import OL bind9.18-9.18.29-5.el9_7.2

.bind9.18.metadata

@@ -0,0 +1 @@
+33ff5a86e56d65859358749654ea848809bd4532 SOURCES/bind-9.18.29.tar.xz

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,232 +1 @@
-bind-9.7.1-P2.tar.gz
-config-8.tar.bz2
-bind-9.7.2b1.tar.gz
-/config-8.tar.bz2
-/bind-9.7.2rc1.tar.gz
-/bind-9.7.2.tar.gz
-/bind-9.7.2-P2.tar.gz
-/bind-9.7.2-P3.tar.gz
-/bind-9.7.3b1.tar.gz
-/bind-9.7.3rc1.tar.gz
-/bind-9.7.3.tar.gz
-/bind-9.8.0rc1.tar.gz
-/bind-9.8.0.tar.gz
-/bind-9.8.0-P1.tar.gz
-/bind-9.8.0-P2.tar.gz
-/bind-9.8.0-P4.tar.gz
-/bind-9.8.1rc1.tar.gz
-/bind-9.8.1.tar.gz
-/bind-9.9.0b1.tar.gz
-/bind-9.9.0b2.tar.gz
-/bind-9.9.0rc1.tar.gz
-/bind-9.9.0rc2.tar.gz
-/bind-9.9.0.tar.gz
-/bind-9.9.1.tar.gz
-/bind-9.9.1-P1.tar.gz
-/bind-9.9.1-P2.tar.gz
-/bind-9.9.1-P3.tar.gz
-/bind-9.9.2.tar.gz
-/bind-9.9.2-P1.tar.gz
-/config-9.tar.bz2
-/config-10.tar.bz2
-/bind-9.9.2-P2.tar.gz
-/bind-9.9.3rc1.tar.gz
-/config-11.tar.bz2
-/bind-9.9.3rc2.tar.gz
-/bind-9.9.3.tar.gz
-/bind-9.9.3-P1.tar.gz
-/bind-9.9.4b1.tar.gz
-/bind-9.9.4rc1.tar.gz
-/bind-9.9.4rc2.tar.gz
-/bind-9.9.4.tar.gz
-/config-12.tar.bz2
-/bind-9.9.5b1.tar.gz
-/bind-9.9.5rc2.tar.gz
-/bind-9.9.5.tar.gz
-/bind-9.9.5-P1.tar.gz
-/bind-9.9.6.tar.gz
-/bind-9.9.6-P1.tar.gz
-/bind-9.10.1b2.tar.gz
-/bind-9.10.1.tar.gz
-/bind-9.10.1-P1.tar.gz
-/bind-9.10.2rc1.tar.gz
-/bind-9.10.2rc2.tar.gz
-/bind-9.10.2.tar.gz
-/config-13.tar.bz2
-/config-14.tar.bz2
-/bind-9.10.2-P1.tar.gz
-/bind-9.10.2-P2.tar.gz
-/bind-9.10.2-P3.tar.gz
-/bind-9.10.3rc1.tar.gz
-/bind-9.10.3.tar.gz
-/bind-9.10.3-P2.tar.gz
-/config-15.tar.bz2
-/bind-9.10.3-P3.tar.gz
-/bind-9.10.3-P4.tar.gz
-/bind-9.10.4-P1.tar.gz
-/bind-9.10.4-P2.tar.gz
-/bind-9.10.4-P3.tar.gz
-/bind-9.10.4-P4.tar.gz
-/bind-9.11.0-P1.tar.gz
-/bind-9.11.0-P2.tar.gz
-/bind-9.11.0-P3.tar.gz
-/bind-9.11.0-P5.tar.gz
-/config-16.tar.bz2
-/bind-9.11.1-P1.tar.gz
-/bind-9.11.1-P2.tar.gz
-/bind-9.11.1-P3.tar.gz
-/bind-9.11.2b1.tar.gz
-/bind-9.11.2.tar.gz
-/config-17.tar.bz2
-/bind-9.11.2-P1.tar.gz
-/bind-9.11.3b1.tar.gz
-/bind-9.11.3.tar.gz
-/config-18.tar.bz2
-/bind-9.11.4rc1.tar.gz
-/bind-9.11.4.tar.gz
-/bind-9.11.4-P1.tar.gz
-/bind-9.11.4-P2.tar.gz
-/bind-9.11.5.tar.gz
-/bind-9.11.5-P1.tar.gz
-/config-19.tar.bz2
-/bind-9.11.5-P4.tar.gz
-/bind-9.11.6.tar.gz
-/bind-9.11.6-P1.tar.gz
-/bind-9.11.7.tar.gz
-/bind-9.11.8.tar.gz
-/bind-9.11.9.tar.gz
-/bind-9.11.10.tar.gz
-/bind-9.11.11.tar.gz
-/bind-9.11.12.tar.gz
-/bind-9.11.13.tar.gz
-/bind-9.11.13.tar.gz.asc
-/bind-9.11.14.tar.gz
-/bind-9.11.14.tar.gz.asc
-/bind-9.11.17.tar.gz
-/bind-9.11.17.tar.gz.asc
-/bind-9.11.18.tar.gz
-/bind-9.11.18.tar.gz.asc
-/bind-9.11.19.tar.gz
-/bind-9.11.19.tar.gz.asc
-/bind-9.11.20.tar.gz
-/bind-9.11.20.tar.gz.asc
-/bind-9.11.21.tar.gz
-/bind-9.11.21.tar.gz.asc
-/bind-9.11.22.tar.gz
-/bind-9.11.22.tar.gz.asc
-/bind-9.11.23.tar.gz
-/bind-9.11.23.tar.gz.asc
-/bind-9.11.24.tar.gz
-/bind-9.11.24.tar.gz.asc
-/bind-9.11.25.tar.gz
-/bind-9.11.25.tar.gz.asc
-/bind-9.11.26.tar.gz
-/bind-9.11.26.tar.gz.asc
-/bind-9.16.1.tar.xz
-/bind-9.16.1.tar.xz.asc
-/bind-9.16.2.tar.xz
-/bind-9.16.2.tar.xz.asc
-/bind-9.16.4.tar.xz
-/bind-9.16.4.tar.xz.asc
-/bind-9.16.5.tar.xz
-/bind-9.16.5.tar.xz.asc
-/bind-9.16.6.tar.xz
-/bind-9.16.6.tar.xz.asc
-/bind-9.16.7.tar.xz
-/bind-9.16.7.tar.xz.asc
-/bind-9.16.8.tar.xz
-/bind-9.16.8.tar.xz.asc
-/bind-9.16.9.tar.xz
-/bind-9.16.9.tar.xz.asc
-/bind-9.16.10.tar.xz
-/bind-9.16.10.tar.xz.asc
-/bind-9.16.11.tar.xz
-/bind-9.16.11.tar.xz.asc
-/bind-9.16.13.tar.xz
-/bind-9.16.13.tar.xz.asc
-/bind-9.16.15.tar.xz
-/bind-9.16.15.tar.xz.asc
-/bind-9.16.16.tar.xz
-/bind-9.16.16.tar.xz.asc
-/bind-9.16.17.tar.xz
-/bind-9.16.17.tar.xz.asc
-/bind-9.16.18.tar.xz
-/bind-9.16.18.tar.xz.asc
-/bind-9.16.19.tar.xz
-/bind-9.16.19.tar.xz.asc
-/bind-9.16.20.tar.xz
-/bind-9.16.20.tar.xz.asc
-/bind-9.16.21.tar.xz
-/bind-9.16.21.tar.xz.asc
-/bind-9.16.22.tar.xz
-/bind-9.16.22.tar.xz.asc
-/bind-9.16.23.tar.xz
-/bind-9.16.23.tar.xz.asc
-/bind-9.16.24.tar.xz
-/bind-9.16.24.tar.xz.asc
-/bind-9.16.25.tar.xz
-/bind-9.16.25.tar.xz.asc
-/bind-9.16.26.tar.xz
-/bind-9.16.26.tar.xz.asc
-/bind-9.16.27.tar.xz
-/bind-9.16.27.tar.xz.asc
-/bind-9.16.28.tar.xz
-/bind-9.16.28.tar.xz.asc
-/bind-9.16.29.tar.xz
-/bind-9.16.29.tar.xz.asc
-/bind-9.16.30.tar.xz
-/bind-9.16.30.tar.xz.asc
-/bind-9.18.0.tar.xz
-/bind-9.18.0.tar.xz.asc
-/bind-9.18.1.tar.xz
-/bind-9.18.1.tar.xz.asc
-/bind-9.18.2.tar.xz
-/bind-9.18.2.tar.xz.asc
-/bind-9.18.3.tar.xz
-/bind-9.18.3.tar.xz.asc
-/bind-9.18.4.tar.xz
-/bind-9.18.4.tar.xz.asc
-/bind-9.18.5.tar.xz
-/bind-9.18.5.tar.xz.asc
-/bind-9.18.6.tar.xz
-/bind-9.18.6.tar.xz.asc
-/bind-9.18.7.tar.xz
-/bind-9.18.7.tar.xz.asc
-/bind-9.18.8.tar.xz
-/bind-9.18.8.tar.xz.asc
-/bind-9.18.9.tar.xz
-/bind-9.18.9.tar.xz.asc
-/bind-9.18.10.tar.xz
-/bind-9.18.10.tar.xz.asc
-/bind-9.18.11.tar.xz
-/bind-9.18.11.tar.xz.asc
-/bind-9.18.12.tar.xz
-/bind-9.18.12.tar.xz.asc
-/bind-9.18.13.tar.xz
-/bind-9.18.13.tar.xz.asc
-/bind-9.18.14.tar.xz
-/bind-9.18.14.tar.xz.asc
-/bind-9.18.15.tar.xz
-/bind-9.18.15.tar.xz.asc
-/bind-9.18.16.tar.xz
-/bind-9.18.16.tar.xz.asc
-/bind-9.18.17.tar.xz
-/bind-9.18.17.tar.xz.asc
-/bind-9.18.18.tar.xz
-/bind-9.18.18.tar.xz.asc
-/bind-9.18.19.tar.xz
-/bind-9.18.19.tar.xz.asc
-/bind-9.18.20.tar.xz
-/bind-9.18.20.tar.xz.asc
-/bind-9.18.21.tar.xz
-/bind-9.18.21.tar.xz.asc
-/bind-9.18.24.tar.xz
-/bind-9.18.24.tar.xz.asc
-/bind-9.18.26.tar.xz
-/bind-9.18.26.tar.xz.asc
-/bind-9.18.27.tar.xz
-/bind-9.18.27.tar.xz.asc
-/bind-9.18.28.tar.xz
-/bind-9.18.28.tar.xz.asc
-/bind-9.18.29.tar.xz
-/bind-9.18.29.tar.xz.asc
+SOURCES/bind-9.18.29.tar.xz

Changes.md

@@ -1,43 +0,0 @@
-# Significant Changes in BIND9 package
-
-## BIND 9.16
-
-### New features
-
-- *libuv* is used for network subsystem as a mandatory dependency
-- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy
-  ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP)))
-- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors*
-- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format
-- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output
-
-### Feature changes
-
-- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together.
-- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default
-- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default).
-  Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed.
-- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them
-
-### Features removed
-
-- *dnssec-enable* option is obsolete, DNSSEC support is always enabled
-- *dnssec-lookaside* option is deprecated and support for it removed from all tools
-- *cleaning-interval* option is removed
-
-### Upstream release notes
-
-- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10)
-- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0)
-
-## BIND 9.14
-
-- single thread support removed. Cannot provide *bind-export-libs* for DHCP
-- *lwres* support completely removed. Both daemon and library
-- common parts of daemon moved into *libns* shared library
-- introduced plugin for filtering aaaa responses
-- some SDB utilities no longer supported
-
-### Upstream release notes
-
-- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)

README.md

@@ -1,33 +0,0 @@
-# BIND 9
-
-[BIND (Berkeley Internet Name Domain)](https://www.isc.org/downloads/bind/doc/) is a complete, highly portable
-implementation of the DNS (Domain Name System) protocol.
-
-Internet Systems Consortium
-([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
-corporation dedicated to providing software and services in support of the
-Internet infrastructure, developed BIND 9 and is responsible for its
-ongoing maintenance and improvement.
-
-More details about upstream project can be found on their
-[gitlab](https://gitlab.isc.org/isc-projects/bind9). This repository contains
-only upstream sources and packaging instructions for
-[Fedora Project](https://fedoraproject.org).
-
-## Subpackages
-
-The package contains several subpackages, some of them can be disabled on rebuild.
-
-* **bind** -- *named* daemon providing DNS server
-* **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host)
-* **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*.
-* **bind-license** -- Shared license for all packages but bind-export-libs.
-* **bind-libs** -- Shared libraries used by some others programs
-* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL`
-
-
-## Optional features
-
-* *GSSTSIG* -- Support for Kerberos authentication in BIND.
-* *LMDB* -- Support for dynamic database for managing runtime added zones. Provides faster removal of added zone with much less overhead. But requires lmdb linked to base libs.
-* *DLZ* -- Support for dynamic loaded modules providing support for features *bind-sdb* provides, but only small module is required.

