + ++void ++isc__nmhandle_tcp_set_manual_timer(isc_nmhandle_t *handle, const bool manual); ++ + void + isc__nm_async_tcpconnect(isc__networker_t *worker, isc__netievent_t *ev0); + void +@@ -1788,6 +1831,9 @@ isc__nm_tls_cleartimeout(isc_nmhandle_t *handle); + * around. 
+ */ + ++void ++isc__nmhandle_tls_set_manual_timer(isc_nmhandle_t *handle, const bool manual); ++ + const char * + isc__nm_tls_verify_tls_peer_result_string(const isc_nmhandle_t *handle); + +@@ -1805,6 +1851,15 @@ void + isc__nmhandle_tls_setwritetimeout(isc_nmhandle_t *handle, + uint64_t write_timeout); + ++bool ++isc__nmsocket_tls_timer_running(isc_nmsocket_t *sock); ++ ++void ++isc__nmsocket_tls_timer_restart(isc_nmsocket_t *sock); ++ ++void ++isc__nmsocket_tls_timer_stop(isc_nmsocket_t *sock); ++ + void + isc__nm_http_stoplistening(isc_nmsocket_t *sock); + +@@ -1897,7 +1952,10 @@ void + isc__nm_http_set_max_streams(isc_nmsocket_t *listener, + const uint32_t max_concurrent_streams); + +-#endif ++void ++isc__nm_async_asyncrun(isc__networker_t *worker, isc__netievent_t *ev0); ++ ++#endif /* HAVE_LIBNGHTTP2 */ + + void + isc__nm_async_settlsctx(isc__networker_t *worker, isc__netievent_t *ev0); +@@ -2093,6 +2151,8 @@ NETIEVENT_SOCKET_TYPE(tlsdnscycle); + NETIEVENT_SOCKET_REQ_TYPE(httpsend); + NETIEVENT_SOCKET_TYPE(httpclose); + NETIEVENT_SOCKET_HTTP_EPS_TYPE(httpendpoints); ++ ++NETIEVENT_ASYNCRUN_TYPE(asyncrun); + #endif /* HAVE_LIBNGHTTP2 */ + + NETIEVENT_SOCKET_REQ_TYPE(tcpconnect); +@@ -2167,6 +2227,8 @@ NETIEVENT_SOCKET_DECL(tlsdnscycle); + NETIEVENT_SOCKET_REQ_DECL(httpsend); + NETIEVENT_SOCKET_DECL(httpclose); + NETIEVENT_SOCKET_HTTP_EPS_DECL(httpendpoints); ++ ++NETIEVENT_ASYNCRUN_DECL(asyncrun); + #endif /* HAVE_LIBNGHTTP2 */ + + NETIEVENT_SOCKET_REQ_DECL(tcpconnect); +@@ -2283,3 +2345,20 @@ isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult); + + void + isc__nmsocket_log_tls_session_reuse(isc_nmsocket_t *sock, isc_tls_t *tls); ++ ++void ++isc__nmhandle_set_manual_timer(isc_nmhandle_t *handle, const bool manual); ++/* ++ * Set manual read timer control mode - so that it will not get reset ++ * automatically on read nor get started when read is initiated. 
++ */ ++ ++#if HAVE_LIBNGHTTP2 ++void ++isc__nm_async_run(isc__networker_t *worker, isc__nm_asyncrun_cb_t cb, ++ void *cbarg); ++/* ++ * Call the given callback asynchronously by the give network manager ++ * worker, pass the given argument to it. ++ */ ++#endif /* HAVE_LIBNGHTTP2 */ +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index a42ca90..1a93d3b 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -998,6 +998,8 @@ process_netievent(isc__networker_t *worker, isc__netievent_t *ievent) { + NETIEVENT_CASE(httpsend); + NETIEVENT_CASE(httpclose); + NETIEVENT_CASE(httpendpoints); ++ ++ NETIEVENT_CASE(asyncrun); + #endif + NETIEVENT_CASE(settlsctx); + NETIEVENT_CASE(sockstop); +@@ -1116,6 +1118,8 @@ NETIEVENT_SOCKET_DEF(tlsdnsshutdown); + NETIEVENT_SOCKET_REQ_DEF(httpsend); + NETIEVENT_SOCKET_DEF(httpclose); + NETIEVENT_SOCKET_HTTP_EPS_DEF(httpendpoints); ++ ++NETIEVENT_ASYNCRUN_DEF(asyncrun); + #endif /* HAVE_LIBNGHTTP2 */ + + NETIEVENT_SOCKET_REQ_DEF(tcpconnect); +@@ -1627,6 +1631,7 @@ isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type, + atomic_init(&sock->keepalive, false); + atomic_init(&sock->connected, false); + atomic_init(&sock->timedout, false); ++ atomic_init(&sock->manual_read_timer, false); + + atomic_init(&sock->active_child_connections, 0); + +@@ -2136,6 +2141,15 @@ void + isc__nmsocket_timer_restart(isc_nmsocket_t *sock) { + REQUIRE(VALID_NMSOCK(sock)); + ++ switch (sock->type) { ++#if HAVE_LIBNGHTTP2 ++ case isc_nm_tlssocket: ++ return isc__nmsocket_tls_timer_restart(sock); ++#endif /* HAVE_LIBNGHTTP2 */ ++ default: ++ break; ++ } ++ + if (uv_is_closing((uv_handle_t *)&sock->read_timer)) { + return; + } +@@ -2170,6 +2184,15 @@ bool + isc__nmsocket_timer_running(isc_nmsocket_t *sock) { + REQUIRE(VALID_NMSOCK(sock)); + ++ switch (sock->type) { ++#if HAVE_LIBNGHTTP2 ++ case isc_nm_tlssocket: ++ return isc__nmsocket_tls_timer_running(sock); ++#endif /* HAVE_LIBNGHTTP2 */ ++ default: ++ 
break; ++ } ++ + return (uv_is_active((uv_handle_t *)&sock->read_timer)); + } + +@@ -2190,6 +2213,15 @@ isc__nmsocket_timer_stop(isc_nmsocket_t *sock) { + + REQUIRE(VALID_NMSOCK(sock)); + ++ switch (sock->type) { ++#if HAVE_LIBNGHTTP2 ++ case isc_nm_tlssocket: ++ return isc__nmsocket_tls_timer_stop(sock); ++#endif /* HAVE_LIBNGHTTP2 */ ++ default: ++ break; ++ } ++ + /* uv_timer_stop() is idempotent, no need to check if running */ + + r = uv_timer_stop(&sock->read_timer); +@@ -3946,6 +3978,52 @@ isc__nmsocket_log_tls_session_reuse(isc_nmsocket_t *sock, isc_tls_t *tls) { + client_sabuf, local_sabuf); + } + ++void ++isc__nmhandle_set_manual_timer(isc_nmhandle_t *handle, const bool manual) { ++ REQUIRE(VALID_NMHANDLE(handle)); ++ REQUIRE(VALID_NMSOCK(handle->sock)); ++ ++ isc_nmsocket_t *sock = handle->sock; ++ ++ switch (sock->type) { ++ case isc_nm_tcpsocket: ++ isc__nmhandle_tcp_set_manual_timer(handle, manual); ++ return; ++#if HAVE_LIBNGHTTP2 ++ case isc_nm_tlssocket: ++ isc__nmhandle_tls_set_manual_timer(handle, manual); ++ return; ++#endif /* HAVE_LIBNGHTTP2 */ ++ default: ++ break; ++ }; ++ ++ UNREACHABLE(); ++} ++ ++#if HAVE_LIBNGHTTP2 ++void ++isc__nm_async_run(isc__networker_t *worker, isc__nm_asyncrun_cb_t cb, ++ void *cbarg) { ++ isc__netievent__asyncrun_t *ievent = NULL; ++ REQUIRE(worker != NULL); ++ REQUIRE(cb != NULL); ++ ++ ievent = isc__nm_get_netievent_asyncrun(worker->mgr, cb, cbarg); ++ isc__nm_enqueue_ievent(worker, (isc__netievent_t *)ievent); ++} ++ ++void ++isc__nm_async_asyncrun(isc__networker_t *worker, isc__netievent_t *ev0) { ++ isc__netievent_asyncrun_t *ievent = (isc__netievent_asyncrun_t *)ev0; ++ ++ UNUSED(worker); ++ ++ ievent->cb(ievent->cbarg); ++} ++ ++#endif /* HAVE_LIBNGHTTP2 */ ++ + #ifdef NETMGR_TRACE + /* + * Dump all active sockets in netmgr. 
We output to stderr +diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c +index 37d44bd..925bc85 100644 +--- a/lib/isc/netmgr/tcp.c ++++ b/lib/isc/netmgr/tcp.c +@@ -784,7 +784,9 @@ isc__nm_async_tcpstartread(isc__networker_t *worker, isc__netievent_t *ev0) { + return; + } + +- isc__nmsocket_timer_start(sock); ++ if (!atomic_load(&sock->manual_read_timer)) { ++ isc__nmsocket_timer_start(sock); ++ } + } + + void +@@ -822,7 +824,9 @@ isc__nm_async_tcppauseread(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(sock->tid == isc_nm_tid()); + UNUSED(worker); + +- isc__nmsocket_timer_stop(sock); ++ if (!atomic_load(&sock->manual_read_timer)) { ++ isc__nmsocket_timer_stop(sock); ++ } + isc__nm_stop_reading(sock); + } + +@@ -931,8 +935,10 @@ isc__nm_tcp_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf) { + } + } + +- /* The timer will be updated */ +- isc__nmsocket_timer_restart(sock); ++ if (!atomic_load(&sock->manual_read_timer)) { ++ /* The timer will be updated */ ++ isc__nmsocket_timer_restart(sock); ++ } + } + + free: +@@ -1521,3 +1527,15 @@ isc__nm_tcp_listener_nactive(isc_nmsocket_t *listener) { + INSIST(nactive >= 0); + return (nactive); + } ++ ++void ++isc__nmhandle_tcp_set_manual_timer(isc_nmhandle_t *handle, const bool manual) { ++ isc_nmsocket_t *sock; ++ ++ REQUIRE(VALID_NMHANDLE(handle)); ++ sock = handle->sock; ++ REQUIRE(VALID_NMSOCK(sock)); ++ REQUIRE(sock->type == isc_nm_tcpsocket); ++ ++ atomic_store(&sock->manual_read_timer, manual); ++} +diff --git a/lib/isc/netmgr/tlsstream.c b/lib/isc/netmgr/tlsstream.c +index 4fef598..3d78df6 100644 +--- a/lib/isc/netmgr/tlsstream.c ++++ b/lib/isc/netmgr/tlsstream.c +@@ -60,6 +60,12 @@ tls_error_to_result(const int tls_err, const int tls_state, isc_tls_t *tls) { + } + } + ++static void ++tls_read_start(isc_nmsocket_t *sock); ++ ++static void ++tls_read_stop(isc_nmsocket_t *sock); ++ + static void + tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result); + +@@ -203,8 +209,13 
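Review bot: `isc__nmhandle_set_manual_timer()` falls through to `UNREACHABLE()` for every socket type except `isc_nm_tcpsocket` and, when `HAVE_LIBNGHTTP2` is set, `isc_nm_tlssocket`, but the declaration comment added to netmgr-int.h does not state that restriction. The callers in this patch pass `session->handle` and `tlssock->outerhandle`; a later caller passing a handle of another type would presumably hit a fatal assertion. Add the precondition to the header comment, e.g. ` * Only valid for handles of TCP and TLS stream sockets.`. The `;` after the switch's closing brace is an empty statement and can be dropped.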
@@ tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result) { + tls_call_connect_cb(sock, handle, result); + isc__nmsocket_clearcb(sock); + isc_nmhandle_detach(&handle); +- } else if (sock->recv_cb != NULL && sock->statichandle != NULL && +- (sock->recv_read || result == ISC_R_TIMEDOUT)) ++ goto do_destroy; ++ } ++ ++ isc__nmsocket_timer_stop(sock); ++ ++ if (sock->recv_cb != NULL && sock->statichandle != NULL && ++ (sock->recv_read || result == ISC_R_TIMEDOUT)) + { + isc__nm_uvreq_t *req = NULL; + INSIST(VALID_NMHANDLE(sock->statichandle)); +@@ -218,13 +229,13 @@ tls_failed_read_cb(isc_nmsocket_t *sock, const isc_result_t result) { + } + isc__nm_readcb(sock, req, result); + if (result == ISC_R_TIMEDOUT && +- (sock->outerhandle == NULL || +- isc__nmsocket_timer_running(sock->outerhandle->sock))) ++ isc__nmsocket_timer_running(sock)) + { + destroy = false; + } + } + ++do_destroy: + if (destroy) { + isc__nmsocket_prep_destroy(sock); + } +@@ -344,6 +355,8 @@ tls_try_handshake(isc_nmsocket_t *sock, isc_result_t *presult) { + INSIST(sock->statichandle == NULL); + isc__nmsocket_log_tls_session_reuse(sock, sock->tlsstream.tls); + tlshandle = isc__nmhandle_get(sock, &sock->peer, &sock->iface); ++ isc__nmsocket_timer_stop(sock); ++ tls_read_stop(sock); + + if (isc__nm_closing(sock)) { + result = ISC_R_SHUTTINGDOWN; +@@ -437,6 +450,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data, + sock->tlsstream.state = TLS_HANDSHAKE; + rv = tls_try_handshake(sock, NULL); + INSIST(SSL_is_init_finished(sock->tlsstream.tls) == 0); ++ isc__nmsocket_timer_restart(sock); + } else if (sock->tlsstream.state == TLS_CLOSED) { + return; + } else { /* initialised and doing I/O */ +@@ -502,6 +516,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data, + !atomic_load(&sock->readpaused) && + sock->statichandle != NULL && !finish) + { ++ bool was_new_data = false; + uint8_t recv_buf[TLS_BUF_SIZE]; + INSIST(sock->tlsstream.state > TLS_HANDSHAKE); + while ((rv = 
SSL_read_ex(sock->tlsstream.tls, recv_buf, +@@ -510,7 +525,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data, + isc_region_t region; + region = (isc_region_t){ .base = &recv_buf[0], + .length = len }; +- ++ was_new_data = true; + INSIST(VALID_NMHANDLE(sock->statichandle)); + sock->recv_cb(sock->statichandle, ISC_R_SUCCESS, + ®ion, sock->recv_cbarg); +@@ -547,8 +562,29 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data, + break; + } + } ++ ++ if (was_new_data && !sock->manual_read_timer) { ++ /* ++ * Some data has been decrypted, it is the right ++ * time to stop the read timer as it will be ++ * restarted on the next read attempt. ++ */ ++ isc__nmsocket_timer_stop(sock); ++ } + } + } ++ ++ /* ++ * Setting 'finish' to 'true' means that we are about to close the ++ * TLS stream (we intend to send TLS shutdown message to the ++ * remote side). After that no new data can be received, so we ++ * should stop the timer regardless of the ++ * 'sock->manual_read_timer' value. 
++ */ ++ if (finish) { ++ isc__nmsocket_timer_stop(sock); ++ } ++ + errno = 0; + tls_status = SSL_get_error(sock->tlsstream.tls, rv); + saved_errno = errno; +@@ -601,14 +637,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data, + return; + } + +- INSIST(VALID_NMHANDLE(sock->outerhandle)); +- +- if (sock->tlsstream.reading) { +- isc_nm_resumeread(sock->outerhandle); +- } else if (sock->tlsstream.state == TLS_HANDSHAKE) { +- sock->tlsstream.reading = true; +- isc_nm_read(sock->outerhandle, tls_readcb, sock); +- } ++ tls_read_start(sock); + return; + default: + result = tls_error_to_result(tls_status, sock->tlsstream.state, +@@ -743,6 +772,7 @@ tlslisten_acceptcb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { + RUNTIME_CHECK(result == ISC_R_SUCCESS); + /* TODO: catch failure code, detach tlssock, and log the error */ + ++ isc__nmhandle_set_manual_timer(tlssock->outerhandle, true); + tls_do_bio(tlssock, NULL, NULL, false); + return (result); + } +@@ -898,6 +928,29 @@ isc__nm_tls_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) { + (isc__netievent_t *)ievent); + } + ++static void ++tls_read_start(isc_nmsocket_t *sock) { ++ INSIST(VALID_NMHANDLE(sock->outerhandle)); ++ ++ if (sock->tlsstream.reading) { ++ isc_nm_resumeread(sock->outerhandle); ++ } else if (sock->tlsstream.state == TLS_HANDSHAKE) { ++ sock->tlsstream.reading = true; ++ isc_nm_read(sock->outerhandle, tls_readcb, sock); ++ } ++ ++ if (!sock->manual_read_timer) { ++ isc__nmsocket_timer_start(sock); ++ } ++} ++ ++static void ++tls_read_stop(isc_nmsocket_t *sock) { ++ if (sock->outerhandle != NULL) { ++ isc_nm_pauseread(sock->outerhandle); ++ } ++} ++ + void + isc__nm_tls_pauseread(isc_nmhandle_t *handle) { + REQUIRE(VALID_NMHANDLE(handle)); +@@ -906,9 +959,11 @@ isc__nm_tls_pauseread(isc_nmhandle_t *handle) { + if (atomic_compare_exchange_strong(&handle->sock->readpaused, + &(bool){ false }, true)) + { +- if (handle->sock->outerhandle != NULL) { +- 
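Review bot: `sock->manual_read_timer` is declared `atomic_bool` in netmgr-int.h and is read through `atomic_load()` in tcp.c and in `isc__nm_tls_pauseread()`, but the new test in `tls_do_bio()` (`if (was_new_data && !sock->manual_read_timer)`) reads it as a plain field. `tls_read_start()`, in the hunk at -898, does the same. With C11 atomics a plain read is still an atomic load, so this looks like a consistency issue rather than a race, but the explicit form keeps every access to the flag greppable. Use `!atomic_load(&sock->manual_read_timer)` in both places. `tls_do_bio()` starts and ends outside this hunk.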
isc_nm_pauseread(handle->sock->outerhandle); ++ if (!atomic_load(&handle->sock->manual_read_timer)) { ++ isc__nmsocket_timer_stop(handle->sock); + } ++ ++ tls_read_stop(handle->sock); + } + } + +@@ -937,6 +992,7 @@ tls_close_direct(isc_nmsocket_t *sock) { + * external references, we can close everything. + */ + if (sock->outerhandle != NULL) { ++ isc__nmsocket_timer_stop(sock); + isc_nm_pauseread(sock->outerhandle); + isc__nmsocket_clearcb(sock->outerhandle->sock); + isc_nmhandle_detach(&sock->outerhandle); +@@ -1085,6 +1141,7 @@ tcp_connected(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) { + */ + handle->sock->tlsstream.tlssocket = tlssock; + ++ isc__nmhandle_set_manual_timer(tlssock->outerhandle, true); + tls_do_bio(tlssock, NULL, NULL, false); + return; + error: +@@ -1251,6 +1308,44 @@ isc__nmhandle_tls_setwritetimeout(isc_nmhandle_t *handle, + } + } + ++bool ++isc__nmsocket_tls_timer_running(isc_nmsocket_t *sock) { ++ REQUIRE(VALID_NMSOCK(sock)); ++ REQUIRE(sock->type == isc_nm_tlssocket); ++ ++ if (sock->outerhandle != NULL) { ++ INSIST(VALID_NMHANDLE(sock->outerhandle)); ++ REQUIRE(VALID_NMSOCK(sock->outerhandle->sock)); ++ return isc__nmsocket_timer_running(sock->outerhandle->sock); ++ } ++ ++ return false; ++} ++ ++void ++isc__nmsocket_tls_timer_restart(isc_nmsocket_t *sock) { ++ REQUIRE(VALID_NMSOCK(sock)); ++ REQUIRE(sock->type == isc_nm_tlssocket); ++ ++ if (sock->outerhandle != NULL) { ++ INSIST(VALID_NMHANDLE(sock->outerhandle)); ++ REQUIRE(VALID_NMSOCK(sock->outerhandle->sock)); ++ isc__nmsocket_timer_restart(sock->outerhandle->sock); ++ } ++} ++ ++void ++isc__nmsocket_tls_timer_stop(isc_nmsocket_t *sock) { ++ REQUIRE(VALID_NMSOCK(sock)); ++ REQUIRE(sock->type == isc_nm_tlssocket); ++ ++ if (sock->outerhandle != NULL) { ++ INSIST(VALID_NMHANDLE(sock->outerhandle)); ++ REQUIRE(VALID_NMSOCK(sock->outerhandle->sock)); ++ isc__nmsocket_timer_stop(sock->outerhandle->sock); ++ } ++} ++ + const char * + 
isc__nm_tls_verify_tls_peer_result_string(const isc_nmhandle_t *handle) { + isc_nmsocket_t *sock = NULL; +@@ -1351,3 +1446,15 @@ tls_try_shutdown(isc_tls_t *tls, const bool force) { + (void)SSL_shutdown(tls); + } + } ++ ++void ++isc__nmhandle_tls_set_manual_timer(isc_nmhandle_t *handle, const bool manual) { ++ isc_nmsocket_t *sock; ++ ++ REQUIRE(VALID_NMHANDLE(handle)); ++ sock = handle->sock; ++ REQUIRE(VALID_NMSOCK(sock)); ++ REQUIRE(sock->type == isc_nm_tlssocket); ++ ++ atomic_store(&sock->manual_read_timer, manual); ++} +-- +2.43.5 + diff --git a/bind-9.18-unittest-netmgr-unstable.patch b/SOURCES/bind-9.18-unittest-netmgr-unstable.patch similarity index 100% rename from bind-9.18-unittest-netmgr-unstable.patch rename to SOURCES/bind-9.18-unittest-netmgr-unstable.patch diff --git a/SOURCES/bind-9.18.29.tar.xz.asc b/SOURCES/bind-9.18.29.tar.xz.asc new file mode 100644 index 0000000..ecf6dc3 --- /dev/null +++ b/SOURCES/bind-9.18.29.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAma+DmEACgkQGC4jV5Ri +76q1FQ/8CXrIA21FAdnGuGqC53EVOzFl3QptFMThoVTO0kzp7rQcwv8xE/gphXnT +j4DWMAZ/tDW6ZalDbmCh6t+z/0pXewHB+43CILSkzU9Gi5gnAUHdIdlGQnYH/x2N +eyHBKuB9Wubmi87Yu8zjtF+Xu43qgcYqNKP/QqU9YwsqPQ+7GgcKAETVidFMB9/4 +QZiMT4gMawguft+BwFZ1eYvk0Bemk0OkKhofyWDcVnl5r93pvTIK3SsIHyEHx7xu +dbG9Z5HhoaJ8b48djahrrYSQCQ0Dn9KbEVLu+/BS5tz+k+V1VI1pk4OS15wn7yBZ +8EqAGc5xj4MEKW7PEteOK7QQQE59yKY6SGwt+tQwokUZ/Rq4bAx2bHXY83oRBULo +BIRDdgoxc9X44YQ/a55La+7/xq2eCYwW2s364R4To3K58nPCNlkdEQUziY1V7guR +3zOcHPAZNe5bK7bN3BMDusQgtoerfSUC1x+zj5Nm9Xnb/yAtVUyiP/k/zlIds9W3 +rKSCM5FAuacZdWQKeVpRa1EaXhObm08qLO9a/Dc/Qvll8GKAmrMoll2WwEoUVlZ3 +HwZPRsPIWYSCemtHmp36b7nOZ0vo4NMXjb2nV7xW3a8BqOD3RW0XiTlC814qmqsU +x16eOHowvtDw58abeBzPJ2k1yne1Ic2zBdJzUM9wqdJCoBN5g0A= +=2EW2 +-----END PGP SIGNATURE----- diff --git a/bind-9.5-PIE.patch b/SOURCES/bind-9.5-PIE.patch similarity index 100% rename from bind-9.5-PIE.patch rename to SOURCES/bind-9.5-PIE.patch 
diff --git a/bind.tmpfiles.d b/SOURCES/bind.tmpfiles.d
similarity index 100%
rename from bind.tmpfiles.d
rename to SOURCES/bind.tmpfiles.d
diff --git a/generate-rndc-key.sh b/SOURCES/generate-rndc-key.sh
similarity index 100%
rename from generate-rndc-key.sh
rename to SOURCES/generate-rndc-key.sh
diff --git a/isc-keyblock.asc b/SOURCES/isc-keyblock.asc
similarity index 100%
rename from isc-keyblock.asc
rename to SOURCES/isc-keyblock.asc
diff --git a/named-chroot-setup.service b/SOURCES/named-chroot-setup.service
similarity index 100%
rename from named-chroot-setup.service
rename to SOURCES/named-chroot-setup.service
diff --git a/named-chroot.files b/SOURCES/named-chroot.files
similarity index 100%
rename from named-chroot.files
rename to SOURCES/named-chroot.files
diff --git a/named-chroot.service b/SOURCES/named-chroot.service
similarity index 100%
rename from named-chroot.service
rename to SOURCES/named-chroot.service
diff --git a/named-setup-rndc.service b/SOURCES/named-setup-rndc.service
similarity index 100%
rename from named-setup-rndc.service
rename to SOURCES/named-setup-rndc.service
diff --git a/named.conf b/SOURCES/named.conf
similarity index 100%
rename from named.conf
rename to SOURCES/named.conf
diff --git a/named.conf.sample b/SOURCES/named.conf.sample
similarity index 100%
rename from named.conf.sample
rename to SOURCES/named.conf.sample
diff --git a/named.empty b/SOURCES/named.empty
similarity index 100%
rename from named.empty
rename to SOURCES/named.empty
diff --git a/named.localhost b/SOURCES/named.localhost
similarity index 100%
rename from named.localhost
rename to SOURCES/named.localhost
diff --git a/named.logrotate b/SOURCES/named.logrotate
similarity index 100%
rename from named.logrotate
rename to SOURCES/named.logrotate
diff --git a/named.loopback b/SOURCES/named.loopback
similarity index 100%
rename from named.loopback
rename to SOURCES/named.loopback
diff --git a/named.rfc1912.zones b/SOURCES/named.rfc1912.zones similarity index 100% rename from named.rfc1912.zones rename to SOURCES/named.rfc1912.zones diff --git a/named.root b/SOURCES/named.root similarity index 100% rename from named.root rename to SOURCES/named.root diff --git a/named.root.key b/SOURCES/named.root.key similarity index 100% rename from named.root.key rename to SOURCES/named.root.key diff --git a/named.rwtab b/SOURCES/named.rwtab similarity index 100% rename from named.rwtab rename to SOURCES/named.rwtab diff --git a/named.service b/SOURCES/named.service similarity index 100% rename from named.service rename to SOURCES/named.service diff --git a/named.sysconfig b/SOURCES/named.sysconfig similarity index 100% rename from named.sysconfig rename to SOURCES/named.sysconfig diff --git a/setup-named-chroot.sh b/SOURCES/setup-named-chroot.sh similarity index 100% rename from setup-named-chroot.sh rename to SOURCES/setup-named-chroot.sh diff --git a/setup-named-softhsm.sh b/SOURCES/setup-named-softhsm.sh similarity index 100% rename from setup-named-softhsm.sh rename to SOURCES/setup-named-softhsm.sh diff --git a/trusted-key.key b/SOURCES/trusted-key.key similarity index 100% rename from trusted-key.key rename to SOURCES/trusted-key.key diff --git a/bind9.18.spec b/SPECS/bind9.18.spec similarity index 99% rename from bind9.18.spec rename to SPECS/bind9.18.spec index 385faab..2e6c94d 100644 --- a/bind9.18.spec +++ b/SPECS/bind9.18.spec @@ -77,7 +77,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0 Version: 9.18.29 -Release: 1%{?dist} +Release: 1%{?dist}.1 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
@@ -115,6 +115,11 @@ Patch16: bind-9.16-redhat_doc.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2122010 Patch26: bind-9.18-unittest-netmgr-unstable.patch +#Oracle patches +Patch1000: bind-9.18-CVE-2024-11187-pre-test.patch +Patch1001: bind-9.18-CVE-2024-11187.patch +Patch1002: bind-9.18-CVE-2024-12705.patch + %{?systemd_ordering} Requires: coreutils Requires(pre): shadow-utils @@ -961,6 +966,10 @@ fi; %endif %changelog +* Thu Feb 20 2025 Alex Burmashev - 32:9.18.29-1.el9_5.1 +- Fix CVE-2024-11187 bind: bind9: Many records in the additional section cause CPU exhaustion +- Fix CVE-2024-12705 bind: bind9: DNS-over-HTTPS implementation suffers from multiple issues under heavy query load + * Wed Aug 21 2024 Petr Menšík - 32:9.18.29-1 - Update to 9.18.29 (RHEL-53015) diff --git a/bind-9.11.12.tar.gz.asc b/bind-9.11.12.tar.gz.asc deleted file mode 100644 index 6d7992f..0000000 --- a/bind-9.11.12.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMooACgkQdLtrmky7 -PThv2RAAnXNLYTzXtH6ls29tRm5Hc+D6UaeqcWDNQ4BpkRVhrFxtukalGCi9mmB6 -NPJzFyXmaOW654pypCIuEgqJNFUpDtLzLzT7SUF+mhm+5plsaRSBnh4mq87l5KSp -twODAPnfCJV+HBk5RmToLEstAbGQ7xEBTyQtZoFkY+V7zEFwENKiCvWsoSWOkYR3 -zXo3sKjc83HV9ShbW/mCtbZf5L0qlbrKOAzqJfAFMhNNJi8kMbmr/Zi2sIfN+Rhv -g8HQo89Epv6r51yAdeED8idIX4rKjjcEtHrZeDmLdCcdHgSEj2sIlH92Joce6vL0 -S59A0rItIXm6fW8sz6WNpcj4tVtWYbIYjXZ4SPFNkaUrHv8cUekq+5vbI+v07Gh3 -2bhtDsDyTY5I1/AsY/EFmwkCAjUS00jZryBnuJpLB3v5JtUog4ek32yLBzPrqRBo -1876j4nlXAia8mG0OgJNWZ0gHyUPe/TgfR8fQDLmHxHHlKrJNTEwY6bLW8jzFTX1 -zk510fI1K7J9tiQgf5wcBQ2h3EBlqzDNIJDovoATzLYIf0HKyVegh/vnQdtdEhUR -1DzJAt3bsBfAP1AFfWPD/ACu5Zdm7SxY1wE/pjkwttDU3sRZqOfuwNBGeolu3cVN -O9/h1zsyVeVS0ui2vu4+V4EvNitmXsVbG2doDq9L5yBiIKGO2Ew= -=GCy6 ------END PGP SIGNATURE----- diff --git a/bind-9.14.7.tar.gz.asc b/bind-9.14.7.tar.gz.asc deleted file mode 100644 index 1134ae1..0000000 --- a/bind-9.14.7.tar.gz.asc +++ /dev/null 
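Review bot: `Patch1000`, `Patch1001` and `Patch1002` are declared in this hunk, but the spec diff adds no `%patch` line for them, so the three files are applied only if `%prep` (outside the hunk) uses `%autosetup` or `%autopatch`. If `%prep` instead lists patches one by one, the changelog entry added in the next hunk would claim fixes for CVE-2024-11187 and CVE-2024-12705 that the built package does not contain. Please confirm against `%prep`, and consider checking the build log for an applied-patch line for each of the three files before the update ships.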
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMpEACgkQdLtrmky7 -PTh/sg//QbNRAQvADQfwF1PPo+JxB+3WzQ9oJAWeHbOoiubwkUwO9xE+BEnTNd5o -oM1lSLqFxNykOTaoeJlqPftPod1cxo7lSzkwflugGyB/59wliCpqCg053YV4x9mO -QggvA/E50+0FI/Om/7v4GHGADu/JE83FovOueWAB0LgqfDSD6QFcNFF9sUJJ4P7r -FcEXSWj8QbrHMWBKncZUOpD2ECotvtrYmi0DTHl1XfigESDQpWtsnTFuabCCsvkh -ch9wQRplAes2Mf/aS5tl1y0QKKBFuEjtGiTdgrDl6o9GLnx6CueX5saZehu2EVkr -fq2vEYUC2lRQSjuxSMMJ3L0TGUcl7+ixlAIISS2K9L5Xx7MhBXt/EH5KiKPfsEet -3EH+DhxV5uXjDU7MgvREnxT+ssV23e0HWTz4tVVQ9LpvYmWPIgLcSOhHCc57yoQF -c46V0f69dMWbMAlQ93EZSG274ZvpIszpK8+3hGI3/TuDFFgiQJeJJBFVtYJMle69 -3mEEclfzO7fBiXZFec6nVx2309bL64bafN7zszPKXl4XgoefOfD0v0eWqQT4fxfm -dnGC0qMqSZs5F+d0fISV5JUUNYzt9PZjvnzqLLGOeTF6l3/n9G1mmNsXcxJ1OEIF -6qh1oO7JTPjt0MFhKac4QjNQi/Bnp25O3I/PRyWZCbiwXkyvyQU= -=ZT7s ------END PGP SIGNATURE----- diff --git a/bind97-exportlib.patch b/bind97-exportlib.patch deleted file mode 100644 index 4468ef5..0000000 --- a/bind97-exportlib.patch +++ /dev/null 
@@ -1,226 +0,0 @@ -diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in -diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in ---- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200 -@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_ - - CWARNINGS = - --ISCLIBS = ../isc/libisc.@A@ -+ISCLIBS = ../isc/libisc-export.@A@ - --ISCDEPLIBS = ../isc/libisc.@A@ -+ISCDEPLIBS = ../isc/libisc-export.@A@ - - LIBS = @LIBS@ - -@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} - --timestamp: libdns.@A@ -+timestamp: libdns-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-export.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - -diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in ---- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200 -@@ -43,9 +43,9 @@ SRCS = context.c \ - 
gai_sterror.c getaddrinfo.c getnameinfo.c \ - resconf.c - --ISCLIBS = ../isc/libisc.@A@ --DNSLIBS = ../dns/libdns.@A@ --ISCCFGLIBS = ../isccfg/libisccfg.@A@ -+ISCLIBS = ../isc/libisc-export.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ -+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ - - LIBS = @LIBS@ - -@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libirs.@SA@: ${OBJS} version.@O@ -+libirs-export.@SA@: ${OBJS} version.@O@ - ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@ - ${RANLIB} $@ - --libirs.la: ${OBJS} version.@O@ -+libirs-export.la: ${OBJS} version.@O@ - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} - --timestamp: libirs.@A@ -+timestamp: libirs-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libirs.@A@ libirs.la timestamp -+ rm -f libirs-export.@A@ libirs-export.la timestamp -diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in ---- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200 -@@ -30,11 +30,11 @@ CINCLUDES = -I. 
${DNS_INCLUDES} -I${expo - CDEFINES = - CWARNINGS = - --ISCLIBS = ../isc/libisc.@A@ --DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../isc/libisc-export.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ - - ISCDEPLIBS = ../../lib/isc/libisc.@A@ --ISCCFGDEPLIBS = libisccfg.@A@ -+ISCCFGDEPLIBS = libisccfg-export.@A@ - - LIBS = @LIBS@ - -@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisccfg.@SA@: ${OBJS} -+libisccfg-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisccfg.la: ${OBJS} -+libisccfg-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS} - --timestamp: libisccfg.@A@ -+timestamp: libisccfg-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libisccfg.@A@ timestamp -+ rm -f libisccfg-export.@A@ timestamp -diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in ---- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200 -@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \ - - LIBS = @LIBS@ - -+# Note: the order of SUBDIRS is important. -+# Attempt to disable parallel processing. 
-+.NOTPARALLEL: -+.NO_PARALLEL: - SUBDIRS = include unix nls @ISC_THREAD_DIR@ - TARGETS = timestamp - -@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisc.@SA@: ${OBJS} -+libisc-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisc.la: ${OBJS} -+libisc-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} - --timestamp: libisc.@A@ -+timestamp: libisc-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \ - ${DESTDIR}${export_libdir} - - clean distclean:: -- rm -f libisc.@A@ libisc.la timestamp -+ rm -f libisc-export.@A@ libisc-export.la timestamp -diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in ---- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200 -@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns - CDEFINES = - CWARNINGS = - --DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ --ISCLIBS = ../isc/libisc.@A@ --ISCCFGLIBS = ../isccfg/libisccfg.@A@ --IRSLIBS = ../irs/libirs.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../isc/libisc-export.@A@ -+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ -+IRSLIBS = ../irs/libirs-export.@A@ - --DNSDEPLIBS = ../dns/libdns.@A@ --ISCDEPLIBS = ../isc/libisc.@A@ --ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@ --IRSDEPLIBS = ../irs/libirs.@A@ -+DNSDEPLIBS = ../dns/libdns-export.@A@ -+ISCDEPLIBS = ../isc/libisc-export.@A@ -+ISCCFGDEPLIBS = 
../isccfg/libisccfg-export.@A@ -+IRSDEPLIBS = ../irs/libirs-export.@A@ - - DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} - diff --git a/ci.fmf b/ci.fmf deleted file mode 100644 index c5aa0e0..0000000 --- a/ci.fmf +++ /dev/null @@ -1 +0,0 @@ -resultsdb-testcase: separate diff --git a/codesign2019.txt b/codesign2019.txt deleted file mode 100644 index 1807b58..0000000 --- a/codesign2019.txt +++ /dev/null 
@@ -1,252 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Comment: GPGTools - http://gpgtools.org - -mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m -r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk -pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI -yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG -ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0 -/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh -qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF -UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv -SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D -o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt -LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB -tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 -LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln -EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB -Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA -1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj -tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+ -5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn -Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF -JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI -hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa -xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd -gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX -pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP -vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf -6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ -lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ -yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+ 
-Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94 -1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV -+JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS -Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6 -0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg -bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3 -/EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM -gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b -+C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624 -9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf -SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw -XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs -NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29 -ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU -+BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd -0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk -X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m -+8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2 -8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6 -fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i -P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg -9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU -ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa -FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE -zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb -9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr -c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm -Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ -LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0 -dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L 
-Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu -EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX -TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA -JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM -uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S -Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5 -rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq -iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo -Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3 -w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA -9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3 -EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9 -8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT -VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs -puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB -EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1 -+7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK -7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza -md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg -KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB -kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV -uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT -1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C -j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn -riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z -PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm -FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7 -PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft -XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd -1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT 
-wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL -dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi -oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT -5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA -Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX -zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1 -uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ -R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j -V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz -I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy -NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7 -QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+ -LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C -aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR -Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq -A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7 -AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d -r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34 -c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC -mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg -ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax -iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH -Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg -QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN -wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z -1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb -IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh -wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9 -/S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3 -S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw 
-/D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ -/AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd -FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf -rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi -BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA -fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII -8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI -Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7 -Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO -irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97 -GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/ -Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97 -ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp -lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+ -cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V -87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL -JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh -AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi -4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra -QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf -h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6 -+TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id -37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ -5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH -H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c -zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P -96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC -B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi -/z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H -0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/ 
-EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH -NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL -cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE -VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5 -Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw -kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9 -OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360 -tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky -pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb -xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h -hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe -P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h -5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy -wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl -uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s -wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS -h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L -J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0 -1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq -hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN -8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G -CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09 -rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb -sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh -GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2 -5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy -0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq -z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ -sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d -8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx 
-te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz -EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo -p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2 -HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB -hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT -4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3 -MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy -vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v -fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2 -qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4 -QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF -CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK -eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG -2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP -rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB -ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD -L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I -wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr -SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a -sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO -SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd -Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m -PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x -LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c -aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh -AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD -3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb -x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76 -gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6 -NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi 
-BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu -AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq -BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2 -cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc -W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW -vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0 -s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K -yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt -nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l -NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3 -LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M -yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6 -0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu -76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX -tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY -AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7 -a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ -F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H -TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO -y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT -94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B -0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5 -eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8 -k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku -PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r -pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki -0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i -6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+ -I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm -++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd 
-CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f -ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy -rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey -WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC -hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT -uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT -RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+ -XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT -nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0= -=MkGo ------END PGP PUBLIC KEY BLOCK----- diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index 8085288..0000000 --- a/gating.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- !Policy -product_versions: - - fedora-* -decision_context: bodhi_update_push_testing -subject_type: koji_build -rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} - -#Rawhide ---- !Policy -product_versions: - - fedora-* -decision_context: bodhi_update_push_stable -subject_type: koji_build -rules: - - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional} - -#gating rhel ---- !Policy -product_versions: - - rhel-* -decision_context: osci_compose_gate -rules: - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional} - - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional} diff --git a/ldap2zone.c b/ldap2zone.c deleted file mode 100644 index 80e7919..0000000 --- a/ldap2zone.c +++ /dev/null 
@@ -1,411 +0,0 @@ -/* - * Copyright (C) 2004, 2005 Stig Venaas - * $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $ - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - */ - -#define LDAP_DEPRECATED 1 - -#include -#include -#include -#include - -#include - -struct string { - void *data; - size_t len; -}; - -struct assstack_entry { - struct string key; - struct string val; - struct assstack_entry *next; -}; - -struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key); -void assstack_push(struct assstack_entry **stack, struct assstack_entry *item); -void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item); -void printsoa(struct string *soa); -void printrrs(char *defaultttl, struct assstack_entry *item); -void print_zone(char *defaultttl, struct assstack_entry *stack); -void usage(char *name); -void err(char *name, const char *msg); -int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val); - -struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) { - for (; stack; stack = stack->next) - if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len)) - return stack; - return NULL; -} - -void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) { - item->next = *stack; - *stack = item; -} - -void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) { - struct assstack_entry *p; - - item->next = NULL; - if (!*stack) { - *stack = item; - return; - } - /* find end, should keep track of end somewhere */ - /* really a queue, not a stack */ - p = *stack; - while (p->next) - p = p->next; - p->next = item; -} - -void printsoa(struct string *soa) { - char *s; - size_t i; - - s = (char *)soa->data; - i 
= 0; - while (i < soa->len) { - putchar(s[i]); - if (s[i++] == ' ') - break; - } - while (i < soa->len) { - putchar(s[i]); - if (s[i++] == ' ') - break; - } - printf("(\n\t\t\t\t"); - while (i < soa->len) { - putchar(s[i]); - if (s[i++] == ' ') - break; - } - printf("; Serialnumber\n\t\t\t\t"); - while (i < soa->len) { - if (s[i] == ' ') - break; - putchar(s[i++]); - } - i++; - printf("\t; Refresh\n\t\t\t\t"); - while (i < soa->len) { - if (s[i] == ' ') - break; - putchar(s[i++]); - } - i++; - printf("\t; Retry\n\t\t\t\t"); - while (i < soa->len) { - if (s[i] == ' ') - break; - putchar(s[i++]); - } - i++; - printf("\t; Expire\n\t\t\t\t"); - while (i < soa->len) { - putchar(s[i++]); - } - printf(" )\t; Minimum TTL\n"); -} - -void printrrs(char *defaultttl, struct assstack_entry *item) { - struct assstack_entry *stack; - char *s; - int first; - size_t i; - char *ttl, *type; - int top; - - s = (char *)item->key.data; - - if (item->key.len == 1 && *s == '@') { - top = 1; - printf("@\t"); - } else { - top = 0; - for (i = 0; i < item->key.len; i++) - putchar(s[i]); - if (item->key.len < 8) - putchar('\t'); - putchar('\t'); - } - - first = 1; - for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) { - ttl = (char *)stack->key.data; - s = strchr(ttl, ' '); - *s++ = '\0'; - type = s; - - if (first) - first = 0; - else - printf("\t\t"); - - if (strcmp(defaultttl, ttl)) - printf("%s", ttl); - putchar('\t'); - - if (top) { - top = 0; - printf("IN\t%s\t", type); - /* Should always be SOA here */ - if (!strcmp(type, "SOA")) { - printsoa(&stack->val); - continue; - } - } else - printf("%s\t", type); - - s = (char *)stack->val.data; - for (i = 0; i < stack->val.len; i++) - putchar(s[i]); - putchar('\n'); - } -} - -void print_zone(char *defaultttl, struct assstack_entry *stack) { - printf("$TTL %s\n", defaultttl); - for (; stack; stack = stack->next) - printrrs(defaultttl, stack); -}; - -void usage(char *name) { - fprintf(stderr, "Usage:%s zone-name 
LDAP-URL default-ttl [serial]\n", name); - exit(1); -}; - -void err(char *name, const char *msg) { - fprintf(stderr, "%s: %s\n", name, msg); - exit(1); -}; - -int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) { - struct string key; - struct assstack_entry *rr, *rrdata; - - /* Do nothing if name or value have 0 length */ - if (!name->bv_len || !val->bv_len) - return 0; - - /* see if already have an entry for this name */ - key.len = name->bv_len; - key.data = name->bv_val; - - rr = assstack_find(*stack, &key); - if (!rr) { - /* Not found, create and push new entry */ - rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry)); - if (!rr) - return -1; - rr->key.len = name->bv_len; - rr->key.data = (void *) malloc(rr->key.len); - if (!rr->key.data) { - free(rr); - return -1; - } - memcpy(rr->key.data, name->bv_val, name->bv_len); - rr->val.len = sizeof(void *); - rr->val.data = NULL; - if (name->bv_len == 1 && *(char *)name->bv_val == '@') - assstack_push(stack, rr); - else - assstack_insertbottom(stack, rr); - } - - rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry)); - if (!rrdata) { - free(rr->key.data); - free(rr); - return -1; - } - rrdata->key.len = strlen(type) + strlen(ttl) + 1; - rrdata->key.data = (void *) malloc(rrdata->key.len); - if (!rrdata->key.data) { - free(rrdata); - free(rr->key.data); - free(rr); - return -1; - } - sprintf((char *)rrdata->key.data, "%s %s", ttl, type); - - rrdata->val.len = val->bv_len; - rrdata->val.data = (void *) malloc(val->bv_len); - if (!rrdata->val.data) { - free(rrdata->key.data); - free(rrdata); - free(rr->key.data); - free(rr); - return -1; - } - memcpy(rrdata->val.data, val->bv_val, val->bv_len); - - if (!strcmp(type, "SOA")) - assstack_push((struct assstack_entry **) &(rr->val.data), rrdata); - else - assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata); - return 0; -} - -int main(int argc, char **argv) { - char 
*s, *hostporturl, *base = NULL; - char *ttl, *defaultttl; - LDAP *ld; - char *fltr = NULL; - LDAPMessage *res, *e; - char *a, **ttlvals, **soavals, *serial; - struct berval **vals, **names; - char type[64]; - BerElement *ptr; - int i, j, rc, msgid; - struct assstack_entry *zone = NULL; - - if (argc < 4 || argc > 5) - usage(argv[0]); - - hostporturl = argv[2]; - - if (hostporturl != strstr( hostporturl, "ldap")) - err(argv[0], "Not an LDAP URL"); - - s = strchr(hostporturl, ':'); - - if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/') - err(argv[0], "Not an LDAP URL"); - - s = strchr(s+3, '/'); - if (s) { - *s++ = '\0'; - base = s; - s = strchr(base, '?'); - if (s) - err(argv[0], "LDAP URL can only contain host, port and base"); - } - - defaultttl = argv[3]; - - rc = ldap_initialize(&ld, hostporturl); - if (rc != LDAP_SUCCESS) - err(argv[0], "ldap_initialize() failed"); - - if (argc == 5) { - /* serial number specified, check if different from one in SOA */ - fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1); - sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]); - msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0); - if (msgid == -1) - err(argv[0], "ldap_search() failed"); - - while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) { - /* not supporting continuation references at present */ - if (rc != LDAP_RES_SEARCH_ENTRY) - err(argv[0], "ldap_result() returned cont.ref? 
Exiting"); - - /* only one entry per result message */ - e = ldap_first_entry(ld, res); - if (e == NULL) { - ldap_msgfree(res); - err(argv[0], "ldap_first_entry() failed"); - } - - soavals = ldap_get_values(ld, e, "SOARecord"); - if (soavals) - break; - } - - ldap_msgfree(res); - if (!soavals) { - err(argv[0], "No SOA Record found"); - } - - /* We have a SOA, compare serial numbers */ - /* Only checkinf first value, should be only one */ - s = strchr(soavals[0], ' '); - s++; - s = strchr(s, ' '); - s++; - serial = s; - s = strchr(s, ' '); - *s = '\0'; - if (!strcmp(serial, argv[4])) { - ldap_value_free(soavals); - err(argv[0], "serial numbers match"); - } - ldap_value_free(soavals); - } - - if (!fltr) - fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1); - if (!fltr) - err(argv[0], "Malloc failed"); - sprintf(fltr, "(zoneName=%s)", argv[1]); - - msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0); - if (msgid == -1) - err(argv[0], "ldap_search() failed"); - - while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) { - /* not supporting continuation references at present */ - if (rc != LDAP_RES_SEARCH_ENTRY) - err(argv[0], "ldap_result() returned cont.ref? Exiting"); - - /* only one entry per result message */ - e = ldap_first_entry(ld, res); - if (e == NULL) { - ldap_msgfree(res); - err(argv[0], "ldap_first_entry() failed"); - } - - names = ldap_get_values_len(ld, e, "relativeDomainName"); - if (!names) - continue; - - ttlvals = ldap_get_values(ld, e, "dNSTTL"); - ttl = ttlvals ? 
ttlvals[0] : defaultttl; - - for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) { - char *s; - - for (s = a; *s; s++) - *s = toupper(*s); - s = strstr(a, "RECORD"); - if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) { - ldap_memfree(a); - continue; - } - - strncpy(type, a, s - a); - type[s - a] = '\0'; - vals = ldap_get_values_len(ld, e, a); - if (vals) { - for (i = 0; vals[i]; i++) - for (j = 0; names[j]; j++) - if (putrr(&zone, names[j], type, ttl, vals[i])) - err(argv[0], "malloc failed"); - ldap_value_free_len(vals); - } - ldap_memfree(a); - } - - if (ptr) - ber_free(ptr, 0); - if (ttlvals) - ldap_value_free(ttlvals); - ldap_value_free_len(names); - /* free this result */ - ldap_msgfree(res); - } - - /* free final result */ - ldap_msgfree(res); - - print_zone(defaultttl, zone); - return 0; -} diff --git a/makefile-replace-libs.py b/makefile-replace-libs.py deleted file mode 100755 index 90cb0de..0000000 --- a/makefile-replace-libs.py +++ /dev/null 
@@ -1,143 +0,0 @@ -#!/usr/bin/python3 -# -# Makefile modificator -# -# Should help in building bin/tests/system tests standalone, -# linked to libraries installed into the system. -# TODO: -# - Fix top_srcdir, because dyndb/driver/Makefile uses $TOPSRC/mkinstalldirs -# - Fix conf.sh to contain paths to system tools -# - Export $TOP/version somewhere, where it would be used -# - system tests needs bin/tests code. Do not include just bin/tests/system -# -# Possible solution: -# -# sed -e 's/$TOP\/s\?bin\/\(delv\|confgen\|named\|nsupdate\|pkcs11\|python\|rndc\|check\|dig\|dnssec\|tools\)\/\([[:alnum:]-]\+\)/`type -p \2`/' conf.sh -# sed -e 's,../../../../\(isc-config.sh\),\1,' builtin/tests.sh -# or use: $NAMED -V | head -1 | cut -d ' ' -f 2 - -import re -import argparse - -""" -Script for replacing Makefile ISC_INCLUDES with runtime flags. - -Should translate part of Makefile to use isc-config.sh instead static linked sources. -ISC_INCLUDES = -I/home/pemensik/rhel/bind/bind-9.11.12/build/lib/isc/include \ - -I${top_srcdir}/lib/isc \ - -I${top_srcdir}/lib/isc/include \ - -I${top_srcdir}/lib/isc/unix/include \ - -I${top_srcdir}/lib/isc/pthreads/include \ - -I${top_srcdir}/lib/isc/x86_32/include - -Should be translated to: -ISC_INCLUDES = $(shell isc-config.sh --cflags isc) -""" - -def isc_config(mode, lib): - if mode: - return '$(shell isc-config.sh {mode} {lib})'.format(mode=mode, lib=lib) - else: - return '' - -def check_match(match, debug=False): - """ - Check this definition is handled by internal library - """ - if not match: - return False - lib = match.group(2).lower() - ok = not lib_filter or lib in lib_filter - if debug: - print('{status} {lib}: {text}'.format(status=ok, lib=lib, text=match.group(1))) - return ok - -def fix_line(match, mode): - lib = match.group(2).lower() - return match.group(1)+isc_config(mode, lib)+"\n" - -def fix_file_lines(path, debug=False): - """ - Opens file and scans fixes selected parameters - - Returns list of lines if something 
should be changed, - None if no action is required - """ - fixed = [] - changed = False - with open(path, 'r') as fin: - fout = None - - line = next(fin, None) - while line: - appended = False - while line.endswith("\\\n"): - line += next(fin, None) - - inc = re_includes.match(line) - deplibs = re_deplibs.match(line) - libs = re_libs.match(line) - newline = None - if check_match(inc, debug=debug): - newline = fix_line(inc, '--cflags') - elif check_match(deplibs, debug=debug): - newline = fix_line(libs, None) - elif check_match(libs, debug=debug): - newline = fix_line(libs, '--libs') - - if newline and line != newline: - changed = True - line = newline - - fixed.append(line) - line = next(fin, None) - - if not changed: - return None - else: - return fixed - -def write_lines(path, lines): - fout = open(path, 'w') - for line in lines: - fout.write(line) - fout.close() - -def print_lines(lines): - for line in lines: - print(line, end='') - -if __name__ == '__main__': - parser = argparse.ArgumentParser(description='Makefile multiline include replacer') - parser.add_argument('files', nargs='+') - parser.add_argument('--filter', type=str, - default='isc isccc isccfg dns lwres bind9 irs', - help='List of libraries supported by isc-config.sh') - parser.add_argument('--check', action='store_true', - help='Test file only') - parser.add_argument('--print', action='store_true', - help='Print changed file only') - parser.add_argument('--debug', action='store_true', - help='Enable debug outputs') - - args = parser.parse_args() - lib_filter = None - - re_includes = re.compile(r'^\s*((\w+)_INCLUDES\s+=\s*).*') - re_deplibs = re.compile(r'^\s*((\w+)DEPLIBS\s*=).*') - re_libs = re.compile(r'^\s*((\w+)LIBS\s*=).*') - - if args.filter: - lib_filter = set(args.filter.split(' ')) - pass - - for path in args.files: - lines = fix_file_lines(path, debug=args.debug) - if lines: - if args.print: - print_lines(lines) - elif not args.check: - write_lines(path, lines) - print('File {path} was 
fixed'.format(path=path))
- else:
- print('File {path} does not need fixing'.format(path=path))
diff --git a/plans.fmf b/plans.fmf
deleted file mode 100644
index a15a672..0000000
--- a/plans.fmf
+++ /dev/null
@@ -1,39 +0,0 @@
-environment+:
- PACKAGE: bind9.18
-
-/tier1-internal:
- plan:
- import:
- url: https://src.fedoraproject.org/tests/bind.git
- name: /plans/bind9.18/tier1/internal
-
-/tier1-public:
- plan:
- import:
- url: https://src.fedoraproject.org/tests/bind.git
- name: /plans/bind9.18/tier1/public
-
-
-/tier2-tier3-internal:
- plan:
- import:
- url: https://src.fedoraproject.org/tests/bind.git
- name: /plans/bind9.18/tier2-tier3/internal
-
-/tier2-tier3-public:
- plan:
- import:
- url: https://src.fedoraproject.org/tests/bind.git
- name: /plans/bind9.18/tier2-tier3/public
-
-/others-internal:
- plan:
- import:
- url: https://src.fedoraproject.org/tests/bind.git
- name: /plans/bind9.18/others/internal
-
-/others-public:
- plan:
- import:
- url: https://src.fedoraproject.org/tests/bind.git
- name: /plans/bind9.18/others/public
diff --git a/softhsm2.conf.in b/softhsm2.conf.in
deleted file mode 100644
index 1f39320..0000000
--- a/softhsm2.conf.in
+++ /dev/null
@@ -1,10 +0,0 @@
-# SoftHSM v2 configuration file
-
-directories.tokendir = @TOKENPATH@
-objectstore.backend = file
-
-# ERROR, WARNING, INFO, DEBUG
-log.level = ERROR
-
-# If CKF_REMOVABLE_DEVICE flag should be set
-slots.removable = false
diff --git a/sources b/sources
deleted file mode 100644
index f0ecde1..0000000
--- a/sources
+++ /dev/null
@@ -1,2 +0,0 @@
-SHA512 (bind-9.18.29.tar.xz) = 6c2676e2e2cb90f3bd73afb367813c54d1c961e12df1e12e41b9d0ee5a1d5cdf368d81410469753eaef37e43358b56796f078f3b2f20c3b247c4bef91d56c716
-SHA512 (bind-9.18.29.tar.xz.asc) = 6612c7151c4c1736e0237b8219cefbafbc1dcd4b04ad9b12b99cba703e6debde90d2f9838dd1465a47b9a002a598d9b8f3221dfe1a3bdc41436a92e6d06db472