bind/bind.spec

%bcond_with    SYSTEMTEST
%bcond_without GSSTSIG
%bcond_without PKCS11
%bcond_without JSON
%bcond_with    DLZ
%bcond_with    GEOIP2
%bcond_without UNITTEST
%bcond_with    DNSTAP
%bcond_without LMDB
%bcond_with    DOC
%bcond_with    TSAN

%{?!bind_uid:  %global bind_uid  25}
%{?!bind_gid:  %global bind_gid  25}
%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
%global        bind_dir          /var/named
%global        _unitdir          /usr/lib/systemd/system
%global        _tmpfilesdir      /usr/lib/tmpfiles.d
%global        chroot_prefix     %{bind_dir}/chroot
%global        chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
                                         %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
                                         %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4

%global        selinuxbooleans   named_write_master_zones=1
%define bind_export_libs isc dns isccfg irs
%{!?_export_dir:%global _export_dir /bind9-export/}
%undefine _strict_symbol_defs_build

Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name:     bind
License:  MPLv2.0
Version:  9.16.23
Release:  12
Epoch:    32
Url:      https://www.isc.org/downloads/bind/
#
Source0:  https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
Source1:  named.sysconfig
Source2:  https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz.asc
Source3:  named.logrotate
Source4:  https://downloads.isc.org/isc/pgpkeys/codesign2021.txt
Source16: named.conf
# Refresh by command: dig @a.root-servers.net. +tcp +norec
# or from URL
Source17: https://www.internic.net/domain/named.root
Source18: named.localhost
Source19: named.loopback
Source20: named.empty
Source23: named.rfc1912.zones
Source25: named.conf.sample
Source27: named.root.key
Source35: bind.tmpfiles.d
Source36: trusted-key.key
Source37: named.service
Source38: named-chroot.service
Source41: setup-named-chroot.sh
Source42: generate-rndc-key.sh
Source43: named.rwtab
Source44: named-chroot-setup.service
Source46: named-setup-rndc.service
Source47: named-pkcs11.service
Source48: setup-named-softhsm.sh
Source49: named-chroot.files

Patch1:bind-9.14-config-pkcs11.patch
Patch2:bind-9.10-dist-native-pkcs11.patch
Patch3:bind-9.11-kyua-pkcs11.patch
# Common patches
Patch10: bind-9.5-PIE.patch
Patch16: bind-9.16-redhat_doc.patch
Patch72: bind-9.5-dlz-64bit.patch
Patch106:bind93-rh490837.patch
Patch112:bind97-rh645544.patch
Patch130:bind-9.9.1-P2-dlz-libdb.patch
Patch157:bind-9.11-fips-tests.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689
Patch164:bind-9.11-rh1666814.patch

Patch6000: CVE-2022-0396.patch
Patch6001: CVE-2021-25220.patch
Patch6002: CVE-2022-2795.patch
Patch6003: CVE-2022-38177.patch
Patch6004: CVE-2022-38178.patch
Patch6005: CVE-2022-3080.patch
Patch6006: CVE-2022-2881.patch
Patch6007: CVE-2022-2906.patch