SOURCES/bind-9.18-CVE-2024-11187-pre-test.patch

@@ -0,0 +1,68 @@
+From cd48dcb0f87f8bed8138cbc4635a6a46f3148620 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 7 Jan 2025 15:22:40 +0100
+Subject: [PATCH] Isolate using the -T noaa flag only for part of the resolver
+ test
+
+Instead of running the whole resolver/ns4 server with -T noaa flag,
+use it only for the part where it is actually needed.  The -T noaa
+could interfere with other parts of the test because the answers don't
+have the authoritative-answer bit set, and we could have false
+positives (or false negatives) in the test because the authoritative
+server doesn't follow the DNS protocol for all the tests in the resolver
+system test.
+
+(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
+---
+ bin/tests/system/resolver/ns4/named.noaa | 12 ------------
+ bin/tests/system/resolver/tests.sh       |  8 ++++++++
+ 2 files changed, 8 insertions(+), 12 deletions(-)
+ delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
+
+diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
+deleted file mode 100644
+index be78cc2c949..00000000000
+--- a/bin/tests/system/resolver/ns4/named.noaa
++++ /dev/null
+@@ -1,12 +0,0 @@
+-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-
+-SPDX-License-Identifier: MPL-2.0
+-
+-This Source Code Form is subject to the terms of the Mozilla Public
+-License, v. 2.0.  If a copy of the MPL was not distributed with this
+-file, you can obtain one at https://mozilla.org/MPL/2.0/.
+-
+-See the COPYRIGHT file distributed with this work for additional
+-information regarding copyright ownership.
+-
+-Add -T noaa.
+diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
+index 982ff9761be..23b42f728cd 100755
+--- a/bin/tests/system/resolver/tests.sh
++++ b/bin/tests/system/resolver/tests.sh
+@@ -322,6 +322,10 @@ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ 
++stop_server ns4
++touch ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=$((n + 1))
+ echo_i "RT21594 regression test check setup ($n)"
+ ret=0
+@@ -358,6 +362,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ 
++stop_server ns4
++rm ns4/named.noaa
++start_server --noclean --restart --port ${PORT} ns4 || ret=1
++
+ n=$((n + 1))
+ echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
+ ret=0
+-- 
+2.48.1
+

SOURCES/bind-9.18-CVE-2024-11187.patch

@@ -0,0 +1,226 @@
+From 7ded6b358ced23bb6214c7309cff0850b7d1b77d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 14 Nov 2024 10:37:29 +0100
+Subject: [PATCH] Limit the additional processing for large RDATA sets
+
+When answering queries, don't add data to the additional section if
+the answer has more than 13 names in the RDATA.  This limits the
+number of lookups into the database(s) during a single client query,
+reducing query processing load.
+
+Also, don't append any additional data to type=ANY queries. The
+answer to ANY is already big enough.
+
+(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
+---
+ bin/tests/system/additional/tests.sh |  2 +-
+ lib/dns/include/dns/rdataset.h       | 10 +++++++++-
+ lib/dns/rbtdb.c                      |  2 +-
+ lib/dns/rdataset.c                   |  7 ++++++-
+ lib/dns/resolver.c                   | 19 ++++++++++++-------
+ lib/ns/query.c                       | 12 ++++++++----
+ 6 files changed, 37 insertions(+), 15 deletions(-)
+
+diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
+index 193c9f9..e1b0cfb 100644
+--- a/bin/tests/system/additional/tests.sh
++++ b/bin/tests/system/additional/tests.sh
+@@ -279,7 +279,7 @@ n=$((n + 1))
+ echo_i "testing with 'minimal-any no;' ($n)"
+ ret=0
+ $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1
+-grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1
++grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
+ if [ $ret -eq 1 ]; then
+   echo_i "failed"
+   status=$((status + 1))
+diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
+index f63591c..b28686a 100644
+--- a/lib/dns/include/dns/rdataset.h
++++ b/lib/dns/include/dns/rdataset.h
+@@ -54,6 +54,8 @@
+ #include <dns/rdatastruct.h>
+ #include <dns/types.h>
+ 
++#define DNS_RDATASET_MAXADDITIONAL 13
++
+ ISC_LANG_BEGINDECLS
+ 
+ typedef enum {
+@@ -453,7 +455,8 @@ dns_rdataset_towirepartial(dns_rdataset_t   *rdataset,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t	    *rdataset,
+ 			    const dns_name_t	    *owner_name,
+-			    dns_additionaldatafunc_t add, void *arg);
++			    dns_additionaldatafunc_t add, void *arg,
++			    size_t limit);
+ /*%<
+  * For each rdata in rdataset, call 'add' for each name and type in the
+  * rdata which is subject to additional section processing.
+@@ -472,10 +475,15 @@ dns_rdataset_additionaldata(dns_rdataset_t	    *rdataset,
+  *\li	If a call to dns_rdata_additionaldata() is not successful, the
+  *	result returned will be the result of dns_rdataset_additionaldata().
+  *
++ *\li	If 'limit' is non-zero and the number of the rdatasets is larger
++ *	than 'limit', no additional data will be processed.
++ *
+  * Returns:
+  *
+  *\li	#ISC_R_SUCCESS
+  *
++ *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
++ *
+  *\li	Any error that dns_rdata_additionaldata() can return.
+  */
+ 
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 5c2f0b2..c4db047 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -10317,7 +10317,7 @@ no_glue:
+ 	idx = hash_32(hash, rbtversion->glue_table_bits);
+ 
+ 	(void)dns_rdataset_additionaldata(rdataset, dns_rootname,
+-					  glue_nsdname_cb, &ctx);
++					  glue_nsdname_cb, &ctx, 0);
+ 
+ 	cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur));
+ 
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index 4d48203..0b450a9 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -577,7 +577,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+ isc_result_t
+ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ 			    const dns_name_t *owner_name,
+-			    dns_additionaldatafunc_t add, void *arg) {
++			    dns_additionaldatafunc_t add, void *arg,
++			    size_t limit) {
+ 	dns_rdata_t rdata = DNS_RDATA_INIT;
+ 	isc_result_t result;
+ 
+@@ -589,6 +590,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ 	REQUIRE(DNS_RDATASET_VALID(rdataset));
+ 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ 
++	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
++		return DNS_R_TOOMANYRECORDS;
++	}
++
+ 	result = dns_rdataset_first(rdataset);
+ 	if (result != ISC_R_SUCCESS) {
+ 		return (result);
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index f8f53d2..bb0bfa1 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8904,7 +8904,7 @@ rctx_answer_any(respctx_t *rctx) {
+ 		rdataset->trust = rctx->trust;
+ 
+ 		(void)dns_rdataset_additionaldata(rdataset, rctx->aname,
+-						  check_related, rctx);
++						  check_related, rctx, 0);
+ 	}
+ 
+ 	return (ISC_R_SUCCESS);
+@@ -8952,7 +8952,7 @@ rctx_answer_match(respctx_t *rctx) {
+ 	rctx->ardataset->attributes |= DNS_RDATASETATTR_CACHE;
+ 	rctx->ardataset->trust = rctx->trust;
+ 	(void)dns_rdataset_additionaldata(rctx->ardataset, rctx->aname,
+-					  check_related, rctx);
++					  check_related, rctx, 0);
+ 
+ 	for (sigrdataset = ISC_LIST_HEAD(rctx->aname->list);
+ 	     sigrdataset != NULL;
+@@ -9159,7 +9159,7 @@ rctx_authority_positive(respctx_t *rctx) {
+ 					 */
+ 					(void)dns_rdataset_additionaldata(
+ 						rdataset, name, check_related,
+-						rctx);
++						rctx, 0);
+ 					done = true;
+ 				}
+ 			}
+@@ -9666,8 +9666,12 @@ rctx_referral(respctx_t *rctx) {
+ 	 */
+ 	INSIST(rctx->ns_rdataset != NULL);
+ 	FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
++
++	/*
++	 * Mark the glue records in the additional section to be cached.
++	 */
+ 	(void)dns_rdataset_additionaldata(rctx->ns_rdataset, rctx->ns_name,
+-					  check_related, rctx);
++					  check_related, rctx, 0);
+ #if CHECK_FOR_GLUE_IN_ANSWER
+ 	/*
+ 	 * Look in the answer section for "glue" that is incorrectly
+@@ -9679,8 +9683,9 @@ rctx_referral(respctx_t *rctx) {
+ 	if (rctx->glue_in_answer &&
+ 	    (fctx->type == dns_rdatatype_aaaa || fctx->type == dns_rdatatype_a))
+ 	{
+-		(void)dns_rdataset_additionaldata(
+-			rctx->ns_rdataset, rctx->ns_name, check_answer, fctx);
++		(void)dns_rdataset_additionaldata(rctx->ns_rdataset,
++						  rctx->ns_name, check_answer,
++						  fctx, 0);
+ 	}
+ #endif /* if CHECK_FOR_GLUE_IN_ANSWER */
+ 	FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
+@@ -9782,7 +9787,7 @@ again:
+ 			if (CHASE(rdataset)) {
+ 				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+ 				(void)dns_rdataset_additionaldata(
+-					rdataset, name, check_related, rctx);
++					rdataset, name, check_related, rctx, 0);
+ 				rescan = true;
+ 			}
+ 		}
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 5549e20..ded1eae 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -2094,7 +2094,8 @@ addname:
+ 	if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
+ 		if (client->additionaldepth++ < client->view->max_restarts) {
+ 			eresult = dns_rdataset_additionaldata(
+-				trdataset, fname, query_additional_cb, qctx);
++				trdataset, fname, query_additional_cb, qctx,
++				DNS_RDATASET_MAXADDITIONAL);
+ 		}
+ 		client->additionaldepth--;
+ 	}
+@@ -2194,7 +2195,7 @@ regular:
+ 	 * We don't care if dns_rdataset_additionaldata() fails.
+ 	 */
+ 	(void)dns_rdataset_additionaldata(rdataset, name, query_additional_cb,
+-					  qctx);
++					  qctx, DNS_RDATASET_MAXADDITIONAL);
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+ 
+@@ -2220,7 +2221,8 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 	 * To the current response for 'client', add the answer RRset
+ 	 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+ 	 * owner name '*namep', to section 'section', unless they are
+-	 * already there.  Also add any pertinent additional data.
++	 * already there.  Also add any pertinent additional data, unless
++	 * the query was for type ANY.
+ 	 *
+ 	 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+ 	 * stored in 'dbuf'.  In this case, query_addrrset() guarantees that
+@@ -2275,7 +2277,9 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 	 */
+ 	query_addtoname(mname, rdataset);
+ 	query_setorder(qctx, mname, rdataset);
+-	query_additional(qctx, mname, rdataset);
++	if (qctx->qtype != dns_rdatatype_any) {
++		query_additional(qctx, mname, rdataset);
++	}
+ 
+ 	/*
+ 	 * Note: we only add SIGs if we've added the type they cover, so
+-- 
+2.48.1
+