Patch6008:backport-0001-Do-not-convert-ISC_R_NOSPACE-to-DNS_R_SERVFAIL-too-e.patch
Patch6009:backport-0001-Exercise-ISC_R_NOSPACE-path-in-dns_sdlz_putrr.patch
Patch6010:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch
Patch6011:backport-0002-Add-a-regression-test.patch
Patch6012:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch
Patch6013:backport-0004-Stop-leaking-mutex-in-nmworker-and-cond-in-nm-socket.patch
Patch6014:backport-0005-Address-memory-leak-when-processing-dnssec-policy-cl.patch
Patch6015:backport-0005-Report-duplicate-dnssec-policy-names.patch
Patch6016:backport-0006-Prevent-a-shutdown-race-in-catz_create_chg_task.patch
Patch6017:backport-0007-Fix-bug-introduced-by-763-related-to-offline-keys.patch
Patch6018:backport-0007-Only-warn-if-we-could-not-delete-signature.patch
Patch6019:backport-0007-Update-autosign-test.patch
Patch6020:backport-0007-Replace-RSASHA1-in-autosign-test-with-default-alg.patch
Patch6021:backport-0008-On-shutdown-return-ISC_R_SHUTTINGDOWN-from-isc_taskm.patch
Patch6022:backport-0009-Remove-taskmgr-excl_lock-fix-the-locking-for-taskmgr.patch
Patch6023:backport-0010-add-UV_ENOTSUP-to-isc___nm_uverr2result.patch
Patch6024:backport-0011-rndc-add-an-extra-task-reference.patch
Patch6025:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch
Patch6026:backport-0012-Add-a-system-test-for-view-reverting-after-a-failed-.patch
Patch6027:backport-0012-Fix-a-memory-leak-in-dns_dlzcreate.patch
Patch6028:backport-0012-Fix-invalid-control-port-number-in-the-catz-system-t.patch
Patch6029:backport-0012-Improve-the-view-configuration-error-handling-and-re.patch
Patch6030:backport-0012-Improve-the-zones-view-reverting-logic-when-a-zone-i.patch
Patch6031:backport-0013-Add-log-message-when-hard-quota-is-reached-in-TCP-ac.patch
Patch6032:backport-0014-Update-writetimeout-to-be-T_IDLE-in-netmgr_test.c.patch
Patch6033:backport-0014-Rename-sock-timer-to-sock-read_timer.patch
Patch6034:backport-0014-Add-TCP-TCPDNS-and-TLSDNS-write-timer.patch
Patch6035:backport-0014-Add-TCP-write-timeout-system-test.patch
Patch6036:backport-0014-Add-isc_nmhandle_setwritetimeout-function.patch
Patch6037:backport-0015-Fix-more-ns_statscounter_recursclients-underflows.patch
Patch6038:backport-0016-Properly-free-up-enqueued-netievents-in-nm_destroy.patch
Patch6039:backport-0017-Delay-isc__nm_uvreq_t-deallocation-to-connection-cal.patch
Patch6040:backport-0018-Handle-TCP-sockets-in-isc__nmsocket_reset.patch
Patch6041:backport-0019-Use-unsigned-arithmetic-when-shifting-by-24.patch
Patch6042:backport-0020-Grow-the-lex-token-buffer-in-one-more-place.patch
Patch6043:backport-0021-Add-test-configurations-with-invalid-dnssec-policy-c.patch
Patch6044:backport-0021-Check-dnssec-policy-key-roles-for-validity.patch
Patch6045:backport-0022-Add-network-manager-based-timer-API.patch
Patch6046:backport-0022-Change-single-write-timer-to-per-send-timers.patch
Patch6048:backport-0022-On-shutdown-reset-the-established-TCP-connections.patch
Patch6049:backport-0023-Log-not-authoritative-for-update-zone-more-clearly.patch
Patch6050:backport-0024-Prevent-arithmetic-overflow-of-i-in-master.c-generat.patch
Patch6051:backport-0024-update-shell-syntax.patch
Patch6052:backport-0024-add-a-system-test-for-GENERATE-with-an-integer-overf.patch
Patch6053:backport-0025-Test-CDS-DELETE-persists-after-zone-sign.patch
Patch6054:backport-0025-Update-dns_dnssec_syncdelete-function.patch
Patch6055:backport-0026-Check-that-pending-negative-cache-entries-for-DS-can.patch
Patch6056:backport-0026-Update-the-rdataset-trust-field-in-ncache.c-rdataset.patch
Patch6057:backport-0027-Prevent-memory-bloat-caused-by-a-jemalloc-quirk.patch
Patch6058:backport-0028-Ensure-diff-variable-is-not-read-uninitialized.patch
Patch6059:backport-0029-Initialize-printed-buffer.patch
Patch6060:backport-0030-Additional-safety-check-for-negative-array-index.patch
Patch6061:backport-0031-Fix-dig-nssearch-race-between-recv_done-and-send_don.patch
Patch6062:backport-0032-Process-the-delegating-NS-RRset-when-checking-rpz-ru.patch
Patch6063:backport-0032-Allow-DNS_RPZ_POLICY_ERROR-to-be-converted-to-a-stri.patch
Patch6064:backport-0032-Add-test-cases-using-static-and-static-stub-zones.patch
Patch6065:backport-0032-Check-the-cache-as-well-when-glue-NS-are-returned-pr.patch
Patch6066:backport-0032-Process-learned-records-as-well-as-glue.patch
Patch6067:backport-0033-Lock-the-trampoline-when-attaching.patch
Patch6068:backport-0034-prevent-a-possible-buffer-overflow-in-configuration-.patch
Patch6069:backport-0035-Add-lower-bound-checks-to-fetchlimit-test.patch
Patch6070:backport-0035-Disable-EDNS-for-the-fetchlimit-test-server.patch
Patch6071:backport-0035-Fix-the-fetches-per-server-quota-calculation.patch
Patch6072:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch
Patch6073:backport-0036-Add-kasp-test-for-3302.patch
Patch6074:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch
Patch6075:backport-0037-Don-t-process-DNSSEC-related-and-ZONEMD-records-in-c.patch
Patch6076:backport-0037-Require-valid-key-for-dst_key-functions.patch
Patch6077:backport-0038-Do-not-cancel-processing-record-datasets-in-catalog-.patch
Patch6078:backport-0039-corrected-the-opcode-param-to-opcode_totext.patch
Patch6079:backport-0040-make-the-fix-more-complete.patch
Patch6080:backport-0041-Gracefully-handle-uv_read_start-failures.patch
Patch6081:backport-0042-Fix-a-race-between-resolver-query-timeout-and-valida.patch
Patch6082:backport-0042-Remove-resolver.c-maybe_destroy.patch
Patch6083:backport-0043-Check-for-overflow-in-GENERATE-computations.patch
Patch6084:backport-0043-Tighten-GENERATE-directive-parsing.patch
Patch6085:backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch
Patch6086:backport-0045-Move-setting-the-sock-write_timeout-to-the-async_-se.patch

Patch9000:bugfix-limit-numbers-of-test-threads.patch

%{?systemd_ordering}
Requires:       coreutils
Requires:       shadow-utils
Requires:       glibc-common
Requires:       grep
Requires:       bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires:       systemd
# This wild require should satisfy %%selinux_set_boolean macro only
# in case it needs to be used
Requires: policycoreutils-python-utils libselinux-utils
Requires: selinux-policy selinux-policy-base libuv
Recommends:     bind-utils bind-dnssec-utils
BuildRequires:  gcc, make
BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
BuildRequires:  libidn2-devel, libxml2-devel
#BuildRequires:  systemd-rpm-macros
BuildRequires:  selinux-policy
# needed for %%{__python3} macro
BuildRequires:  python3-devel
BuildRequires:  python3-ply
BuildRequires:  findutils sed
BuildRequires:  libuv-devel
BuildRequires:  systemd
BuildRequires:  libnsl2
%if %{with DLZ}
BuildRequires:  openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-devel
%endif
%if %{with UNITTEST}
# make unit dependencies
BuildRequires:  libcmocka-devel kyua
%endif
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
BuildRequires:  softhsm
%endif
%if %{with SYSTEMTEST}
# bin/tests/system dependencies
BuildRequires:  perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
# manual configuration requires this tool
BuildRequires:  iproute
%endif
%if %{with GSSTSIG}
BuildRequires:  krb5-devel
%endif
%if %{with LMDB}
BuildRequires:  lmdb-devel
%endif
%if %{with JSON}
BuildRequires:  json-c-devel
%endif
%if %{with GEOIP2}
BuildRequires:  libmaxminddb-devel
%endif
%if %{with DNSTAP}
BuildRequires:  fstrm-devel protobuf-c-devel
%endif
# Needed to regenerate dig.1 manpage
%if %{with DOC}
BuildRequires:  python3-sphinx python3-sphinx_rtd_theme
BuildRequires:  doxygen
%endif
%if %{with DOCPDF}
# Because remaining issues with COPR, allow turning off PDF (re)generation
BuildRequires:  python3-sphinx-latex latexmk texlive-xetex texlive-xindy
%endif
%if %{with TSAN}
BuildRequires: libtsan
%endif