SOURCES/bind-9.18-CVE-2025-40778.patch

@@ -0,0 +1,781 @@
+From 69783c72b5db5f96518839508829e20b75b96f86 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 10 Jul 2025 09:37:36 +1000
+Subject: [PATCH] Tighten restrictions on caching NS RRsets in authority
+ section
+
+To prevent certain spoofing attacks, a new check has been added
+to the existing rules for whether NS data can be cached: the owner
+name of the NS RRset must be an ancestor of the name being queried.
+
+(cherry picked from commit fa153f791f9324bf84abf8d259e11c0531fe6e25)
+(cherry picked from commit 025d61bacd0f57f994a631654aff7a933d89a547)
+
+Further restrict addresses that are cached when processing referrals
+
+Use the owner name of the NS record as the bailwick apex name
+when determining which additional records to cache, rather than
+the name of the delegating zone (or a parent thereof).
+
+(cherry picked from commit a41054e9e606a61f1b3c8bc0c54e2f1059347165)
+(cherry picked from commit cd17dfe696cdf9b8ef23fbc8738de7c79f957846)
+
+Retry lookups with unsigned DNAME over TCP
+
+To prevent spoofed unsigned DNAME responses being accepted retry
+response with unsigned DNAMEs over TCP if the response is not TSIG
+signed or there isn't a good DNS CLIENT COOKIE.
+
+To prevent test failures, this required adding TCP support to the
+ans3 and ans4 servers in the chain system test.
+
+(cherry picked from commit 2e40705c06831988106335ed77db3cf924d431f6)
+(cherry picked from commit 4c6d03b0bb2ffbafcde8e8a5bc0e49908b978a72)
+---
+ bin/tests/system/chain/ans3/ans.pl | 143 -------------------
+ bin/tests/system/chain/ans3/ans.py | 217 +++++++++++++++++++++++++++++
+ bin/tests/system/chain/ans4/ans.py |  57 ++++++--
+ lib/dns/include/dns/message.h      |   8 ++
+ lib/dns/message.c                  |  12 ++
+ lib/dns/resolver.c                 | 110 ++++++++++++---
+ 6 files changed, 374 insertions(+), 173 deletions(-)
+ delete mode 100644 bin/tests/system/chain/ans3/ans.pl
+ create mode 100644 bin/tests/system/chain/ans3/ans.py
+
+diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl
+deleted file mode 100644
+index e42240b..0000000
+--- a/bin/tests/system/chain/ans3/ans.pl
++++ /dev/null
+@@ -1,143 +0,0 @@
+-#!/usr/bin/env perl
+-
+-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+-#
+-# SPDX-License-Identifier: MPL-2.0
+-#
+-# This Source Code Form is subject to the terms of the Mozilla Public
+-# License, v. 2.0.  If a copy of the MPL was not distributed with this
+-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+-#
+-# See the COPYRIGHT file distributed with this work for additional
+-# information regarding copyright ownership.
+-
+-use strict;
+-use warnings;
+-
+-use IO::File;
+-use Getopt::Long;
+-use Net::DNS::Nameserver;
+-
+-my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+-print $pidf "$$\n" or die "cannot write pid file: $!";
+-$pidf->close or die "cannot close pid file: $!";
+-sub rmpid { unlink "ans.pid"; exit 1; };
+-sub term { };
+-
+-$SIG{INT} = \&rmpid;
+-if ($Net::DNS::VERSION > 1.41) {
+-    $SIG{TERM} = \&term;
+-} else {
+-    $SIG{TERM} = \&rmpid;
+-}
+-
+-my $localaddr = "10.53.0.3";
+-
+-my $localport = int($ENV{'PORT'});
+-if (!$localport) { $localport = 5300; }
+-
+-my $verbose = 0;
+-my $ttl = 60;
+-my $zone = "example.broken";
+-my $nsname = "ns3.$zone";
+-my $synth = "synth-then-dname.$zone";
+-my $synth2 = "synth2-then-dname.$zone";
+-
+-sub reply_handler {
+-    my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
+-    my ($rcode, @ans, @auth, @add);
+-
+-    print ("request: $qname/$qtype\n");
+-    STDOUT->flush();
+-
+-    if ($qname eq "example.broken") {
+-        if ($qtype eq "SOA") {
+-	    my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0");
+-	    push @ans, $rr;
+-        } elsif ($qtype eq "NS") {
+-	    my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname");
+-	    push @ans, $rr;
+-	    $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr");
+-	    push @add, $rr;
+-        }
+-        $rcode = "NOERROR";
+-    } elsif ($qname eq "cname-to-$synth2") {
+-        my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2");
+-	push @ans, $rr;
+-        $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name");
+-	push @ans, $rr;
+-        $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+-	push @ans, $rr;
+-	$rcode = "NOERROR";
+-    } elsif ($qname eq "$synth" || $qname eq "$synth2") {
+-	if ($qtype eq "DNAME") {
+-	    my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME .");
+-	    push @ans, $rr;
+-	}
+-	$rcode = "NOERROR";
+-    } elsif ($qname eq "name.$synth") {
+-	my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+-	push @ans, $rr;
+-	$rr = new Net::DNS::RR("$synth $ttl $qclass DNAME .");
+-	push @ans, $rr;
+-	$rcode = "NOERROR";
+-    } elsif ($qname eq "name.$synth2") {
+-	my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+-	push @ans, $rr;
+-	$rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+-	push @ans, $rr;
+-	$rcode = "NOERROR";
+-    # The following three code branches referring to the "example.dname"
+-    # zone are necessary for the resolver variant of the CVE-2021-25215
+-    # regression test to work.  A named instance cannot be used for
+-    # serving the DNAME records below as a version of BIND vulnerable to
+-    # CVE-2021-25215 would crash while answering the queries asked by
+-    # the tested resolver.
+-    } elsif ($qname eq "ns3.example.dname") {
+-	if ($qtype eq "A") {
+-		my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3");
+-		push @ans, $rr;
+-	}
+-	if ($qtype eq "AAAA") {
+-		my $rr = new Net::DNS::RR("example.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl");
+-		push @auth, $rr;
+-	}
+-	$rcode = "NOERROR";
+-    } elsif ($qname eq "self.example.self.example.dname") {
+-	my $rr = new Net::DNS::RR("self.example.dname. $ttl $qclass DNAME dname.");
+-	push @ans, $rr;
+-	$rr = new Net::DNS::RR("$qname $ttl $qclass CNAME self.example.dname.");
+-	push @ans, $rr;
+-	$rcode = "NOERROR";
+-    } elsif ($qname eq "self.example.dname") {
+-	if ($qtype eq "DNAME") {
+-		my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME dname.");
+-		push @ans, $rr;
+-	}
+-	$rcode = "NOERROR";
+-    } else {
+-	$rcode = "REFUSED";
+-    }
+-    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+-}
+-
+-GetOptions(
+-    'port=i' => \$localport,
+-    'verbose!' => \$verbose,
+-);
+-
+-my $ns = Net::DNS::Nameserver->new(
+-    LocalAddr => $localaddr,
+-    LocalPort => $localport,
+-    ReplyHandler => \&reply_handler,
+-    Verbose => $verbose,
+-);
+-
+-if ($Net::DNS::VERSION >= 1.42) {
+-    $ns->start_server();
+-    select(undef, undef, undef, undef);
+-    $ns->stop_server();
+-    unlink "ans.pid";
+-} else {
+-    $ns->main_loop;
+-}
+diff --git a/bin/tests/system/chain/ans3/ans.py b/bin/tests/system/chain/ans3/ans.py
+new file mode 100644
+index 0000000..0a031c1
+--- /dev/null
++++ b/bin/tests/system/chain/ans3/ans.py
+@@ -0,0 +1,217 @@
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# SPDX-License-Identifier: MPL-2.0
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0.  If a copy of the MPL was not distributed with this
++# file, you can obtain one at https://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++
++############################################################################
++# ans.py: See README.anspy for details.
++############################################################################
++
++from __future__ import print_function
++import os
++import sys
++import signal
++import socket
++import select
++from datetime import datetime, timedelta
++import functools
++
++import dns, dns.message, dns.query
++from dns.rdatatype import *
++from dns.rdataclass import *
++from dns.rcode import *
++from dns.name import *
++
++
++############################################################################
++# Respond to a DNS query.
++############################################################################
++def create_response(msg):
++    ttl = 60
++    zone = "example.broken."
++    nsname = f"ns3.{zone}"
++    synth = f"synth-then-dname.{zone}"
++    synth2 = f"synth2-then-dname.{zone}"
++
++    m = dns.message.from_wire(msg)
++    qname = m.question[0].name.to_text()
++
++    # prepare the response and convert to wire format
++    r = dns.message.make_response(m)
++
++    # get qtype
++    rrtype = m.question[0].rdtype
++    qtype = dns.rdatatype.to_text(rrtype)
++    print(f"request: {qname}/{qtype}")
++
++    rcode = "NOERROR"
++    if qname == zone:
++        if qtype == "SOA":
++            r.answer.append(dns.rrset.from_text(qname, ttl, IN, SOA, ". . 0 0 0 0 0"))
++        elif qtype == "NS":
++            r.answer.append(dns.rrset.from_text(qname, ttl, IN, NS, nsname))
++            r.additional.append(dns.rrset.from_text(nsname, ttl, IN, A, ip4))
++    elif qname == f"cname-to-{synth2}":
++        r.answer.append(dns.rrset.from_text(qname, ttl, IN, CNAME, f"name.{synth2}"))
++        r.answer.append(dns.rrset.from_text(f"name.{synth2}", ttl, IN, CNAME, "name."))
++        r.answer.append(dns.rrset.from_text(synth2, ttl, IN, DNAME, "."))
++    elif qname == f"{synth}" or qname == f"{synth2}":
++        if qtype == "DNAME":
++            r.answer.append(dns.rrset.from_text(qname, ttl, IN, DNAME, "."))
++    elif qname == f"name.{synth}":
++        r.answer.append(dns.rrset.from_text(qname, ttl, IN, CNAME, "name."))
++        r.answer.append(dns.rrset.from_text(synth, ttl, IN, DNAME, "."))
++    elif qname == f"name.{synth2}":
++        r.answer.append(dns.rrset.from_text(qname, ttl, IN, CNAME, "name."))
++        r.answer.append(dns.rrset.from_text(synth2, ttl, IN, DNAME, "."))
++    elif qname == "ns3.example.dname.":
++        # This and the next two code branches referring to the "example.dname"
++        # zone are necessary for the resolver variant of the CVE-2021-25215
++        # regression test to work.  A named instance cannot be used for
++        # serving the DNAME records below as a version of BIND vulnerable to
++        # CVE-2021-25215 would crash while answering the queries asked by
++        # the tested resolver.
++        if qtype == "A":
++            r.answer.append(dns.rrset.from_text(qname, ttl, IN, A, ip4))
++        elif qtype == "AAAA":
++            r.authority.append(
++                dns.rrset.from_text("example.dname.", ttl, IN, SOA, ". . 0 0 0 0 0")
++            )
++    elif qname == "self.example.self..example.dname.":
++        r.answer.append(
++            dns.rrset.from_text("self.example.dname.", ttl, IN, DNAME, "dname.")
++        )
++        r.answer.append(
++            dns.rrset.from_text(qname, ttl, IN, CNAME, "self.example.dname.")
++        )
++    elif qname == "self.example.dname.":
++        if qtype == "DNAME":
++            r.answer.append(dns.rrset.from_text(qname, ttl, IN, DNAME, "dname."))
++    else:
++        rcode = "REFUSED"
++
++    r.flags |= dns.flags.AA
++    r.use_edns()
++    return r.to_wire()
++
++
++def sigterm(signum, frame):
++    print("Shutting down now...")
++    os.remove("ans.pid")
++    running = False
++    sys.exit(0)
++
++
++############################################################################
++# Main
++#
++# Set up responder and control channel, open the pid file, and start
++# the main loop, listening for queries on the query channel or commands
++# on the control channel and acting on them.
++############################################################################
++ip4 = "10.53.0.3"
++ip6 = "fd92:7065:b8e:ffff::3"
++
++try:
++    port = int(os.environ["PORT"])
++except:
++    port = 5300
++
++query4_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++query4_udp.bind((ip4, port))
++
++query4_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++query4_tcp.bind((ip4, port))
++query4_tcp.listen(1)
++query4_tcp.settimeout(1)
++
++havev6 = True
++try:
++    query6_udp = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
++    try:
++        query6_udp.bind((ip6, port))
++    except:
++        query6_udp.close()
++        havev6 = False
++
++    query6_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++    try:
++        query6_tcp.bind((ip4, port))
++        query6_tcp.listen(1)
++        query6_tcp.settimeout(1)
++    except:
++        query6_tcp.close()
++        havev6 = False
++except:
++    havev6 = False
++
++signal.signal(signal.SIGTERM, sigterm)
++
++f = open("ans.pid", "w")
++pid = os.getpid()
++print(pid, file=f)
++f.close()
++
++running = True
++
++print("Listening on %s port %d" % (ip4, port))
++if havev6:
++    print("Listening on %s port %d" % (ip6, port))
++print("Ctrl-c to quit")
++
++if havev6:
++    input = [query4_udp, query4_tcp, query6_udp, query6_tcp]
++else:
++    input = [query4_udp, query4_tcp]
++
++while running:
++    try:
++        inputready, outputready, exceptready = select.select(input, [], [])
++    except select.error as e:
++        break
++    except socket.error as e:
++        break
++    except KeyboardInterrupt:
++        break
++
++    for s in inputready:
++        if s == query4_udp or s == query6_udp:
++            print("Query received on %s" % (ip4 if s == query4_udp else ip6))
++            # Handle incoming queries
++            msg = s.recvfrom(65535)
++            rsp = create_response(msg[0])
++            if rsp:
++                s.sendto(rsp, msg[1])
++        elif s == query4_tcp or s == query6_tcp:
++            try:
++                conn, _ = s.accept()
++                if s == query4_tcp or s == query6_tcp:
++                    print(
++                        "TCP Query received on %s" % (ip4 if s == query4_tcp else ip6),
++                        end=" ",
++                    )
++                # get TCP message length
++                msg = conn.recv(2)
++                if len(msg) != 2:
++                    print("couldn't read TCP message length")
++                    continue
++                length = struct.unpack(">H", msg[:2])[0]
++                msg = conn.recv(length)
++                if len(msg) != length:
++                    print("couldn't read TCP message")
++                    continue
++                rsp = create_response(msg)
++                if rsp:
++                    conn.send(struct.pack(">H", len(rsp)))
++                    conn.send(rsp)
++                conn.close()
++            except socket.error as e:
++                print("error: %s" % str(e))
++    if not running:
++        break
+diff --git a/bin/tests/system/chain/ans4/ans.py b/bin/tests/system/chain/ans4/ans.py
+index 839067f..66f0193 100755
+--- a/bin/tests/system/chain/ans4/ans.py
++++ b/bin/tests/system/chain/ans4/ans.py
+@@ -316,16 +316,30 @@ try:
+ except:
+     ctrlport = 5300
+ 
+-query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+-query4_socket.bind((ip4, port))
++query4_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
++query4_udp.bind((ip4, port))
++
++query4_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
++query4_tcp.bind((ip4, port))
++query4_tcp.listen(1)
++query4_tcp.settimeout(1)
+ 
+ havev6 = True
+ try:
+-    query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
++    query6_udp = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
++    try:
++        query6_udp.bind((ip6, port))
++    except:
++        query6_udp.close()
++        havev6 = False
++
++    query6_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+     try:
+-        query6_socket.bind((ip6, port))
++        query6_tcp.bind((ip4, port))
++        query6_tcp.listen(1)
++        query6_tcp.settimeout(1)
+     except:
+-        query6_socket.close()
++        query6_tcp.close()
+         havev6 = False
+ except:
+     havev6 = False
+@@ -350,9 +364,9 @@ print("Control channel on %s port %d" % (ip4, ctrlport))
+ print("Ctrl-c to quit")
+ 
+ if havev6:
+-    input = [query4_socket, query6_socket, ctrl_socket]
++    input = [query4_udp, query4_tcp, query6_udp, query6_tcp, ctrl_socket]
+ else:
+-    input = [query4_socket, ctrl_socket]
++    input = [query4_udp, query4_tcp, ctrl_socket]
+ 
+ while running:
+     try:
+@@ -375,12 +389,37 @@ while running:
+                     break
+                 ctl_channel(msg)
+             conn.close()
+-        if s == query4_socket or s == query6_socket:
+-            print("Query received on %s" % (ip4 if s == query4_socket else ip6))
++        elif s == query4_udp or s == query6_udp:
++            print("Query received on %s" % (ip4 if s == query4_udp else ip6))
+             # Handle incoming queries
+             msg = s.recvfrom(65535)
+             rsp = create_response(msg[0])
+             if rsp:
+                 s.sendto(rsp, msg[1])
++        elif s == query4_tcp or s == query6_tcp:
++            try:
++                conn, _ = s.accept()
++                if s == query4_tcp or s == query6_tcp:
++                    print(
++                        "TCP Query received on %s" % (ip4 if s == query4_tcp else ip6),
++                        end=" ",
++                    )
++                # get TCP message length
++                msg = conn.recv(2)
++                if len(msg) != 2:
++                    print("couldn't read TCP message length")
++                    continue
++                length = struct.unpack(">H", msg[:2])[0]
++                msg = conn.recv(length)
++                if len(msg) != length:
++                    print("couldn't read TCP message")
++                    continue
++                rsp = create_response(msg)
++                if rsp:
++                    conn.send(struct.pack(">H", len(rsp)))
++                    conn.send(rsp)
++                conn.close()
++            except socket.error as e:
++                print("error: %s" % str(e))
+     if not running:
+         break
+diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
+index f15884a..c2efc19 100644
+--- a/lib/dns/include/dns/message.h
++++ b/lib/dns/include/dns/message.h
+@@ -283,6 +283,7 @@ struct dns_message {
+ 	unsigned int tkey	      : 1;
+ 	unsigned int rdclass_set      : 1;
+ 	unsigned int fuzzing	      : 1;
++	unsigned int has_dname	      : 1;
+ 
+ 	unsigned int opt_reserved;
+ 	unsigned int sig_reserved;
+@@ -1526,4 +1527,11 @@ dns_message_response_minttl(dns_message_t *msg, dns_ttl_t *pttl);
+  * \li   'pttl != NULL'.
+  */
+ 
++bool
++dns_message_hasdname(dns_message_t *msg);
++/*%<
++ * Return whether a DNAME was detected in the ANSWER section of a QUERY
++ * message when it was parsed.
++ */
++
+ ISC_LANG_ENDDECLS
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 67190af..4dae88a 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -428,6 +428,7 @@ msginit(dns_message_t *m) {
+ 	m->cc_bad = 0;
+ 	m->tkey = 0;
+ 	m->rdclass_set = 0;
++	m->has_dname = 0;
+ 	m->querytsig = NULL;
+ 	m->indent.string = "\t";
+ 	m->indent.count = 0;
+@@ -1710,6 +1711,11 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ 			 */
+ 			msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+ 			free_name = false;
++		} else if (rdtype == dns_rdatatype_dname &&
++			   sectionid == DNS_SECTION_ANSWER &&
++			   msg->opcode == dns_opcode_query)
++		{
++			msg->has_dname = 1;
+ 		}
+ 		rdataset = NULL;
+ 
+@@ -4861,3 +4867,9 @@ dns_message_response_minttl(dns_message_t *msg, dns_ttl_t *pttl) {
+ 
+ 	return (ISC_R_SUCCESS);
+ }
++
++bool
++dns_message_hasdname(dns_message_t *msg) {
++	REQUIRE(DNS_MESSAGE_VALID(msg));
++	return msg->has_dname;
++}
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 19b9b1a..72d83b6 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -796,6 +796,7 @@ typedef struct respctx {
+ 	bool get_nameservers; /* get a new NS rrset at
+ 			       * zone cut? */
+ 	bool resend;	      /* resend this query? */
++	bool secured;	      /* message was signed or had a valid cookie */
+ 	bool nextitem;	      /* invalid response; keep
+ 			       * listening for the correct one */
+ 	bool truncated;	      /* response was truncated */
+@@ -6972,7 +6973,8 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
+  * locally served zone.
+  */
+ static inline bool
+-name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
++name_external(const dns_name_t *name, dns_rdatatype_t type, respctx_t *rctx) {
++	fetchctx_t *fctx = rctx->fctx;
+ 	isc_result_t result;
+ 	dns_forwarders_t *forwarders = NULL;
+ 	dns_fixedname_t fixed, zfixed;
+@@ -6985,7 +6987,7 @@ name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+ 	dns_namereln_t rel;
+ 
+ 	apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo))
+-		       ? fctx->domain
++		       ? rctx->ns_name != NULL ? rctx->ns_name : fctx->domain
+ 		       : fctx->fwdname;
+ 
+ 	/*
+@@ -7094,7 +7096,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
+ 	result = dns_message_findname(rctx->query->rmessage, section, addname,
+ 				      dns_rdatatype_any, 0, &name, NULL);
+ 	if (result == ISC_R_SUCCESS) {
+-		external = name_external(name, type, fctx);
++		external = name_external(name, type, rctx);
+ 		if (type == dns_rdatatype_a) {
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+ 			     rdataset != NULL;
+@@ -7725,6 +7727,47 @@ betterreferral(respctx_t *rctx) {
+ 	return (false);
+ }
+ 
++static bool
++rctx_need_tcpretry(respctx_t *rctx) {
++	resquery_t *query = rctx->query;
++	if ((rctx->retryopts & DNS_FETCHOPT_TCP) != 0) {
++		/* TCP is already in the retry flags */
++		return false;
++	}
++
++	/*
++	 * If the message was secured, no need to continue.
++	 */
++	if (rctx->secured) {
++		return false;
++	}
++
++	/*
++	 * Currently the only extra reason why we might need to
++	 * retry a UDP response over TCP is a DNAME in the message.
++	 */
++	if (dns_message_hasdname(query->rmessage)) {
++		return true;
++	}
++
++	return false;
++}
++
++static isc_result_t
++rctx_tcpretry(respctx_t *rctx) {
++	/*
++	 * Do we need to retry a UDP response over TCP?
++	 */
++	if (rctx_need_tcpretry(rctx)) {
++		rctx->retryopts |= DNS_FETCHOPT_TCP;
++		rctx->resend = true;
++		rctx_done(rctx, ISC_R_SUCCESS);
++		return ISC_R_COMPLETE;
++	}
++
++	return ISC_R_SUCCESS;
++}
++
+ /*
+  * resquery_response():
+  * Handles responses received in response to iterative queries sent by
+@@ -7914,6 +7957,17 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
+ 		return;
+ 	}
+ 
++	/*
++	 * Remember whether this message was signed or had a
++	 * valid client cookie; if not, we may need to retry over
++	 * TCP later.
++	 */
++	if (query->rmessage->cc_ok || query->rmessage->tsig != NULL ||
++	    query->rmessage->sig0 != NULL)
++	{
++		rctx.secured = true;
++	}
++
+ 	/*
+ 	 * The dispatcher should ensure we only get responses with QR
+ 	 * set.
+@@ -7925,10 +7979,7 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
+ 	 * TCP. This may be a misconfigured anycast server or an attempt
+ 	 * to send a spoofed response.  Skip if we have a valid tsig.
+ 	 */
+-	if (dns_message_gettsig(query->rmessage, NULL) == NULL &&
+-	    !query->rmessage->cc_ok && !query->rmessage->cc_bad &&
+-	    (rctx.retryopts & DNS_FETCHOPT_TCP) == 0)
+-	{
++	if (!rctx.secured && (rctx.retryopts & DNS_FETCHOPT_TCP) == 0) {
+ 		unsigned char cookie[COOKIE_BUFFER_SIZE];
+ 		if (dns_adb_getcookie(fctx->adb, query->addrinfo, cookie,
+ 				      sizeof(cookie)) > CLIENT_COOKIE_SIZE)
+@@ -7940,8 +7991,7 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
+ 				isc_log_write(
+ 					dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ 					DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+-					"missing expected cookie "
+-					"from %s",
++					"missing expected cookie from %s",
+ 					addrbuf);
+ 			}
+ 			rctx.retryopts |= DNS_FETCHOPT_TCP;
+@@ -7951,6 +8001,17 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
+ 		}
+ 	}
+ 
++	/*
++	 * Check whether we need to retry over TCP for some other reason.
++	 */
++	result = rctx_tcpretry(&rctx);
++	if (result == ISC_R_COMPLETE) {
++		return;
++	}
++
++	/*
++	 * Check for EDNS issues.
++	 */
+ 	rctx_edns(&rctx);
+ 
+ 	/*
+@@ -8733,8 +8794,8 @@ rctx_answer_positive(respctx_t *rctx) {
+ 	}
+ 
+ 	/*
+-	 * Cache records in the authority section, if
+-	 * there are any suitable for caching.
++	 * Cache records in the authority section, if there are
++	 * any suitable for caching.
+ 	 */
+ 	rctx_authority_positive(rctx);
+ 
+@@ -8806,7 +8867,7 @@ rctx_answer_scan(respctx_t *rctx) {
+ 			/*
+ 			 * Don't accept DNAME from parent namespace.
+ 			 */
+-			if (name_external(name, dns_rdatatype_dname, fctx)) {
++			if (name_external(name, dns_rdatatype_dname, rctx)) {
+ 				continue;
+ 			}
+ 
+@@ -9107,14 +9168,14 @@ rctx_answer_dname(respctx_t *rctx) {
+ 
+ /*
+  * rctx_authority_positive():
+- * Examine the records in the authority section (if there are any) for a
+- * positive answer.  We expect the names for all rdatasets in this
+- * section to be subdomains of the domain being queried; any that are
+- * not are skipped.  We expect to find only *one* owner name; any names
+- * after the first one processed are ignored. We expect to find only
+- * rdatasets of type NS, RRSIG, or SIG; all others are ignored. Whatever
+- * remains can be cached at trust level authauthority or additional
+- * (depending on whether the AA bit was set on the answer).
++ * If a positive answer was received over TCP or secured with a cookie
++ * or TSIG, examine the authority section.  We expect names for all
++ * rdatasets in this section to be subdomains of the domain being queried;
++ * any that are not are skipped.  We expect to find only *one* owner name;
++ * any names after the first one processed are ignored. We expect to find
++ * only rdatasets of type NS; all others are ignored. Whatever remains can
++ * be cached at trust level authauthority or additional (depending on
++ * whether the AA bit was set on the answer).
+  */
+ static void
+ rctx_authority_positive(respctx_t *rctx) {
+@@ -9122,6 +9183,11 @@ rctx_authority_positive(respctx_t *rctx) {
+ 	bool done = false;
+ 	isc_result_t result;
+ 
++	/* If it's spoofable, don't cache it. */
++	if (!rctx->secured && (rctx->query->options & DNS_FETCHOPT_TCP) == 0) {
++		return;
++	}
++
+ 	result = dns_message_firstname(rctx->query->rmessage,
+ 				       DNS_SECTION_AUTHORITY);
+ 	while (!done && result == ISC_R_SUCCESS) {
+@@ -9130,7 +9196,9 @@ rctx_authority_positive(respctx_t *rctx) {
+ 		dns_message_currentname(rctx->query->rmessage,
+ 					DNS_SECTION_AUTHORITY, &name);
+ 
+-		if (!name_external(name, dns_rdatatype_ns, fctx)) {
++		if (!name_external(name, dns_rdatatype_ns, rctx) &&
++		    dns_name_issubdomain(fctx->name, name))
++		{
+ 			dns_rdataset_t *rdataset = NULL;
+ 
+ 			/*
+-- 
+2.51.1
+