%description
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

%if %{with PKCS11}
%package pkcs11
Summary: Bind with native PKCS#11 functionality for crypto
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm

%description pkcs11
This is a version of BIND server built with native PKCS#11 functionality.
It is important to have SoftHSM v2+ installed and some token initialized.
For other supported HSM modules please check the BIND documentation.

%package pkcs11-utils
Summary: Bind tools with native PKCS#11 for using DNSSEC
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: bind-pkcs11 < 32:9.9.4-16.P2
Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}

%description pkcs11-utils
This is a set of PKCS#11 utilities that when used together create rsa
keys in a PKCS11 keystore. Also utilities for working with DNSSEC
compiled with native PKCS#11 functionality are included.

%package pkcs11-libs
Summary: Bind libraries compiled with native PKCS#11
Requires: bind-license = %{epoch}:%{version}-%{release}
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}

%description pkcs11-libs
This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
functionality.

%package pkcs11-devel
Summary: Development files for Bind libraries compiled with native PKCS#11
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: bind-devel%{?_isa} = %{epoch}:%{version}-%{release}

%description pkcs11-devel
This a set of development files for BIND libraries (dns, isc) compiled
with native PKCS#11 functionality.
%endif

%package libs
Summary: Libraries used by the BIND DNS packages
Requires: bind-license = %{epoch}:%{version}-%{release}
Provides: bind-libs-lite = %{epoch}:%{version}-%{release}
Obsoletes: bind-libs-lite < 32:9.16.13

%description libs
Contains heavyweight version of BIND suite libraries used by both named DNS
server and utilities in bind-utils package.

%package license
Summary:  License of the BIND DNS suite
BuildArch:noarch

%description license
Contains license of the BIND DNS suite.

%package utils
Summary: Utilities for querying DNS name servers
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
# For compatibility with Debian package
Provides: dnsutils = %{epoch}:%{version}-%{release}

%description utils
Bind-utils contains a collection of utilities for querying DNS (Domain
Name System) name servers to find out information about Internet
hosts. These tools will provide you with the IP addresses for given
host names, as well as other information about registered domains and
network addresses.

You should install bind-utils if you need to get information from DNS name
servers.

%package dnssec-utils
Summary: DNSSEC keys and zones management utilities
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: bind-utils
Requires: python3-bind = %{epoch}:%{version}-%{release}
Requires: bind-dnssec-doc = %{epoch}:%{version}-%{release}

%description dnssec-utils
Bind-dnssec-utils contains a collection of utilities for editing
DNSSEC keys and BIND zone files. These tools provide generation,
revocation and verification of keys and DNSSEC signatures in zone files.

You should install bind-dnssec-utils if you need to sign a DNS zone
or maintain keys for it.

%package dnssec-doc
Summary: Manual pages of DNSSEC utilities
Requires: bind-license = %{epoch}:%{version}-%{release}
BuildArch:noarch
Conflicts: %{name}-utils < %{epoch}:%{version}-%{release}

%description dnssec-doc
Bind-dnssec-doc contains manual pages for bind-dnssec-utils.

%package devel
Summary:  Header files and libraries needed for bind-dyndb-ldap
Provides: bind-lite-devel = %{epoch}:%{version}-%{release}
Obsoletes: bind-lite-devel < 32:9.16.6-3
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
Requires: libcap-devel%{?_isa}
%if %{with GSSTSIG}
Requires: krb5-devel%{?_isa}
%endif
%if %{with LMDB}
Requires: lmdb-devel%{?_isa}
%endif
%if %{with JSON}
Requires:  json-c-devel%{?_isa}
%endif
%if %{with DNSTAP}
Requires:  fstrm-devel%{?_isa} protobuf-c-devel%{?_isa}
%endif
%if %{with GEOIP2}
Requires:  libmaxminddb-devel%{?_isa}
%endif

%description devel
The bind-devel package contains full version of the header files and libraries
required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
bind libraries for third party applications.

%package chroot
Summary:        A chroot runtime environment for the ISC BIND DNS server, named(8)
Prefix:         %{chroot_prefix}
# grep is required due to setup-named-chroot.sh script
Requires:       grep
Requires:       bind%{?_isa} = %{epoch}:%{version}-%{release}

%description chroot
This package contains a tree of files which can be used as a
chroot(2) jail for the named(8) program from the BIND package.
Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>


%if %{with DLZ}
%package dlz-filesystem
Summary: BIND server filesystem DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}

%description dlz-filesystem
Dynamic Loadable Zones filesystem module for BIND server.

%package dlz-ldap
Summary: BIND server ldap DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}

%description dlz-ldap
Dynamic Loadable Zones LDAP module for BIND server.

%package dlz-mysql
Summary: BIND server mysql and mysqldyn DLZ modules
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3

%description dlz-mysql
Dynamic Loadable Zones MySQL module for BIND server.
Contains also mysqldyn module with dynamic DNS updates (DDNS) support.

%package dlz-sqlite3
Summary: BIND server sqlite3 DLZ module
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}

%description dlz-sqlite3
Dynamic Loadable Zones sqlite3 module for BIND server.
%endif


%package -n python3-bind
Summary:   A module allowing rndc commands to be sent from Python programs
Requires:  bind-license = %{epoch}:%{version}-%{release}
Requires:  python3 python3-ply %{?py3_dist:%py3_dist ply}
BuildArch: noarch
%{?python_provide:%python_provide python3-bind}
%{?python_provide:%python_provide python3-isc}

%description -n python3-bind
This package provides a module which allows commands to be sent to rndc directly from Python programs.

%if %{with DOC}
%package doc
Summary:   BIND 9 Administrator Reference Manual
Requires:  bind-license = %{epoch}:%{version}-%{release}
Requires:  python3-sphinx_rtd_theme
BuildArch: noarch

%description doc
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

This package contains BIND 9 Administrator Reference Manual
in HTML and PDF format.
%end

%endif

%prep
%autosetup -n %{name}-%{version} -N

# Common patches
%autopatch -p1 -m 10

%if %{with PKCS11}
%autopatch -p1 -m 1 -M 1
cp -r bin/named{,-pkcs11}
cp -r bin/dnssec{,-pkcs11}
cp -r lib/dns{,-pkcs11}
cp -r lib/ns{,-pkcs11}
%autopatch -p1 -m 2 -M 9
%endif

# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
for i in bin/named/{,unix}/Makefile.in; do
  sed -i 's|fpie|fPIE|g' $i
done
%endif

sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
:;


%build
## We use out of tree configure/build for export libs
%define _configure "../configure"

# normal and pkcs11 unit tests
%define unit_prepare_build() \
  cp -uv Kyuafile "%{1}/" \
  find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
  find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
  find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
  find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \

%define systemtest_prepare_build() \
  cp -Tuav bin/tests "%{1}/bin/tests/" \
  cp -uv version "%{1}" \

CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
%if %{with TSAN}
  CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
%endif
export CFLAGS
export STD_CDEFINES="$CPPFLAGS"


#sed -i -e \
#'s/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \
#version

libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f

mkdir build

%if %{with DLZ}
# DLZ modules do not support oot builds. Copy files into build
mkdir -p build/contrib/dlz
cp -frp contrib/dlz/modules build/contrib/dlz/modules
%endif

pushd build
LIBDIR_SUFFIX=
export LIBDIR_SUFFIX
%configure \
  --with-python=%{__python3} \
  --with-libtool \
  --localstatedir=%{_var} \
  --with-pic \
  --disable-static \
  --includedir=%{_includedir}/bind9 \
  --with-tuning=large \
  --with-libidn2 \
%if %{with GEOIP2}
  --with-maxminddb \
%endif
%if %{with PKCS11}
  --enable-native-pkcs11 \
  --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
%endif
  --with-dlopen=yes \
%if %{with GSSTSIG}
  --with-gssapi=yes \
%endif
%if %{with LMDB}
  --with-lmdb=yes \
%else
  --with-lmdb=no \
%endif
%if %{with JSON}
  --without-libjson --with-json-c \
%endif
%if %{with DNSTAP}
  --enable-dnstap \
%endif
%if %{with UNITTEST}
  --with-cmocka \
%endif
  --enable-fixed-rrset \
  --enable-full-report \
;
%if %{with DNSTAP}
  pushd lib
  SRCLIB="../../../lib"
  (cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
%if %{with PKCS11}
  (cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
%endif
  popd
%endif

%if %{with DOCPDF}
# avoid using home for pdf latex files
export TEXMFVAR="`pwd`"
export TEXMFCONFIG="`pwd`"
fmtutil-user --listcfg || :
fmtutil-user --missing || :
%endif

%make_build

# Regenerate dig.1 manpage
pushd bin/dig
make man
popd
pushd bin/python
make man
popd

%if %{with DOC}
  make doc
%endif

%if %{with DLZ}
  pushd contrib/dlz/modules
  for DIR in mysql mysqldyn; do
    sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
        -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
        $DIR/Makefile.in > $DIR/Makefile
  done
  for DIR in filesystem ldap mysql mysqldyn sqlite3; do
    make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
  done
  popd
%endif
popd # build

%unit_prepare_build build
%systemtest_prepare_build build

%check
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
  # Tests require initialization of pkcs11 token
  eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
%endif

%if %{with TSAN}
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
%endif

%if %{with UNITTEST}
  pushd build
  CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
  if [ "$CPUS" -gt 16 ]; then
    ORIGFILES=$(ulimit -n)
    ulimit -n 4096 || : # Requires on some machines with many cores
  fi
  export ISC_TASK_WORKERS=8
  make unit
  e=$?
  if [ "$e" -ne 0 ]; then
    echo "ERROR: this build of BIND failed 'make unit'. Aborting."
    exit $e;
  fi;

  [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
  popd
## End of UNITTEST
%endif

%if %{with SYSTEMTEST}
# Runs system test if ip addresses are already configured
# or it is able to configure them
if perl bin/tests/system/testsock.pl
then
  CONFIGURED=already
else
  CONFIGURED=
  sh bin/tests/system/ifconfig.sh up
  perl bin/tests/system/testsock.pl && CONFIGURED=build
fi
if [ -n "$CONFIGURED" ]
then
  set -e
  pushd build/bin/tests
  chown -R ${USER} . # Can be unknown user
  %make_build test 2>&1 | tee test.log
  e=$?
  popd
  [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
  if [ "$e" -ne 0 ]; then
    echo "ERROR: this build of BIND failed 'make test'. Aborting."
    exit $e;
  fi;
else
  echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.'
fi
%endif
:

%install
# Build directory hierarchy
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/{bind,named}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic}
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
mkdir -p ${RPM_BUILD_ROOT}/run/named
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log

#chroot
for D in %{chroot_create_directories}
do
  mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D}
done

# create symlink as it is on real filesystem
pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
ln -s ../run run
popd