SOURCES/bind-9.18-CVE-2025-40780.patch

@@ -0,0 +1,120 @@
+From c7d94eb33a2de5a0f3fdcb4eae7ffdee711cc3e1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 19 Aug 2025 19:22:18 +0200
+Subject: [PATCH] Use cryptographically-secure pseudo-random generator
+ everywhere
+
+It was discovered in an upcoming academic paper that a xoshiro128**
+internal state can be recovered by an external 3rd party allowing to
+predict UDP ports and DNS IDs in the outgoing queries.  This could lead
+to an attacker spoofing the DNS answers with great efficiency and
+poisoning the DNS cache.
+
+Change the internal random generator to system CSPRNG with buffering to
+avoid excessive syscalls.
+
+Thanks Omer Ben Simhon and Amit Klein of Hebrew University of Jerusalem
+for responsibly reporting this to us.  Very cool research!
+
+(cherry picked from commit cffcab9d5f3e709002f331b72498fcc229786ae2)
+(cherry picked from commit 8330b49fb90bfeae14b47b7983e9459cc2bbaffe)
+---
+ lib/isc/include/isc/random.h |  2 +-
+ lib/isc/random.c             | 14 +++++++-------
+ tests/isc/random_test.c      |  4 +++-
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
+index 1e30d0c..fd55343 100644
+--- a/lib/isc/include/isc/random.h
++++ b/lib/isc/include/isc/random.h
+@@ -20,7 +20,7 @@
+ #include <isc/types.h>
+ 
+ /*! \file isc/random.h
+- * \brief Implements wrapper around a non-cryptographically secure
++ * \brief Implements wrapper around a cryptographically secure
+  * pseudo-random number generator.
+  *
+  */
+diff --git a/lib/isc/random.c b/lib/isc/random.c
+index 7eead66..fb04669 100644
+--- a/lib/isc/random.c
++++ b/lib/isc/random.c
+@@ -85,7 +85,7 @@ static thread_local uint32_t seed[4] = { 0 };
+ 
+ static uint32_t
+ rotl(const uint32_t x, int k) {
+-	return ((x << k) | (x >> (32 - k)));
++	return (x << k) | (x >> (32 - k));
+ }
+ 
+ static uint32_t
+@@ -104,7 +104,7 @@ next(void) {
+ 
+ 	seed[3] = rotl(seed[3], 11);
+ 
+-	return (result_starstar);
++	return result_starstar;
+ }
+ 
+ static thread_local isc_once_t isc_random_once = ISC_ONCE_INIT;
+@@ -128,21 +128,21 @@ uint8_t
+ isc_random8(void) {
+ 	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+ 		      ISC_R_SUCCESS);
+-	return (next() & 0xff);
++	return next() & 0xff;
+ }
+ 
+ uint16_t
+ isc_random16(void) {
+ 	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+ 		      ISC_R_SUCCESS);
+-	return (next() & 0xffff);
++	return next() & 0xffff;
+ }
+ 
+ uint32_t
+ isc_random32(void) {
+ 	RUNTIME_CHECK(isc_once_do(&isc_random_once, isc_random_initialize) ==
+ 		      ISC_R_SUCCESS);
+-	return (next());
++	return next();
+ }
+ 
+ void
+@@ -174,7 +174,7 @@ isc_random_uniform(uint32_t upper_bound) {
+ 		      ISC_R_SUCCESS);
+ 
+ 	if (upper_bound < 2) {
+-		return (0);
++		return 0;
+ 	}
+ 
+ #if (ULONG_MAX > 0xffffffffUL)
+@@ -202,5 +202,5 @@ isc_random_uniform(uint32_t upper_bound) {
+ 		}
+ 	}
+ 
+-	return (r % upper_bound);
++	return r % upper_bound;
+ }
+diff --git a/tests/isc/random_test.c b/tests/isc/random_test.c
+index 1935846..0016252 100644
+--- a/tests/isc/random_test.c
++++ b/tests/isc/random_test.c
+@@ -321,7 +321,9 @@ random_test(pvalue_func_t *func, isc_random_func test_func) {
+ 			}
+ 			break;
+ 		case ISC_RANDOM_BYTES:
+-			isc_random_buf(values, sizeof(values));
++			for (i = 0; i < ARRAY_SIZE(values); i++) {
++				values[i] = isc_random32();
++			}
+ 			break;
+ 		case ISC_RANDOM_UNIFORM:
+ 			uniform_values = (uint16_t *)values;
+-- 
+2.51.1
+