# these are required to prevent them being erased during upgrade of previous
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf
#end chroot

pushd build
%make_install
popd
rpm -E %{_unitdir}

# Remove unwanted files
rm -f ${RPM_BUILD_ROOT}/etc/bind.keys

# Systemd unit files
mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}

%if %{with PKCS11}
install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
%else
# Not packaged without PKCS11
find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \
  -name '*.h' \! -name site.h -delete

%endif

mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh

%if %{with PKCS11}
install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
%endif

install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files

%if %{with DLZ}
  pushd build
  pushd contrib/dlz/modules
  for DIR in filesystem ldap mysql mysqldyn sqlite3; do
    %make_install -C $DIR libdir=%{_libdir}/named
  done
  pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind
    cp -s ../named/dlz_*.so .
  popd
  mkdir -p doc/{mysql,mysqldyn}
  cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
  cp -p mysqldyn/testing/* doc/mysqldyn
  cp -p mysql/testing/* doc/mysql
  popd
  popd
%endif

# Install isc/errno2result.h header
install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc

# Remove libtool .la files:
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';

# PKCS11 versions manpages
%if %{with PKCS11}
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s named.8.gz named-pkcs11.8.gz
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
popd
%endif

# 9.16.4 installs even manual pages for tools not generated
%if %{without DNSTAP}
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
%endif
%if %{without LMDB}
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
%endif

pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s ddns-confgen.8.gz tsig-keygen.8.gz
ln -s named-checkzone.8.gz named-compilezone.8.gz
popd

%if %{with DOC}
mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
# Backward compatible link to 9.11 documentation
(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
# Share static data from original sphinx package
for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
do
  BASE=$(basename -- "$DIR")
  BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE"
  if [ -d "$BINDTHEMEDIR" ]; then
    rm -rf "$BINDTHEMEDIR"
    ln -s "$DIR" "$BINDTHEMEDIR"
  fi
done
%endif
%if %{with DOCPDF}
cp -a build/doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
%endif

# Ghost config files:
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log

# configuration files:
install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named

# data files:
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones

# sample bind configuration files for %%doc:
mkdir -p sample/etc sample/var/named/{data,slaves}
install -m 644 %{SOURCE25} sample/etc/named.conf
# Copy default configuration to %%doc to make it usable from system-config-bind
install -m 644 %{SOURCE16} named.conf.default
install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20}  sample/var/named
install -m 644 %{SOURCE17} sample/var/named/named.ca
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do 
  echo '@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.' > sample/var/named/$f; 
done
:;

mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf

mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named

%pre
if [ "$1" -eq 1 ]; then
  /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
  /usr/sbin/useradd  -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
fi;
:;

%post
%?ldconfig
if [ -e "%{_sysconfdir}/selinux/config" ]; then
  %selinux_set_booleans -s targeted %{selinuxbooleans}
  %selinux_set_booleans -s mls %{selinuxbooleans}
fi
if [ "$1" -eq 1 ]; then
  # Initial installation
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
  # rndc.key has to have correct perms and ownership, CVE-2007-6283
  [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
  [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else
  # Upgrade, use invalid shell
  if getent passwd named | grep ':/bin/false$' >/dev/null; then
    /sbin/usermod -s /sbin/nologin named
  fi
  # Checkconf will parse out comments
  if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
  then
    echo "Replacing obsolete named.iscdlv.key with named.root.key..."
    if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
      sed -e 's/named\.iscdlv\.key/named.root.key/' \
        /etc/named.conf.rpmbackup > /etc/named.conf || \
      mv /etc/named.conf.rpmbackup /etc/named.conf
    fi
  fi
fi
%systemd_post named.service
:;

%preun
# Package removal, not upgrade
%systemd_preun named.service

%postun
%?ldconfig
# Package upgrade, not uninstall
%systemd_postun_with_restart named.service
if [ -e "%{_sysconfdir}/selinux/config" ]; then
  %selinux_unset_booleans -s targeted %{selinuxbooleans}
  %selinux_unset_booleans -s mls %{selinuxbooleans}
fi

%if %{with PKCS11}
%post pkcs11
# Initial installation
%systemd_post named-pkcs11.service

%preun pkcs11
# Package removal, not upgrade
%systemd_preun named-pkcs11.service

%postun pkcs11
# Package upgrade, not uninstall
%systemd_postun_with_restart named-pkcs11.service
%endif

# Fix permissions on existing device files on upgrade
%define chroot_fix_devices() \
if [ $1 -gt 1 ]; then \
  for DEV in "%{1}/dev"/{null,random,zero}; do \
    if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \
    then \
      /bin/chmod 0664 "$DEV" \
      /bin/chgrp named "$DEV" \
    fi \
  done \
fi

%triggerun -- bind < 32:9.9.0-0.6.rc1
/sbin/chkconfig --del named >/dev/null 2>&1 || :
/bin/systemctl try-restart named.service >/dev/null 2>&1 || :

%ldconfig_scriptlets libs

%if %{with PKCS11}
%ldconfig_scriptlets pkcs11-libs
%endif

%post chroot
%systemd_post named-chroot.service
%chroot_fix_devices %{chroot_prefix}
:;

%posttrans chroot
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
fi;

%preun chroot
# wait for stop of both named-chroot and named-chroot-setup services
# on uninstall
%systemd_preun named-chroot.service named-chroot-setup.service
:;

%postun chroot
# Package upgrade, not uninstall
%systemd_postun_with_restart named-chroot.service