SOURCES/bind-9.18-CVE-2025-8677.patch

@@ -0,0 +1,223 @@
+From c30c944e424a6c2281e0b1d53e25fc8ed3f71d41 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 22 Jul 2025 08:07:02 +0200
+Subject: [PATCH] Fail the DNSSEC validation if matching but invalid DNSKEY is
+ found
+
+If a matching but cryptographically invalid key was encountered during
+the DNSSEC validation, the key would be just skipped and not counted
+towards validation failures.  Treat such DNSSEC keys as hard failures
+and fail the DNSSEC validation immediatelly instead of continuing the
+DNSSEC validation with the next DNSKEYs in the RRset.
+
+Co-authored-by: Matthijs Mekking <matthijs@isc.org>
+
+(cherry picked from commit f00117a4226be90d1bc865aff19bddf114242914)
+(cherry picked from commit 7c5b8ef055900224f0424c341927562c5a9ebe19)
+
+Fix an issue with selfsigned_dnskey() return value
+
+The selfsigned_dnskey() function currently returns boolean. There
+was a recent change to make it return a isc_result_t error code,
+which is implicitly converted to bool, which is obviously an error.
+
+If instead of the result code we return true/false, it still doesn't
+indicate the error to the caller that has happened before.
+
+Change the function to return isc_result_t, and change the caller
+routine to process the new return type.
+
+(cherry picked from commit 40c396ba2d955c32d70db04e900e40bf96519c59)
+---
+ lib/dns/validator.c | 79 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 51 insertions(+), 28 deletions(-)
+
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+index 696a464..1d84b75 100644
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -431,6 +431,8 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
+ 			result = select_signing_key(val, rdataset);
+ 			if (result == ISC_R_SUCCESS) {
+ 				val->keyset = &val->frdataset;
++			} else {
++				val->failed = true;
+ 			}
+ 		}
+ 		result = validate_answer(val, true);
+@@ -1161,6 +1163,8 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
+ 				goto done;
+ 			}
+ 			dst_key_free(&val->key);
++		} else {
++			break;
+ 		}
+ 		dns_rdata_reset(&rdata);
+ 		result = dns_rdataset_next(rdataset);
+@@ -1285,13 +1289,15 @@ seek_dnskey(dns_validator_t *val) {
+ 				      "keyset with trust %s",
+ 				      dns_trust_totext(val->frdataset.trust));
+ 			result = select_signing_key(val, val->keyset);
+-			if (result != ISC_R_SUCCESS) {
++			if (result == ISC_R_NOTFOUND) {
+ 				/*
+-				 * Either the key we're looking for is not
+-				 * in the rrset, or something bad happened.
+-				 * Give up.
++				 * The key we're looking for is not
++				 * in the rrset
+ 				 */
+ 				result = DNS_R_CONTINUE;
++			} else if (result != ISC_R_SUCCESS) {
++				/* Something bad happened. Give up. */
++				break;
+ 			}
+ 		}
+ 		break;
+@@ -1352,17 +1358,17 @@ compute_keytag(dns_rdata_t *rdata) {
+ /*%
+  * Is the DNSKEY rrset in val->event->rdataset self-signed?
+  */
+-static bool
++static isc_result_t
+ selfsigned_dnskey(dns_validator_t *val) {
+ 	dns_rdataset_t *rdataset = val->event->rdataset;
+ 	dns_rdataset_t *sigrdataset = val->event->sigrdataset;
+ 	dns_name_t *name = val->event->name;
+ 	isc_result_t result;
+ 	isc_mem_t *mctx = val->view->mctx;
+-	bool answer = false;
++	bool match = false;
+ 
+ 	if (rdataset->type != dns_rdatatype_dnskey) {
+-		return (false);
++		return DNS_R_NOKEYMATCH;
+ 	}
+ 
+ 	for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
+@@ -1384,8 +1390,6 @@ selfsigned_dnskey(dns_validator_t *val) {
+ 		     result == ISC_R_SUCCESS;
+ 		     result = dns_rdataset_next(sigrdataset))
+ 		{
+-			dst_key_t *dstkey = NULL;
+-
+ 			dns_rdata_reset(&sigrdata);
+ 			dns_rdataset_current(sigrdataset, &sigrdata);
+ 			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+@@ -1400,18 +1404,16 @@ selfsigned_dnskey(dns_validator_t *val) {
+ 
+ 			/*
+ 			 * If the REVOKE bit is not set we have a
+-			 * theoretically self signed DNSKEY RRset.
+-			 * This will be verified later.
++			 * theoretically self-signed DNSKEY RRset;
++			 * this will be verified later.
++			 *
++			 * We don't return the answer yet, though,
++			 * because we need to check the remaining keys
++			 * and possbly remove them if they're revoked.
+ 			 */
+ 			if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
+-				answer = true;
+-				continue;
+-			}
+-
+-			result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
+-							 &dstkey);
+-			if (result != ISC_R_SUCCESS) {
+-				continue;
++				match = true;
++				break;
+ 			}
+ 
+ 			/*
+@@ -1421,6 +1423,14 @@ selfsigned_dnskey(dns_validator_t *val) {
+ 			if (DNS_TRUST_PENDING(rdataset->trust) &&
+ 			    dns_view_istrusted(val->view, name, &key))
+ 			{
++				dst_key_t *dstkey = NULL;
++
++				result = dns_dnssec_keyfromrdata(
++					name, &keyrdata, mctx, &dstkey);
++				if (result != ISC_R_SUCCESS) {
++					break;
++				}
++
+ 				result = dns_dnssec_verify(
+ 					name, rdataset, dstkey, true,
+ 					val->view->maxbits, mctx, &sigrdata,
+@@ -1433,6 +1443,8 @@ selfsigned_dnskey(dns_validator_t *val) {
+ 					 */
+ 					dns_view_untrust(val->view, name, &key);
+ 				}
++
++				dst_key_free(&dstkey);
+ 			} else if (rdataset->trust >= dns_trust_secure) {
+ 				/*
+ 				 * We trust this RRset so if the key is
+@@ -1440,12 +1452,14 @@ selfsigned_dnskey(dns_validator_t *val) {
+ 				 */
+ 				dns_view_untrust(val->view, name, &key);
+ 			}
+-
+-			dst_key_free(&dstkey);
+ 		}
+ 	}
+ 
+-	return (answer);
++	if (!match) {
++		return DNS_R_NOKEYMATCH;
++	}
++
++	return ISC_R_SUCCESS;
+ }
+ 
+ /*%
+@@ -1680,10 +1694,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
+ 				val->event->name, keyrdata, val->view->mctx,
+ 				&dstkey);
+ 			if (result != ISC_R_SUCCESS) {
+-				/*
+-				 * This really shouldn't happen, but...
+-				 */
+-				continue;
++				return result;
+ 			}
+ 		}
+ 		result = verify(val, dstkey, &rdata, sig.keyid);
+@@ -3064,11 +3075,22 @@ validator_start(isc_task_t *task, isc_event_t *event) {
+ 
+ 		INSIST(dns_rdataset_isassociated(val->event->rdataset));
+ 		INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
+-		if (selfsigned_dnskey(val)) {
++
++		result = selfsigned_dnskey(val);
++		switch (result) {
++		case ISC_R_SUCCESS:
+ 			result = validate_dnskey(val);
+-		} else {
++			break;
++		case DNS_R_NOKEYMATCH:
+ 			result = validate_answer(val, false);
++			break;
++		default:
++			validator_log(val, ISC_LOG_INFO,
++				      "invalid selfsigned DNSKEY: %s",
++				      isc_result_totext(result));
++			goto cleanup;
+ 		}
++
+ 		if (result == DNS_R_NOVALIDSIG &&
+ 		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+ 		{
+@@ -3137,6 +3159,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
+ 		UNREACHABLE();
+ 	}
+ 
++cleanup:
+ 	if (result != DNS_R_WAIT) {
+ 		want_destroy = exit_check(val);
+ 		validator_done(val, result);
+-- 
+2.51.1
+

SOURCES/bind-9.18-nsupdate-TLS-doc.patch

@@ -0,0 +1,114 @@
+From 146811cdc40459129b20df9b3bb31bd152570b72 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Wed, 21 Sep 2022 15:05:11 +0000
+Subject: [PATCH 2/3] Document nsupdate options related to DoT
+
+Add documentation for the newly implemented DoT feature of the
+nsupdate program.
+
+(cherry picked from commit bd8299d7b501234263a6aee98049f879b1c700b7)
+---
+ bin/nsupdate/nsupdate.rst | 48 ++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 47 insertions(+), 1 deletion(-)
+
+diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst
+index 81bb4815cf4..f1ab5c76fa7 100644
+--- a/bin/nsupdate/nsupdate.rst
++++ b/bin/nsupdate/nsupdate.rst
+@@ -19,7 +19,7 @@ nsupdate - dynamic DNS update utility
+ Synopsis
+ ~~~~~~~~
+ 
+-:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
++:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename]
+ 
+ Description
+ ~~~~~~~~~~~
+@@ -71,6 +71,15 @@ Options
+ 
+    This option sets use of IPv6 only.
+ 
++.. option:: -A tlscafile
++
++   This option specifies the file of the certificate authorities (CA) certificates
++   (in PEM format) in order to verify the remote server TLS certificate when
++   using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will
++   override the certificates from the global certificates store, which are
++   otherwise used by default when :option:`-S` is enabled. This option can not
++   be used in conjuction with :option:`-O`, and it implies :option:`-S`.
++
+ .. option:: -C
+ 
+    Overrides the default `resolv.conf` file. This is only intended for testing.
+@@ -84,10 +93,23 @@ Options
+ 
+    This option sets extra debug mode.
+ 
++.. option:: -E tlscertfile
++
++   This option sets the certificate(s) file for authentication for the
++   DNS-over-TLS (DoT) transport to the remote server. The certificate
++   chain file is expected to be in PEM format. This option implies :option:`-S`,
++   and can only be used with :option:`-K`.
++
+ .. option:: -g
+ 
+    This option enables standard GSS-TSIG mode.
+ 
++.. option:: -H tlshostname
++
++   This option makes :program:`nsupdate` use the provided hostname during remote
++   server TLS certificate verification. Otherwise, the DNS server name
++   is used. This option implies :option:`-S`.
++
+ .. option:: -i
+ 
+    This option forces interactive mode, even when standard input is not a terminal.
+@@ -104,6 +126,13 @@ Options
+    key used to authenticate Dynamic DNS update requests. In this case,
+    the key specified is not an HMAC-MD5 key.
+ 
++.. option:: -K tlskeyfile
++
++   This option sets the key file for authenticated encryption for the
++   DNS-over-TLS (DoT) transport with the remote server. The private key file is
++   expected to be in PEM format. This option implies :option:`-S`, and can only
++   be used with :option:`-E`.
++
+ .. option:: -l
+ 
+    This option sets local-host only mode, which sets the server address to localhost
+@@ -123,6 +152,14 @@ Options
+    This option enables a non-standards-compliant variant of GSS-TSIG
+    used by Windows 2000.
+ 
++.. option:: -O
++
++   This option enables Opportunistic TLS. When used, the remote peer's TLS
++   certificate will not be verified. This option should be used for debugging
++   purposes only, and it is not recommended to use it in production. This
++   option can not be used in conjuction with :option:`-A`, and it implies
++   :option:`-S`.
++
+ .. option:: -p port
+ 
+    This option sets the port to use for connections to a name server. The default is
+@@ -138,6 +175,15 @@ Options
+    This option sets the number of UDP retries. The default is 3. If zero, only one update
+    request is made.
+ 
++.. option:: -S
++
++   This option indicates whether to use DNS-over-TLS (DoT) when querying
++   name servers specified by ``server servername port`` syntax in the input
++   file, and the primary server discovered through a SOA request. When the
++   :option:`-K` and :option:`-E` options are used, then the specified TLS
++   client certificate and private key pair are used for authentication
++   (Mutual TLS). This option implies :option:`-v`.
++
+ .. option:: -t timeout
+ 
+    This option sets the maximum time an update request can take before it is aborted. The
+-- 
+2.48.1
+

SOURCES/bind-9.18-query-fname-relative.patch

@@ -0,0 +1,90 @@
+From 5bc7cd7a7b9c37e5c70ccf74c5485a02411aaef5 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 25 Apr 2025 02:00:00 +0200
+Subject: [PATCH] Insert additional checks ensuring name is not relative
+
+Mitigation for crashes put in various places, where obviously relative
+uninitialized name must not appear. This seems unnecessary once true
+cause were identified, but may prevent similar places.
+---
+ lib/ns/query.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 11d2520..7e8a4d2 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -2203,6 +2203,20 @@ regular:
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+ 
++static void
++log_query_relative(query_ctx_t *qctx, const char *func, const dns_name_t *name) {
++	if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
++		char namebuf[DNS_NAME_FORMATSIZE] = "!";
++		dns_name_format(name, namebuf, sizeof(namebuf));
++		ns_client_log(
++			qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
++			ISC_LOG_DEBUG(1),
++			"%s: fname=%s leading to relative name, aborting query.",
++			func, namebuf
++		);
++	}
++}
++
+ static void
+ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 	       dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
+@@ -2275,6 +2289,11 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+ 	}
+ 
++	if (!qctx->is_zone && mname && !dns_name_isabsolute(mname)) {
++		log_query_relative(qctx, "query_addrrset", mname);
++		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
++		return;
++	}
+ 	/*
+ 	 * Update message name, set rdataset order, and do additional
+ 	 * section processing if needed.
+@@ -8074,6 +8093,11 @@ query_respond_any(query_ctx_t *qctx) {
+ 							     : qctx->tname;
+ 				query_prefetch(qctx->client, name,
+ 					       qctx->rdataset);
++				if (name && !dns_name_isabsolute(name)) {
++					log_query_relative(qctx, "query_respond_any", name);
++					result = DNS_R_DROP;
++					break;
++				}
+ 			}
+ 
+ 			/*
+@@ -10696,6 +10720,11 @@ query_cname(query_ctx_t *qctx) {
+ 
+ 	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+ 		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
++		if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
++			log_query_relative(qctx, "query_cname", qctx->fname);
++			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
++			return (ns_query_done(qctx));
++		}
+ 	}
+ 
+ 	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+@@ -10801,7 +10830,13 @@ query_dname(query_ctx_t *qctx) {
+ 
+ 	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+ 		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
++		if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
++			log_query_relative(qctx, "query_dname", qctx->fname);
++			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
++			return (ns_query_done(qctx));
++		}
+ 	}
++
+ 	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+ 		       qctx->dbuf, DNS_SECTION_ANSWER);
+ 
+-- 
+2.49.0
+

SOURCES/bind-9.18.29.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAma+DmEACgkQGC4jV5Ri
+76q1FQ/8CXrIA21FAdnGuGqC53EVOzFl3QptFMThoVTO0kzp7rQcwv8xE/gphXnT
+j4DWMAZ/tDW6ZalDbmCh6t+z/0pXewHB+43CILSkzU9Gi5gnAUHdIdlGQnYH/x2N
+eyHBKuB9Wubmi87Yu8zjtF+Xu43qgcYqNKP/QqU9YwsqPQ+7GgcKAETVidFMB9/4
+QZiMT4gMawguft+BwFZ1eYvk0Bemk0OkKhofyWDcVnl5r93pvTIK3SsIHyEHx7xu
+dbG9Z5HhoaJ8b48djahrrYSQCQ0Dn9KbEVLu+/BS5tz+k+V1VI1pk4OS15wn7yBZ
+8EqAGc5xj4MEKW7PEteOK7QQQE59yKY6SGwt+tQwokUZ/Rq4bAx2bHXY83oRBULo
+BIRDdgoxc9X44YQ/a55La+7/xq2eCYwW2s364R4To3K58nPCNlkdEQUziY1V7guR
+3zOcHPAZNe5bK7bN3BMDusQgtoerfSUC1x+zj5Nm9Xnb/yAtVUyiP/k/zlIds9W3
+rKSCM5FAuacZdWQKeVpRa1EaXhObm08qLO9a/Dc/Qvll8GKAmrMoll2WwEoUVlZ3
+HwZPRsPIWYSCemtHmp36b7nOZ0vo4NMXjb2nV7xW3a8BqOD3RW0XiTlC814qmqsU
+x16eOHowvtDw58abeBzPJ2k1yne1Ic2zBdJzUM9wqdJCoBN5g0A=
+=2EW2
+-----END PGP SIGNATURE-----

SOURCES/bind-9.20-CVE-2025-8677-dual-signing-test.patch

@@ -0,0 +1,137 @@
+From 748bf1ee0681bd2a2bc0b3dfa8634787017818c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Sat, 1 Nov 2025 12:00:59 +0100
+Subject: [PATCH] Add a system test with one good and one bad algorithm
+
+The case where there would be one supported algorithm and one already
+unsupported (like RSAMD5 or RSASHA1) was missing.
+
+(cherry picked from commit 3aa6f585e0466700e5d4b64fffccf883bb1c21dd)
+---
+ bin/tests/system/dnssec/clean.sh          |  1 +
+ bin/tests/system/dnssec/ns2/example.db.in |  4 +++
+ bin/tests/system/dnssec/ns2/sign.sh       |  3 ++-
+ bin/tests/system/dnssec/ns3/named.conf.in |  6 +++++
+ bin/tests/system/dnssec/ns3/sign.sh       | 31 +++++++++++++++++++++++
+ bin/tests/system/dnssec/tests.sh          | 11 ++++++++
+ 6 files changed, 55 insertions(+), 1 deletion(-)
+
+diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
+index 1a933ad..aa35122 100644
+--- a/bin/tests/system/dnssec/clean.sh
++++ b/bin/tests/system/dnssec/clean.sh
+@@ -69,6 +69,7 @@ rm -f ./ns3/dnskey-unsupported.example.db.tmp
+ rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
+ rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
+ rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
++rm -f ./ns3/extrabadkey.example.db
+ rm -f ./ns3/future.example.db ./ns3/trusted-future.key
+ rm -f ./ns3/inline.example.db.signed
+ rm -f ./ns3/kskonly.example.db
+diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
+index f711f58..63d41e5 100644
+--- a/bin/tests/system/dnssec/ns2/example.db.in
++++ b/bin/tests/system/dnssec/ns2/example.db.in
+@@ -168,4 +168,8 @@ ns.managed-future	A	10.53.0.3
+ revkey			NS	ns.revkey
+ ns.revkey		A	10.53.0.3
+ 
++; A secure subdomain with extra bad key
++extrabadkey		NS	ns3.extrabadkey
++ns3.extrabadkey		A	10.53.0.3
++
+ dname-at-apex-nsec3	NS	ns3
+diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
+index b60e82a..eb00806 100644
+--- a/bin/tests/system/dnssec/ns2/sign.sh
++++ b/bin/tests/system/dnssec/ns2/sign.sh
+@@ -62,7 +62,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
+   ttlpatch split-dnssec split-smart expired expiring upper lower \
+   dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
+   dnskey-nsec3-unknown managed-future revkey \
+-  dname-at-apex-nsec3 occluded; do
++  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024 \
++  extrabadkey; do
+   cp "../ns3/dsset-$subdomain.example." .
+ done
+ 
+diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
+index 680cff5..3536046 100644
+--- a/bin/tests/system/dnssec/ns3/named.conf.in
++++ b/bin/tests/system/dnssec/ns3/named.conf.in
+@@ -84,6 +84,12 @@ zone "insecure2.example" {
+ 	allow-update { any; };
+ };
+ 
++zone "extrabadkey.example" {
++	type primary;
++	file "extrabadkey.example.db.signed";
++	allow-update { any; };
++};
++
+ zone "insecure.nsec3.example" {
+ 	type primary;
+ 	file "insecure.nsec3.example.db";
+diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
+index 14fc709..743a0e4 100644
+--- a/bin/tests/system/dnssec/ns3/sign.sh
++++ b/bin/tests/system/dnssec/ns3/sign.sh
+@@ -673,3 +673,34 @@ $DSFROMKEY "$dnskeyname.key" >"dsset-delegation.${zone}."
+ cat "$infile" "${kskname}.key" "${zskname}.key" "${keyname}.key" \
+   "${dnskeyname}.key" "dsset-delegation.${zone}." >"$zonefile"
+ "$SIGNER" -P -o "$zone" "$zonefile" >/dev/null
++
++#
++#
++#
++zone=extrabadkey.example.
++infile=template.db.in
++zonefile=extrabadkey.example.db
++
++# Add KSK and ZSK that we will mangle to RSAMD5
++ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
++zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
++cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
++"$SIGNER" -g -O full -o "$zone" "$zonefile" >/dev/null 2>&1
++
++# Mangle the signatures to RSAMD5 and save them for future use
++sed -ne "s/\(IN[[:space:]]*RRSIG[[:space:]]*[A-Z]*\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /p" < "$zonefile.signed" > "$zonefile.signed.rsamd5"
++
++# Now add normal KSK and ZSK to the zone file
++ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
++zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
++cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
++
++# Mangle the DNSKEY algorithm numbers and add them to the signed zone file
++cat "$ksk.key" "$zsk.key" | sed -e "s/\(IN[[:space:]]*DNSKEY[[:space:]]*[0-9]* 3\) $DEFAULT_ALGORITHM_NUMBER /\1 1 /" >> "$zonefile"
++
++# Sign normally
++"$SIGNER" -g -o "$zone" "$zonefile" >/dev/null 2>&1
++
++# Add the mangled signatures to signed zone file
++cat "$zonefile.signed.rsamd5" >> "$zonefile.signed"
++rm "$zonefile.signed.rsamd5"
+diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
+index c7b1c3a..e908317 100644
+--- a/bin/tests/system/dnssec/tests.sh
++++ b/bin/tests/system/dnssec/tests.sh
+@@ -4468,5 +4468,16 @@ n=$((n + 1))
+ if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ 
++echo_i "checking extra-bad-algorithm positive validation ($n)"
++ret=0
++dig_with_opts +noauth a.extrabadkey.example. @10.53.0.3 A >dig.out.ns3.test$n || ret=1
++dig_with_opts +noauth a.extrabadkey.example. @10.53.0.4 A >dig.out.ns4.test$n || ret=1
++digcomp --lc dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
++grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
++grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
++n=$((n + 1))
++test "$ret" -eq 0 || echo_i "failed"
++status=$((status + ret))
++
+ echo_i "exit status: $status"
+ [ $status -eq 0 ] || exit 1
+-- 
+2.51.1
+

SOURCES/bind-9.20-CVE-2025-8677-dual-signing.patch

@@ -0,0 +1,36 @@
+From 5126c74ec19f56294cbfdc312f75778d8f249e59 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 3 Nov 2025 22:03:54 +0100
+Subject: [PATCH] Do not abort key search on unsupported algorithm
+
+When supported and unsupported algorithm rrsig is present, some keys may
+return unsupported algorithm error. Continue to next key without
+counting this to validation failures.
+
+(cherry picked from commit 38ddff3336e08983a4c0b5f3ea4eb35bb0f6ac81)
+---
+ lib/dns/validator.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+index 15e177e4d7..a9db844c27 100644
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -1163,7 +1163,13 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
+ 				goto done;
+ 			}
+ 			dst_key_free(&val->key);
+-		} else {
++		} else if (result != DST_R_UNSUPPORTEDALG) {
++			/* Unsupported alg happens when RRset is signed by both
++			 * supported and unsupported alg. */
++			validator_log(val, ISC_LOG_DEBUG(3),
++				      "select_signing_key alg %d keyid %d: %s",
++				      siginfo->algorithm, siginfo->keyid,
++				      isc_result_totext(result));
+ 			break;
+ 		}
+ 		dns_rdata_reset(&rdata);
+-- 
+2.51.1
+

SOURCES/bind-9.21-resume-qmin-cname.patch

@@ -0,0 +1,44 @@
+From ac0c3b0477d97fe5c968910f603bb8d04c740da7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 3 Jun 2025 21:00:58 +0200
+Subject: [PATCH] Handle CNAME and DNAME in resume_min in a special way
+
+When authoritative zone is loaded when query minimization query for the
+same zone is already pending, it might receive unexpected result codes.
+
+Normally DNS_R_CNAME would follow to query_cname after processing sent
+events, but dns_view_findzonecut does not fill CNAME target into
+event->foundevent. Usual lookup via query_lookup would always have that
+filled.
+
+Ideally we would restart the query with unmodified search name, if
+unexpected change from recursing to local zone cut were detected. Until
+dns_view_findzonecut is modified to export zone/cache source of the cut,
+at least fail queries which went into unexpected state.
+---
+ lib/dns/resolver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 795791246b..39a294437e 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -4497,6 +4497,15 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
+ 	if (result == DNS_R_NXDOMAIN) {
+ 		result = DNS_R_SERVFAIL;
+ 	}
++	/*
++	 * CNAME or DNAME means zone were added with that record
++	 * after the start of query minimization queries. It means
++	 * we do not have initialized correct hevent->foundname
++	 * and have to fail.
++	 */
++	if (result == DNS_R_CNAME || result == DNS_R_DNAME) {
++		result = DNS_R_SERVFAIL;
++	}
+ 
+ 	if (result != ISC_R_SUCCESS) {
+ 		goto cleanup;
+-- 
+2.49.0
+

SOURCES/bind-9.5-PIE.patch

@@ -0,0 +1,28 @@
+From 13348a5fc64387bf53ef450688e181100d0ceddb Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 12 Dec 2024 15:56:13 +0100
+Subject: [PATCH] Harden named service build flags
+
+---
+ bin/named/Makefile.am | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
+index 57a023b..b832e9c 100644
+--- a/bin/named/Makefile.am
++++ b/bin/named/Makefile.am
+@@ -33,7 +33,10 @@ endif HAVE_LIBXML2
+ 
+ AM_CPPFLAGS +=						\
+ 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
+-	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
++	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"		\
++	-fpie
++
++AM_LDFLAGS  += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+ 
+ sbin_PROGRAMS = named
+ 
+-- 
+2.47.1
+

SOURCES/named.logrotate

@@ -2,11 +2,9 @@
     missingok
     su named named
     create 0644 named named
+    notifempty
     postrotate
         /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
         /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
-        /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
-        /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
-        /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
     endscript
 }

SPECS/bind9.18.spec

@@ -77,7 +77,7 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
 Version:  9.18.29
-Release:  1%{?dist}
+Release:  5%{?dist}.2
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -114,6 +114,35 @@ Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
 Patch26: bind-9.18-unittest-netmgr-unstable.patch
+# https://issues.redhat.com/browse/FREEIPA-11706
+# https://issues.redhat.com/browse/RHEL-76331
+Patch27: bind-9.18-nsupdate-TLS.patch
+Patch28: bind-9.18-nsupdate-TLS-doc.patch
+Patch29: bind-9.18-nsupdate-TLS-tests.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/commit/c6e6a7af8ac6b575dd3657b0f5cf4248d734c2b0
+Patch30: bind-9.18-CVE-2024-11187-pre-test.patch
+Patch31: bind-9.18-CVE-2024-11187.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/commit/e733e624147155d6cbee7f0f150c79c7ac6b54bb
+Patch32: bind-9.18-CVE-2024-12705.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10562
+# https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
+# downstream patch fixing bind-dyndb-ldap causing issue
+Patch33: bind-9.21-resume-qmin-cname.patch
+# downstream only, extra check for above change, RHEL-30407
+Patch34: bind-9.18-query-fname-relative.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/40c396ba2d955c32d70db04e900e40bf96519c59
+# https://gitlab.isc.org/isc-projects/bind9/commit/7c5b8ef055900224f0424c341927562c5a9ebe19
+Patch223: bind-9.18-CVE-2025-8677.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/025d61bacd0f57f994a631654aff7a933d89a547
+# https://gitlab.isc.org/isc-projects/bind9/commit/cd17dfe696cdf9b8ef23fbc8738de7c79f957846
+# https://gitlab.isc.org/isc-projects/bind9/commit/4c6d03b0bb2ffbafcde8e8a5bc0e49908b978a72
+Patch224: bind-9.18-CVE-2025-40778.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/8330b49fb90bfeae14b47b7983e9459cc2bbaffe
+Patch225: bind-9.18-CVE-2025-40780.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11194
+Patch226: bind-9.20-CVE-2025-8677-dual-signing.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11195
+Patch227: bind-9.20-CVE-2025-8677-dual-signing-test.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -476,6 +505,7 @@ export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
     THREADS=16
     ulimit -n 8092 || : # Requires on some machines with many cores
   fi
+  export ISC_TASK_WORKERS="$THREADS"
   e=0
   make unit -j${THREADS} || e=$?
   # Display details of failure
@@ -961,6 +991,31 @@ fi;
 %endif
 
 %changelog
+* Fri Oct 31 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-5.2
+- Fix upstream reported regression in recent CVE fix (CVE-2025-8677)
+- Add upstream created test to this regression
+
+* Thu Oct 23 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-5.1
+- Refuse malformed DNSKEY records (CVE-2025-8677)
+- Address various spoofing attacks (CVE-2025-40778)
+- Prevent cache poisoning due to weak PRNG (CVE-2025-40780)
+
+* Fri Sep 12 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-5
+- logrotate: skip if empty and remove old variants (RHEL-113942)
+
+* Tue Jun 10 2025 Petr Mensik <pemensik@redhat.com> - 32:9.18.29-4
+- Prevent name.c:670 attributes assertion failed (RHEL-30407)
+- Add extra checks for relative names
+
+* Mon Feb 03 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-3
+- Limit additional section records CPU processing (CVE-2024-11187)
+- Read HTTPS requests in limited chunks and prevent overload (CVE-2024-12705)
+
+* Mon Jan 27 2025 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-2
+- Backport nsupdate TLS support into 9.18 (RHEL-76331)
+- Update nsupdate manual about new TLS options
+- Test nsupdate TLS support
+
 * Wed Aug 21 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.29-1
 - Update to 9.18.29 (RHEL-53015)
 

bind-9.11.12.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMooACgkQdLtrmky7
-PThv2RAAnXNLYTzXtH6ls29tRm5Hc+D6UaeqcWDNQ4BpkRVhrFxtukalGCi9mmB6
-NPJzFyXmaOW654pypCIuEgqJNFUpDtLzLzT7SUF+mhm+5plsaRSBnh4mq87l5KSp
-twODAPnfCJV+HBk5RmToLEstAbGQ7xEBTyQtZoFkY+V7zEFwENKiCvWsoSWOkYR3
-zXo3sKjc83HV9ShbW/mCtbZf5L0qlbrKOAzqJfAFMhNNJi8kMbmr/Zi2sIfN+Rhv
-g8HQo89Epv6r51yAdeED8idIX4rKjjcEtHrZeDmLdCcdHgSEj2sIlH92Joce6vL0
-S59A0rItIXm6fW8sz6WNpcj4tVtWYbIYjXZ4SPFNkaUrHv8cUekq+5vbI+v07Gh3
-2bhtDsDyTY5I1/AsY/EFmwkCAjUS00jZryBnuJpLB3v5JtUog4ek32yLBzPrqRBo
-1876j4nlXAia8mG0OgJNWZ0gHyUPe/TgfR8fQDLmHxHHlKrJNTEwY6bLW8jzFTX1
-zk510fI1K7J9tiQgf5wcBQ2h3EBlqzDNIJDovoATzLYIf0HKyVegh/vnQdtdEhUR
-1DzJAt3bsBfAP1AFfWPD/ACu5Zdm7SxY1wE/pjkwttDU3sRZqOfuwNBGeolu3cVN
-O9/h1zsyVeVS0ui2vu4+V4EvNitmXsVbG2doDq9L5yBiIKGO2Ew=
-=GCy6
------END PGP SIGNATURE-----

bind-9.14.7.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMpEACgkQdLtrmky7
-PTh/sg//QbNRAQvADQfwF1PPo+JxB+3WzQ9oJAWeHbOoiubwkUwO9xE+BEnTNd5o
-oM1lSLqFxNykOTaoeJlqPftPod1cxo7lSzkwflugGyB/59wliCpqCg053YV4x9mO
-QggvA/E50+0FI/Om/7v4GHGADu/JE83FovOueWAB0LgqfDSD6QFcNFF9sUJJ4P7r
-FcEXSWj8QbrHMWBKncZUOpD2ECotvtrYmi0DTHl1XfigESDQpWtsnTFuabCCsvkh
-ch9wQRplAes2Mf/aS5tl1y0QKKBFuEjtGiTdgrDl6o9GLnx6CueX5saZehu2EVkr
-fq2vEYUC2lRQSjuxSMMJ3L0TGUcl7+ixlAIISS2K9L5Xx7MhBXt/EH5KiKPfsEet
-3EH+DhxV5uXjDU7MgvREnxT+ssV23e0HWTz4tVVQ9LpvYmWPIgLcSOhHCc57yoQF
-c46V0f69dMWbMAlQ93EZSG274ZvpIszpK8+3hGI3/TuDFFgiQJeJJBFVtYJMle69
-3mEEclfzO7fBiXZFec6nVx2309bL64bafN7zszPKXl4XgoefOfD0v0eWqQT4fxfm
-dnGC0qMqSZs5F+d0fISV5JUUNYzt9PZjvnzqLLGOeTF6l3/n9G1mmNsXcxJ1OEIF
-6qh1oO7JTPjt0MFhKac4QjNQi/Bnp25O3I/PRyWZCbiwXkyvyQU=
-=ZT7s
------END PGP SIGNATURE-----