%files
%dir %{_libdir}/bind
%dir %{_libdir}/named
%{_libdir}/named/*.so
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
%config(noreplace) %{_sysconfdir}/logrotate.d/named
%{_tmpfilesdir}/named.conf
%{_sysconfdir}/rwtab.d/named
%{_unitdir}/named.service
%{_unitdir}/named-setup-rndc.service
%{_sbindir}/named-journalprint
%{_sbindir}/named-checkconf
%{_bindir}/named-rrchecker
%{_bindir}/mdig
%{_sbindir}/named
%{_sbindir}/rndc*
%{_libexecdir}/generate-rndc-key.sh
%{_mandir}/man1/mdig.1*
%{_mandir}/man1/named-rrchecker.1*
%{_mandir}/man5/named.conf.5*
%{_mandir}/man5/rndc.conf.5*
%{_mandir}/man8/rndc.8*
%{_mandir}/man8/named.8*
%{_mandir}/man8/named-checkconf.8*
%{_mandir}/man8/rndc-confgen.8*
%{_mandir}/man8/named-journalprint.8*
%{_mandir}/man8/filter-aaaa.8.gz
%doc CHANGES README named.conf.default
%doc sample/

# Hide configuration
%defattr(0640,root,named,0750)
%dir %{_sysconfdir}/named
%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
%defattr(0660,root,named,01770)
%dir %{_localstatedir}/named
%defattr(0660,named,named,0770)
%dir %{_localstatedir}/named/slaves
%dir %{_localstatedir}/named/data
%dir %{_localstatedir}/named/dynamic
%ghost %{_localstatedir}/log/named.log
%defattr(0640,root,named,0750)
%config %verify(not link) %{_localstatedir}/named/named.ca
%config %verify(not link) %{_localstatedir}/named/named.localhost
%config %verify(not link) %{_localstatedir}/named/named.loopback
%config %verify(not link) %{_localstatedir}/named/named.empty
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
# ^- rndc.key now created on first install only if it does not exist
%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
#    so rndc.conf is not necessary.
%defattr(-,named,named,-)
%dir /run/named

%files libs
%{_libdir}/libbind9-%{version}*.so
%{_libdir}/libisccc-%{version}*.so
%{_libdir}/libns-%{version}*.so
%{_libdir}/libdns-%{version}*.so
%{_libdir}/libirs-%{version}*.so
%{_libdir}/libisc-%{version}*.so
%{_libdir}/libisccfg-%{version}*.so

%files license
%{!?_licensedir:%global license %%doc}
%license COPYRIGHT

%files utils
%{_bindir}/dig
%{_bindir}/delv
%{_bindir}/host
%{_bindir}/nslookup
%{_bindir}/nsupdate
%{_bindir}/arpaname
%{_sbindir}/ddns-confgen
%{_sbindir}/tsig-keygen
%{_sbindir}/nsec3hash
%{_sbindir}/named-checkzone
%{_sbindir}/named-compilezone
%if %{with DNSTAP}
%{_bindir}/dnstap-read
%{_mandir}/man1/dnstap-read.1*
%endif
%if %{with LMDB}
%{_sbindir}/named-nzd2nzf
%{_mandir}/man8/named-nzd2nzf.8*
%endif
%{_mandir}/man1/host.1*
%{_mandir}/man1/nsupdate.1*
%{_mandir}/man1/dig.1*
%{_mandir}/man1/delv.1*
%{_mandir}/man1/nslookup.1*
%{_mandir}/man1/arpaname.1*
%{_mandir}/man8/ddns-confgen.8*
%{_mandir}/man8/tsig-keygen.8*
%{_mandir}/man8/nsec3hash.8*
%{_mandir}/man8/named-checkzone.8*
%{_mandir}/man8/named-compilezone.8*
%{_sysconfdir}/trusted-key.key

%files dnssec-utils
%{_sbindir}/dnssec*
%if %{with PKCS11}
%exclude %{_sbindir}/dnssec*pkcs11
%endif

%files dnssec-doc
%{_mandir}/man8/dnssec*.8*
%if %{with PKCS11}
%exclude %{_mandir}/man8/dnssec*-pkcs11.8*
%endif

%files devel
%{_libdir}/libbind9.so
%{_libdir}/libisccc.so
%{_libdir}/libns.so
%{_libdir}/libdns.so
%{_libdir}/libirs.so
%{_libdir}/libisc.so
%{_libdir}/libisccfg.so
%dir %{_includedir}/bind9
%{_includedir}/bind9/bind9
%{_includedir}/bind9/isccc
%{_includedir}/bind9/ns
%{_includedir}/bind9/dns
%{_includedir}/bind9/dst
%{_includedir}/bind9/irs
%{_includedir}/bind9/isc
%dir %{_includedir}/bind9/pk11
%{_includedir}/bind9/pk11/site.h
%{_includedir}/bind9/isccfg

%files chroot
%config(noreplace) %{_sysconfdir}/named-chroot.files
%{_unitdir}/named-chroot.service
%{_unitdir}/named-chroot-setup.service
%{_libexecdir}/setup-named-chroot.sh
%defattr(0664,root,named,-)
%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom
%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
%defattr(0640,root,named,0750)
%dir %{chroot_prefix}
%dir %{chroot_prefix}/dev
%dir %{chroot_prefix}%{_sysconfdir}
%dir %{chroot_prefix}%{_sysconfdir}/named
%dir %{chroot_prefix}%{_sysconfdir}/pki
%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
%dir %{chroot_prefix}%{_localstatedir}
%dir %{chroot_prefix}/run
%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
%defattr(-,root,root,-)
%dir %{chroot_prefix}/usr
%dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind
%dir %{chroot_prefix}/%{_datadir}/GeoIP
%{chroot_prefix}/proc
%defattr(0660,root,named,01770)
%dir %{chroot_prefix}%{_localstatedir}/named
%defattr(0660,named,named,0770)
%dir %{chroot_prefix}%{_localstatedir}/tmp
%dir %{chroot_prefix}%{_localstatedir}/log
%defattr(-,named,named,-)
%dir %{chroot_prefix}/run/named
%{chroot_prefix}%{_localstatedir}/run