bind-9.5-PIE.patch

@@ -1,17 +0,0 @@
-diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
-index 57a023b..085f2f7 100644
---- a/bin/named/Makefile.am
-+++ b/bin/named/Makefile.am
-@@ -32,9 +32,12 @@ AM_CPPFLAGS +=				\
- endif HAVE_LIBXML2
- 
- AM_CPPFLAGS +=						\
-+	-fpie                                           \
- 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
- 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
- 
-+AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
-+
- sbin_PROGRAMS = named
- 
- nodist_named_SOURCES = xsl.c

bind97-exportlib.patch

@@ -1,226 +0,0 @@
-diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
-diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
---- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/export/dns/Makefile.in	2013-05-13 10:45:22.574089729 +0200
-@@ -35,9 +35,9 @@ CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_
- 
- CWARNINGS =
- 
--ISCLIBS =	../isc/libisc.@A@
-+ISCLIBS =	../isc/libisc-export.@A@
- 
--ISCDEPLIBS =	../isc/libisc.@A@
-+ISCDEPLIBS =	../isc/libisc-export.@A@
- 
- LIBS =		@LIBS@
- 
-@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c
- 		-DLIBAGE=${LIBAGE} \
- 		-c ${srcdir}/version.c
- 
--libdns.@SA@: ${OBJS}
-+libdns-export.@SA@: ${OBJS}
- 	${AR} ${ARFLAGS} $@ ${OBJS}
- 	${RANLIB} $@
- 
--libdns.la: ${OBJS}
-+libdns-export.la: ${OBJS}
- 	${LIBTOOL_MODE_LINK} \
--		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
-+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
- 		-rpath ${export_libdir} \
- 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- 		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
- 
--timestamp: libdns.@A@
-+timestamp: libdns-export.@A@
- 	touch timestamp
- 
- installdirs:
- 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
- 
- install:: timestamp installdirs
--	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
-+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
- 	${DESTDIR}${export_libdir}/
- 
- clean distclean::
--	rm -f libdns.@A@ timestamp
-+	rm -f libdns-export.@A@ timestamp
- 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
- 	rm -f include/dns/rdatastruct.h
- 
-diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
---- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/export/irs/Makefile.in	2013-05-13 10:45:22.575089729 +0200
-@@ -43,9 +43,9 @@ SRCS =		context.c \
- 		gai_sterror.c getaddrinfo.c getnameinfo.c \
- 		resconf.c
- 
--ISCLIBS =	../isc/libisc.@A@
--DNSLIBS =	../dns/libdns.@A@
--ISCCFGLIBS =	../isccfg/libisccfg.@A@
-+ISCLIBS =	../isc/libisc-export.@A@
-+DNSLIBS =	../dns/libdns-export.@A@
-+ISCCFGLIBS =	../isccfg/libisccfg-export.@A@
- 
- LIBS =		@LIBS@
- 
-@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c
- 		-DLIBAGE=${LIBAGE} \
- 		-c ${srcdir}/version.c
- 
--libirs.@SA@: ${OBJS} version.@O@
-+libirs-export.@SA@: ${OBJS} version.@O@
- 	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
- 	${RANLIB} $@
- 
--libirs.la: ${OBJS} version.@O@
-+libirs-export.la: ${OBJS} version.@O@
- 	${LIBTOOL_MODE_LINK} \
--		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
-+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \
- 		-rpath ${export_libdir} \
- 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- 		${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
- 
--timestamp: libirs.@A@
-+timestamp: libirs-export.@A@
- 	touch timestamp
- 
- installdirs:
- 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
- 
- install:: timestamp installdirs
--	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
-+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \
- 	${DESTDIR}${export_libdir}/
- 
- clean distclean::
--	rm -f libirs.@A@ libirs.la timestamp
-+	rm -f libirs-export.@A@ libirs-export.la timestamp
-diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
---- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in	2013-05-13 10:45:22.576089729 +0200
-@@ -30,11 +30,11 @@ CINCLUDES =	-I. ${DNS_INCLUDES} -I${expo
- CDEFINES =
- CWARNINGS =
- 
--ISCLIBS =	../isc/libisc.@A@
--DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-+ISCLIBS =	../isc/libisc-export.@A@
-+DNSLIBS =	../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
- 
- ISCDEPLIBS =	../../lib/isc/libisc.@A@
--ISCCFGDEPLIBS =	libisccfg.@A@
-+ISCCFGDEPLIBS =	libisccfg-export.@A@
- 
- LIBS =		@LIBS@
- 
-@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c
- 		-DLIBAGE=${LIBAGE} \
- 		-c ${srcdir}/version.c
- 
--libisccfg.@SA@: ${OBJS}
-+libisccfg-export.@SA@: ${OBJS}
- 	${AR} ${ARFLAGS} $@ ${OBJS}
- 	${RANLIB} $@
- 
--libisccfg.la: ${OBJS}
-+libisccfg-export.la: ${OBJS}
- 	 ${LIBTOOL_MODE_LINK} \
--		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
-+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \
- 		-rpath ${export_libdir} \
- 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- 		${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
- 
--timestamp: libisccfg.@A@
-+timestamp: libisccfg-export.@A@
- 	touch timestamp
- 
- installdirs:
- 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
- 
- install:: timestamp installdirs
--	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
-+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \
- 	${DESTDIR}${export_libdir}/
- 
- clean distclean::
--	rm -f libisccfg.@A@ timestamp
-+	rm -f libisccfg-export.@A@ timestamp
-diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
---- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/export/isc/Makefile.in	2013-05-13 10:45:22.576089729 +0200
-@@ -100,6 +100,10 @@ SRCS =		@ISC_EXTRA_SRCS@ \
- 
- LIBS =		@LIBS@
- 
-+# Note: the order of SUBDIRS is important.
-+# Attempt to disable parallel processing.
-+.NOTPARALLEL:
-+.NO_PARALLEL:
- SUBDIRS =	include unix nls @ISC_THREAD_DIR@
- TARGETS =	timestamp
- 
-@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c
- 		-DLIBAGE=${LIBAGE} \
- 		-c ${srcdir}/version.c
- 
--libisc.@SA@: ${OBJS}
-+libisc-export.@SA@: ${OBJS}
- 	${AR} ${ARFLAGS} $@ ${OBJS}
- 	${RANLIB} $@
- 
--libisc.la: ${OBJS}
-+libisc-export.la: ${OBJS}
- 	${LIBTOOL_MODE_LINK} \
--		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
-+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
- 		-rpath ${export_libdir} \
- 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- 		${OBJS} ${LIBS}
- 
--timestamp: libisc.@A@
-+timestamp: libisc-export.@A@
- 	touch timestamp
- 
- installdirs:
- 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
- 
- install:: timestamp installdirs
--	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
-+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
- 	${DESTDIR}${export_libdir}
- 
- clean distclean::
--	rm -f libisc.@A@ libisc.la timestamp
-+	rm -f libisc-export.@A@ libisc-export.la timestamp
-diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
---- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
-+++ bind-9.9.3rc2/lib/export/samples/Makefile.in	2013-05-13 10:45:22.577089729 +0200
-@@ -31,15 +31,15 @@ CINCLUDES =	-I${srcdir}/include -I../dns
- CDEFINES =
- CWARNINGS =
- 
--DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
--ISCLIBS =	../isc/libisc.@A@
--ISCCFGLIBS =	../isccfg/libisccfg.@A@
--IRSLIBS =	../irs/libirs.@A@
-+DNSLIBS =	../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
-+ISCLIBS =	../isc/libisc-export.@A@
-+ISCCFGLIBS =	../isccfg/libisccfg-export.@A@
-+IRSLIBS =	../irs/libirs-export.@A@
- 
--DNSDEPLIBS =	../dns/libdns.@A@
--ISCDEPLIBS =	../isc/libisc.@A@
--ISCCFGDEPLIBS =	../isccfg/libisccfg.@A@
--IRSDEPLIBS =	../irs/libirs.@A@
-+DNSDEPLIBS =	../dns/libdns-export.@A@
-+ISCDEPLIBS =	../isc/libisc-export.@A@
-+ISCCFGDEPLIBS =	../isccfg/libisccfg-export.@A@
-+IRSDEPLIBS =	../irs/libirs-export.@A@
- 
- DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
- 

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

codesign2019.txt

@@ -1,252 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Comment: GPGTools - http://gpgtools.org
-
-mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
-r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
-pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
-yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
-ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
-/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
-qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
-UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
-SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
-o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
-LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
-tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
-LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
-EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
-Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
-1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
-tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
-5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
-Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
-JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
-hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
-xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
-gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
-pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
-vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
-6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ
-lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ
-yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+
-Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94
-1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV
-+JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS
-Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6
-0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg
-bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3
-/EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM
-gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b
-+C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624
-9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf
-SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw
-XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs
-NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29
-ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU
-+BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd
-0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk
-X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m
-+8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2
-8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6
-fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i
-P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg
-9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU
-ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa
-FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE
-zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb
-9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr
-c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm
-Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ
-LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0
-dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L
-Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu
-EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX
-TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA
-JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM
-uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S
-Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5
-rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq
-iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo
-Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3
-w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA
-9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3
-EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9
-8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT
-VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs
-puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB
-EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1
-+7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK
-7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza
-md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg
-KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB
-kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV
-uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT
-1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C
-j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn
-riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z
-PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm
-FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7
-PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft
-XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd
-1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT
-wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL
-dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi
-oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT
-5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA
-Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX
-zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1
-uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ
-R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j
-V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz
-I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy
-NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7
-QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+
-LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C
-aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR
-Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq
-A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7
-AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d
-r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34
-c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC
-mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg
-ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax
-iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH
-Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg
-QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN
-wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z
-1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb
-IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh
-wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9
-/S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3
-S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw
-/D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ
-/AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd
-FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf
-rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi
-BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA
-fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII
-8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI
-Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7
-Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO
-irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97
-GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/
-Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97
-ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp
-lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+
-cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V
-87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL
-JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh
-AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi
-4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra
-QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf
-h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6
-+TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id
-37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ
-5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH
-H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c
-zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P
-96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC
-B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi
-/z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H
-0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/
-EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH
-NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL
-cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE
-VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5
-Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw
-kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9
-OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360
-tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky
-pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb
-xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h
-hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe
-P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h
-5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy
-wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl
-uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s
-wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS
-h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L
-J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0
-1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq
-hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN
-8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G
-CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09
-rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb
-sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh
-GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2
-5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy
-0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq
-z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ
-sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d
-8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx
-te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz
-EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo
-p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2
-HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB
-hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT
-4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3
-MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy
-vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v
-fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2
-qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4
-QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF
-CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK
-eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG
-2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP
-rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB
-ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD
-L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I
-wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr
-SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a
-sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO
-SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd
-Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m
-PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x
-LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c
-aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh
-AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD
-3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb
-x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76
-gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6
-NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi
-BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu
-AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq
-BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2
-cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc
-W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW
-vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0
-s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K
-yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt
-nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l
-NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3
-LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M
-yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6
-0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu
-76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX
-tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY
-AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7
-a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ
-F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H
-TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO
-y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT
-94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B
-0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5
-eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8
-k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku
-PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r
-pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki
-0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i
-6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+
-I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm
-++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd
-CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f
-ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy
-rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey
-WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC
-hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT
-uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT
-RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+
-XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT
-nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0=
-=MkGo
------END PGP PUBLIC KEY BLOCK-----

gating.yaml

@@ -1,25 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#Rawhide
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
- 
-#gating rhel
---- !Policy
-product_versions:
-  - rhel-*
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-public.functional}
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