%if %{with PKCS11}
%files pkcs11
%{_sbindir}/named-pkcs11
%{_unitdir}/named-pkcs11.service
%{_mandir}/man8/named-pkcs11.8*
%{_libexecdir}/setup-named-softhsm.sh

%files pkcs11-utils
%{_sbindir}/dnssec*pkcs11
%{_sbindir}/pkcs11-destroy
%{_sbindir}/pkcs11-keygen
%{_sbindir}/pkcs11-list
%{_sbindir}/pkcs11-tokens
%{_mandir}/man8/pkcs11*.8*
%{_mandir}/man8/dnssec*-pkcs11.8*

%files pkcs11-libs
%{_libdir}/libdns-pkcs11-%{version}*.so
%{_libdir}/libns-pkcs11-%{version}*.so

%files pkcs11-devel
%{_includedir}/bind9/pk11/*.h
%exclude %{_includedir}/bind9/pk11/site.h
%{_includedir}/bind9/pkcs11
%{_libdir}/libdns-pkcs11.so
%{_libdir}/libns-pkcs11.so
%endif

%if %{with DLZ}
%files dlz-filesystem
%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so

%files dlz-mysql
%{_libdir}/{named,bind}/dlz_mysql_dynamic.so
%doc build/contrib/dlz/modules/doc/mysql
%{_libdir}/{named,bind}/dlz_mysqldyn_mod.so
%doc build/contrib/dlz/modules/doc/mysqldyn

%files dlz-ldap
%{_libdir}/{named,bind}/dlz_ldap_dynamic.so
%doc contrib/dlz/modules/ldap/testing/*

%files dlz-sqlite3
%{_libdir}/{named,bind}/dlz_sqlite3_dynamic.so
%doc contrib/dlz/modules/sqlite3/testing/*

%endif

%files -n python3-bind
%{python3_sitelib}/*.egg-info
%{python3_sitelib}/isc/

%if %{with DOC}
%files doc
%dir %{_pkgdocdir}
%doc %{_pkgdocdir}/Bv9ARM.html
%doc %{_pkgdocdir}/html
%endif
%if %{with DOCPDF}
%doc %{_pkgdocdir}/Bv9ARM.pdf
%endif

%changelog
* Sat Nov 26 2022 jiangheng <jiangheng14@huawei.com> - 32:9.16.23-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: backport some patches from community

* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: Fix catalog zone reconfiguration crash
Improve the logging on failed TCP accept
Separate the locked parts of dns_zone_catz_enable-di
Check if key-metadata is modified before writing
Fix CID-352776 Concurrent data access violations
Require valid key for dst_key functions

* Wed Sep 28 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-10
- DESC: fix CVE-2022-2795 CVE-2022-38177 CVE-2022-38178
CVE-2022-3080 CVE-2022-2906 CVE-2022-2881

* Wed Aug 31 2022 yangchenguang <yangchenguang@uniontech.com> - 32:9.16.23-9
- DESC: fix downgrade bind-utils conflict bind-dnssec-doc

* Mon Aug 01 2022 jiangheng<jiangheng14@huawei.com> - 32:9.16.23-8
- Type:bugfix
- CVE:
- SUG:NA
- DESC:update version number to maximum and keep it same as 22.03

* Mon Jul 25 2022 jiangheng<jiangheng14@huawei.com> - 32:9.16.23-6
- Type:bugfix
- CVE:
- SUG:NA
- DESC:add missing dependencies
       remove geopip-directory in named.conf

* Mon Jun 13 2022 jiangheng<jiangheng14@huawei.com> - 9.16.23-5
- Type:bugfix
- CVE:
- SUG:NA
- DESC:fix test cases timeout

* Thu Mar 31 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-4
- Type:bugfix
- CVE:
- SUG:NA
- DESC:add bind.yaml to master branch

* Wed Mar 30 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-3
- Type:CVE
- CVE:CVE-2021-25220
- SUG:NA
- DESC:fix CVE-2021-25220

* Wed Mar 30 2022 jiangheng<jiangheng12@huawei.com> - 9.16.23-2
- Type:CVE
- CVE:CVE-2022-0396
- SUG:NA
- DESC:fix CVE-2022-0396

* Thu Dec 02 2021 jiangheng<jiangheng12@huawei.com> - 9.16.23-1
- DESC:update to 9.16.23

* Wed Nov 17 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h9
- Type:CVE
- CVE:CVE-2021-25219
- SUG:NA
- DESC:fix CVE-2021-25219

* Wed Nov 03 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h8
- Type:CVE
- CVE:CVE-2021-25219
- SUG:NA
- DESC:fix CVE-2021-25219

* Tue Aug 03 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:give zspill its own lock
       fix tasan error
       fix data race
       Correctly encode LOC records with non integer negative
       isc_ratelimiter needs to hold a reference to its task
       dig +bufsize=0 failed to disable EDNS as a side effect
       Lock access to ctx->blocked as it is updated by multiple threads
       Only read dns_master_indent and dns_master_indentstr in named
       Defer read of zl->server and zl->reconfig
       Break lock order loop by sending TAT in an event
       Handle DNS_R_NCACHENXRRSET in fetch_callback_{dnskey,validator}()
       Unload a zone if a transfer breaks its SOA record
       Address inconsistencies in checking added RRsets
       dns_rdata_tostruct() should reject rdata with DNS_RDATA_UPDATE set

* Fri Jun 04 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h6
- Type:bugfix
- CVE:
- SUG:NA
- DESC:set print-time default to yes

* Wed May 19 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h5
- Type:CVE
- CVE:CVE-2021-25214 CVE-2021-25215
- SUG:NA
- DESC:fix CVE-2021-25214 CVE-2021-25215

* Mon Apr 26 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix no response when execute rndc addzone command

* Mon Apr 12 2021 zhujunhao<zhujunhao8@huawei.com> - 9.11.21-4.h3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:remove GeoIP and libdb