ldap2zone.c

@@ -1,411 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
- * $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- */
-
-#define LDAP_DEPRECATED 1
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-
-#include <ldap.h>
-
-struct string {
-    void *data;
-    size_t len;
-};
-
-struct assstack_entry {
-    struct string key;
-    struct string val;
-    struct assstack_entry *next;
-};
-
-struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
-void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
-void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
-void printsoa(struct string *soa);
-void printrrs(char *defaultttl, struct assstack_entry *item);
-void print_zone(char *defaultttl, struct assstack_entry *stack);
-void usage(char *name);
-void err(char *name, const char *msg);
-int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
-
-struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
-    for (; stack; stack = stack->next)
-	if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
-	    return stack;
-    return NULL;
-}
-
-void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
-    item->next = *stack;
-    *stack = item;
-}
-
-void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
-    struct assstack_entry *p;
-    
-    item->next = NULL;
-    if (!*stack) {
-	*stack = item;
-	return;
-    }
-    /* find end, should keep track of end somewhere */
-    /* really a queue, not a stack */
-    p = *stack;
-    while (p->next)
-	p = p->next;
-    p->next = item;
-}
-
-void printsoa(struct string *soa) {
-    char *s;
-    size_t i;
-    
-    s = (char *)soa->data;
-    i = 0;
-    while (i < soa->len) {
-	putchar(s[i]);
-	if (s[i++] == ' ')
-	    break;
-    }
-    while (i < soa->len) {
-	putchar(s[i]);
-	if (s[i++] == ' ')
-	    break;
-    } 
-    printf("(\n\t\t\t\t");
-    while (i < soa->len) {
-	putchar(s[i]);
-	if (s[i++] == ' ')
-	    break;
-    }
-    printf("; Serialnumber\n\t\t\t\t");
-    while (i < soa->len) {
-	if (s[i] == ' ')
-	    break;
-	putchar(s[i++]);
-    }
-    i++;
-    printf("\t; Refresh\n\t\t\t\t");
-    while (i < soa->len) {
-	if (s[i] == ' ')
-	    break;
-	putchar(s[i++]);
-    }
-    i++;
-    printf("\t; Retry\n\t\t\t\t");
-    while (i < soa->len) {
-	if (s[i] == ' ')
-	    break;
-	putchar(s[i++]);
-    }
-    i++;
-    printf("\t; Expire\n\t\t\t\t");
-    while (i < soa->len) {
-	putchar(s[i++]);
-    }
-    printf(" )\t; Minimum TTL\n");
-}
-
-void printrrs(char *defaultttl, struct assstack_entry *item) {
-    struct assstack_entry *stack;
-    char *s;
-    int first;
-    size_t i;
-    char *ttl, *type;
-    int top;
-    
-    s = (char *)item->key.data;
-
-    if (item->key.len == 1 && *s == '@') {
-	top = 1;
-	printf("@\t");
-    } else {
-	top = 0;
-	for (i = 0; i < item->key.len; i++)
-	    putchar(s[i]);
-	if (item->key.len < 8)
-	    putchar('\t');
-	putchar('\t');
-    }
-    
-    first = 1;
-    for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
-	ttl = (char *)stack->key.data;
-	s = strchr(ttl, ' ');
-	*s++ = '\0';
-	type = s;
-	
-	if (first)
-	    first = 0;
-        else
-	    printf("\t\t");
-	    
-	if (strcmp(defaultttl, ttl))
-	    printf("%s", ttl);
-	putchar('\t');
-	
-	if (top) {
-	    top = 0;
-	    printf("IN\t%s\t", type);
-	    /* Should always be SOA here */
-	    if (!strcmp(type, "SOA")) {
-		printsoa(&stack->val);
-		continue;
-	    }
-	} else
-	    printf("%s\t", type);
-
-	s = (char *)stack->val.data;
-	for (i = 0; i < stack->val.len; i++)
-	    putchar(s[i]);
-	putchar('\n');
-    }
-}
-
-void print_zone(char *defaultttl, struct assstack_entry *stack) {
-    printf("$TTL %s\n", defaultttl);
-    for (; stack; stack = stack->next)
-	printrrs(defaultttl, stack);
-};
-
-void usage(char *name) {
-    fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
-    exit(1);
-};
-
-void err(char *name, const char *msg) {
-    fprintf(stderr, "%s: %s\n", name, msg);
-    exit(1);
-};
-
-int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
-    struct string key;
-    struct assstack_entry *rr, *rrdata;
-    
-    /* Do nothing if name or value have 0 length */
-    if (!name->bv_len || !val->bv_len)
-	return 0;
-
-    /* see if already have an entry for this name */
-    key.len = name->bv_len;
-    key.data = name->bv_val;
-
-    rr = assstack_find(*stack, &key);
-    if (!rr) {
-	/* Not found, create and push new entry */
-	rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
-	if (!rr)
-	    return -1;
-	rr->key.len = name->bv_len;
-	rr->key.data = (void *) malloc(rr->key.len);
-	if (!rr->key.data) {
-	    free(rr);
-	    return -1;
-	}
-	memcpy(rr->key.data, name->bv_val, name->bv_len);
-	rr->val.len = sizeof(void *);
-	rr->val.data = NULL;
-	if (name->bv_len == 1 && *(char *)name->bv_val == '@')
-	    assstack_push(stack, rr);
-	else
-	    assstack_insertbottom(stack, rr);
-    }
-
-    rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
-    if (!rrdata) {
-	free(rr->key.data);
-	free(rr);
-	return -1;
-    }
-    rrdata->key.len = strlen(type) + strlen(ttl) + 1;
-    rrdata->key.data = (void *) malloc(rrdata->key.len);
-    if (!rrdata->key.data) {
-	free(rrdata);
-	free(rr->key.data);
-	free(rr);
-	return -1;
-    }
-    sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
-	
-    rrdata->val.len = val->bv_len;
-    rrdata->val.data = (void *) malloc(val->bv_len);
-    if (!rrdata->val.data) {
-	free(rrdata->key.data);
-	free(rrdata);
-	free(rr->key.data);
-	free(rr);
-	return -1;
-    }
-    memcpy(rrdata->val.data, val->bv_val, val->bv_len);
-
-    if (!strcmp(type, "SOA"))
-	assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
-    else
-	assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
-    return 0;
-}
-
-int main(int argc, char **argv) {
-    char *s, *hostporturl, *base = NULL;
-    char *ttl, *defaultttl;
-    LDAP *ld;
-    char *fltr = NULL;
-    LDAPMessage *res, *e;
-    char *a, **ttlvals, **soavals, *serial;
-    struct berval **vals, **names;
-    char type[64];
-    BerElement *ptr;
-    int i, j, rc, msgid;
-    struct assstack_entry *zone = NULL;
-    
-    if (argc < 4 || argc > 5)
-        usage(argv[0]);
-
-    hostporturl = argv[2];
-
-    if (hostporturl != strstr( hostporturl, "ldap"))
-	err(argv[0], "Not an LDAP URL");
-
-    s = strchr(hostporturl, ':');
-
-    if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
-	err(argv[0], "Not an LDAP URL");
-
-    s = strchr(s+3, '/');
-    if (s) {
-	*s++ = '\0';
-	base = s;
-	s = strchr(base, '?');
-	if (s)
-	    err(argv[0], "LDAP URL can only contain host, port and base");
-    }
-
-    defaultttl = argv[3];
-    
-    rc = ldap_initialize(&ld, hostporturl);
-    if (rc != LDAP_SUCCESS)
-	err(argv[0], "ldap_initialize() failed");
-
-    if (argc == 5) {
-	/* serial number specified, check if different from one in SOA */
-	fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
-	sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
-	msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
-	if (msgid == -1)
-	    err(argv[0], "ldap_search() failed");
-
-	while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
-	    /* not supporting continuation references at present */
-	    if (rc != LDAP_RES_SEARCH_ENTRY)
-		err(argv[0], "ldap_result() returned cont.ref? Exiting");
-
-	    /* only one entry per result message */
-	    e = ldap_first_entry(ld, res);
-	    if (e == NULL) {
-		ldap_msgfree(res);
-		err(argv[0], "ldap_first_entry() failed");
-	    }
-	
-	    soavals = ldap_get_values(ld, e, "SOARecord");
-	    if (soavals)
-		break;
-	}
-
-	ldap_msgfree(res);
-	if (!soavals) {
-		err(argv[0], "No SOA Record found");
-	}
-	
-	/* We have a SOA, compare serial numbers */
-	/* Only checkinf first value, should be only one */
-	s = strchr(soavals[0], ' ');
-	s++;
-	s = strchr(s, ' ');
-	s++;
-	serial = s;
-	s = strchr(s, ' ');
-	*s = '\0';
-	if (!strcmp(serial, argv[4])) {
-	    ldap_value_free(soavals);
-	    err(argv[0], "serial numbers match");
-	}
-	ldap_value_free(soavals);
-    }
-
-    if (!fltr)
-	fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
-    if (!fltr)
-	err(argv[0], "Malloc failed");
-    sprintf(fltr, "(zoneName=%s)", argv[1]);
-
-    msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
-    if (msgid == -1)
-	err(argv[0], "ldap_search() failed");
-
-    while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
-	/* not supporting continuation references at present */
-	if (rc != LDAP_RES_SEARCH_ENTRY)
-	    err(argv[0], "ldap_result() returned cont.ref? Exiting");
-
-	/* only one entry per result message */
-	e = ldap_first_entry(ld, res);
-	if (e == NULL) {
-	    ldap_msgfree(res);
-	    err(argv[0], "ldap_first_entry() failed");
-	}
-	
-	names = ldap_get_values_len(ld, e, "relativeDomainName");
-	if (!names)
-	    continue;
-	
-	ttlvals = ldap_get_values(ld, e, "dNSTTL");
-	ttl = ttlvals ? ttlvals[0] : defaultttl;
-
-	for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
-	    char *s;
-
-	    for (s = a; *s; s++)
-		*s = toupper(*s);
-	    s = strstr(a, "RECORD");
-	    if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
-		ldap_memfree(a);
-		continue;
-	    }
-			
-	    strncpy(type, a, s - a);
-	    type[s - a] = '\0';
-	    vals = ldap_get_values_len(ld, e, a);
-	    if (vals) {
-		for (i = 0; vals[i]; i++)
-		    for (j = 0; names[j]; j++)
-			if (putrr(&zone, names[j], type, ttl, vals[i]))
-			    err(argv[0], "malloc failed");
-		ldap_value_free_len(vals);
-	    }
-	    ldap_memfree(a);
-	}
-
-	if (ptr)
-	    ber_free(ptr, 0);
-	if (ttlvals)
-	    ldap_value_free(ttlvals);
-	ldap_value_free_len(names);
-	/* free this result */
-	ldap_msgfree(res);
-    }
-
-    /* free final result */
-    ldap_msgfree(res);
-
-    print_zone(defaultttl, zone);
-    return 0;
-}

makefile-replace-libs.py

@@ -1,143 +0,0 @@
-#!/usr/bin/python3
-#
-# Makefile modificator
-#
-# Should help in building bin/tests/system tests standalone,
-# linked to libraries installed into the system.
-# TODO:
-# - Fix top_srcdir, because dyndb/driver/Makefile uses $TOPSRC/mkinstalldirs
-# - Fix conf.sh to contain paths to system tools
-# - Export $TOP/version somewhere, where it would be used
-# - system tests needs bin/tests code. Do not include just bin/tests/system
-#
-# Possible solution:
-#
-# sed -e 's/$TOP\/s\?bin\/\(delv\|confgen\|named\|nsupdate\|pkcs11\|python\|rndc\|check\|dig\|dnssec\|tools\)\/\([[:alnum:]-]\+\)/`type -p \2`/' conf.sh
-# sed -e 's,../../../../\(isc-config.sh\),\1,' builtin/tests.sh
-# or use: $NAMED -V | head -1 | cut -d ' ' -f 2
-
-import re
-import argparse
-
-"""
-Script for replacing Makefile ISC_INCLUDES with runtime flags.
-
-Should translate part of Makefile to use isc-config.sh instead static linked sources.
-ISC_INCLUDES = -I/home/pemensik/rhel/bind/bind-9.11.12/build/lib/isc/include \
-        -I${top_srcdir}/lib/isc \
-        -I${top_srcdir}/lib/isc/include \
-        -I${top_srcdir}/lib/isc/unix/include \
-        -I${top_srcdir}/lib/isc/pthreads/include \
-        -I${top_srcdir}/lib/isc/x86_32/include
-
-Should be translated to:
-ISC_INCLUDES = $(shell isc-config.sh --cflags isc)
-"""
-
-def isc_config(mode, lib):
-    if mode:
-        return '$(shell isc-config.sh {mode} {lib})'.format(mode=mode, lib=lib)
-    else:
-        return ''
-
-def check_match(match, debug=False):
-    """
-    Check this definition is handled by internal library
-    """
-    if not match:
-        return False
-    lib = match.group(2).lower()
-    ok = not lib_filter or lib in lib_filter
-    if debug:
-        print('{status} {lib}: {text}'.format(status=ok, lib=lib, text=match.group(1)))
-    return ok
-
-def fix_line(match, mode):
-    lib = match.group(2).lower()
-    return match.group(1)+isc_config(mode, lib)+"\n"
-
-def fix_file_lines(path, debug=False):
-    """
-    Opens file and scans fixes selected parameters
-
-    Returns list of lines if something should be changed,
-    None if no action is required
-    """
-    fixed = []
-    changed = False
-    with open(path, 'r') as fin:
-        fout = None
-
-        line = next(fin, None)
-        while line:
-            appended = False
-            while line.endswith("\\\n"):
-                line += next(fin, None)
-
-            inc = re_includes.match(line)
-            deplibs = re_deplibs.match(line)
-            libs = re_libs.match(line)
-            newline = None
-            if check_match(inc, debug=debug):
-                newline = fix_line(inc, '--cflags')
-            elif check_match(deplibs, debug=debug):
-                newline = fix_line(libs, None)
-            elif check_match(libs, debug=debug):
-                newline = fix_line(libs, '--libs')
-
-            if newline and line != newline:
-                changed = True
-                line = newline
-
-            fixed.append(line)
-            line = next(fin, None)
-
-    if not changed:
-        return None
-    else:
-        return fixed
-
-def write_lines(path, lines):
-    fout = open(path, 'w')
-    for line in lines:
-        fout.write(line)
-    fout.close()
-
-def print_lines(lines):
-    for line in lines:
-        print(line, end='')
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Makefile multiline include replacer')
-    parser.add_argument('files', nargs='+')
-    parser.add_argument('--filter', type=str,
-            default='isc isccc isccfg dns lwres bind9 irs',
-            help='List of libraries supported by isc-config.sh')
-    parser.add_argument('--check', action='store_true',
-            help='Test file only')
-    parser.add_argument('--print', action='store_true',
-            help='Print changed file only')
-    parser.add_argument('--debug', action='store_true',
-            help='Enable debug outputs')
-
-    args = parser.parse_args()
-    lib_filter = None
-
-    re_includes = re.compile(r'^\s*((\w+)_INCLUDES\s+=\s*).*')
-    re_deplibs = re.compile(r'^\s*((\w+)DEPLIBS\s*=).*')
-    re_libs = re.compile(r'^\s*((\w+)LIBS\s*=).*')
-
-    if args.filter:
-        lib_filter = set(args.filter.split(' '))
-        pass
-
-    for path in args.files:
-        lines = fix_file_lines(path, debug=args.debug)
-        if lines:
-            if args.print:
-                print_lines(lines)
-            elif not args.check:
-                write_lines(path, lines)
-                print('File {path} was fixed'.format(path=path))
-        else:
-            print('File {path} does not need fixing'.format(path=path))

plans.fmf

@@ -1,39 +0,0 @@
-environment+:
-  PACKAGE: bind9.18
-
-/tier1-internal:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/bind.git
-      name: /plans/bind9.18/tier1/internal
-
-/tier1-public:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/bind.git
-      name: /plans/bind9.18/tier1/public
-
-
-/tier2-tier3-internal:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/bind.git
-      name: /plans/bind9.18/tier2-tier3/internal
-
-/tier2-tier3-public:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/bind.git
-      name: /plans/bind9.18/tier2-tier3/public
-
-/others-internal:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/bind.git
-      name: /plans/bind9.18/others/internal
-
-/others-public:
-  plan:
-    import:
-      url: https://src.fedoraproject.org/tests/bind.git
-      name: /plans/bind9.18/others/public

softhsm2.conf.in

@@ -1,10 +0,0 @@
-# SoftHSM v2 configuration file
-
-directories.tokendir = @TOKENPATH@
-objectstore.backend = file
-
-# ERROR, WARNING, INFO, DEBUG
-log.level = ERROR
-
-# If CKF_REMOVABLE_DEVICE flag should be set
-slots.removable = false

sources

@@ -1,2 +0,0 @@
-SHA512 (bind-9.18.29.tar.xz) = 6c2676e2e2cb90f3bd73afb367813c54d1c961e12df1e12e41b9d0ee5a1d5cdf368d81410469753eaef37e43358b56796f078f3b2f20c3b247c4bef91d56c716
-SHA512 (bind-9.18.29.tar.xz.asc) = 6612c7151c4c1736e0237b8219cefbafbc1dcd4b04ad9b12b99cba703e6debde90d2f9838dd1465a47b9a002a598d9b8f3221dfe1a3bdc41436a92e6d06db472