* Mon Apr 12 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h2
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix the upgrade installtion failure

* Wed Apr 07 2021 jiangheng<jiangheng12@huawei.com> - 9.11.21-4.h1
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:update version to 9.11.21-4.h1

* Wed Mar 10 2021 zhouyihang<zhouyihang3@huawei.com> - 9.11.4-17.h11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:set geoip-use-ecs default to no

* Tue Mar 09 2021 yuboyun<yuboyun@huawei.com> - 9.11.4-17.h10
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:free rbuf 
       mempool didn t work for sizes less than sizeof void 
       Reset dig exit code after a TCP connection is establ 
       Prevent a race after zone load 
       Fix isc_buffer_copyregion for auto reallocated buffe 
       free tmpzonename and restart_master 
       errors initalizing badcaches were not caught or clea 
       set freed pointers to NULL 
       cleanup allocated memory on error 
       Fix a small memleak in delv 
       pass the correct object to cfg_obj_log 
       Try to fix crash at sigchase topdown 
       Do not fail on NULL passed to OpenSSL_free 
       error out if there are extra command line options 
       correct errno to result translation 
       properly detect period as last character in filename 
       fail if ctime output is truncted 
       Fix a race in fctx_cancelquery 
       add missing MAYBE_UNLOCK 
       Fix race in unix socket code when closing a socket t 
       fix Ed448 length values for precomputed ASN.1 prefix 
       don t overwrite the dns_master_loadfile result befor 
       address NULL pointer dereferences 
       address potential NULL pointer dereference 
       Prevent query loops for misbehaving servers 
       Lock di  manager buffer_lock before accessing b 
       Request exclusive access when crashing via fatal 
       Assign fctx client when fctx is created rather when  
       lock access to fctx nqueries 
       acquire task lock before calling push_readyq for tas 
       Call dns_dbiterator_destroy earlier to prevent poten 
       Handle catopen errors 
       Fixed crash when querying for non existing domain in 
       Fixed rebinding protection bug when using forwarder  
       initialize sockaddrdscp to prevent spurious output f 
       Lock access to answer to silence TSAN 
       Fix a data access race in resolver 
       Address race between zone_maintenance and dns_zone_s 
       rbtdb cleanup_dead_nodes should ignore alive nodes o 
       make sure new_zone_lock is locked before unlocking i 
       Prevent crash on dst initialization failure 
       IPSECKEY require non zero length public keys 
       NSEC3PARAM check that saltlen is consistent with the 
       A6 return FORMERR in fromwire if bits are non zero 
       Cast the original rcode to dns_ttl_t when setting ex 
       Lock on msg SELECT_POKE_CLOSE as it triggers a tsan  
       Lock access when updating reading manager epoll_even 
       Take complete ownership of aclp before calling destr 
       Take complete ownership of validatorp before calling 
       Address lock order inversion 
       It appears that you can t change what you are pollin 
       counter used was read without the lock being held 
       Missing locks in ns_lwresd_shutdown 
       Use atomics to update counters 
       Obtain a lock on the quota structure 
       The node lock was released too early 
       Address lock order inversion between the keytable an 
       Pause dbiterator to release rwlock to prevent lock o 
       Address lock order reversals when shutting down a vi 
       Hold qid lock when calling deref_portentry as 
       Lock zone before calling zone_namerd_tostr 
       Address TSAN error between dns_rbt_findnode and subt 
       Address data race in dns_stats_detach over reference 
       Lock check of DNS_ZONEFLG_EXITING flag 

* Mon Feb 22 2021 zhouyihang<zhouyihang3@huawei.com> - 9.11.4-17.h9
- Type:CVE
- CVE:CVE-2020-8625
- SUG:NA
- DESC:fix CVE-2020-8625

* Mon Jan 4 2021 zhouyihang<zhouyihang3@huawei.com> - 9.11.4-17.h8
- Type:CVE
- CVE:CVE-2020-8619
- SUG:NA
- DESC:fix CVE-2020-8619

* Mon Dec 21 2020 xihaochen<xihaochen@huawei.com> - 9.11.4-17.h7
- Type:CVE
- CVE:CVE-2020-8624
- SUG:NA
- DESC:fix CVE-2020-8624

* Wed Dec 02 2020 yuboyun<yuboyun@huawei.com> - 9.11.4-17.h6
- Type:bugfix
- CVE:NA
- SUG:restart
- DESC:fix the difference at the macro definition using clock gettime instead of gettimeofday

* Wed Nov 18 2020 yuboyun<yuboyun@huawei.com> - 9.11.4-17.h5
- Type:CVE
- CVE:CVE-2020-8623
- SUG:restart
- DESC:fix CVE-2020-8623

* Tue Sep 22 2020 yuboyun<yuboyun@huawei.com> - 9.11.4-17.h4
- Type:CVE
- CVE:CVE-2020-8622
- SUG:NA
- DESC:add %patch6032 -p1 to fix CVE-2020-8622

* Wed Sep 16 2020 yuboyun<yuboyun@huawei.com> - 9.11.4-17.h3
- Type:CVE
- CVE:CVE-2020-8622
- SUG:restart
- DESC:fix CVE-2020-8622

* Tue Jun 09 2020 gaihuiying<gaihuiying1@huawei.com> - 9.11.4-17.h2
- Type:cves
- ID:CVE-2018-5744 CVE-2019-6467 CVE-2019-6471 CVE-2019-6477
- SUG:restart
- DESC:backport patch to fix CVE-2018-5744 CVE-2019-6467 CVE-2019-6471 CVE-2019-6477

* Thu May 28 2020 gaihuiying<gaihuiying1@huawei.com> - 9.11.4-17.h1
- Type:cves
- ID:CVE-2020-8616 CVE-2020-8617
- SUG:restart
- DESC:backport patch to fix CVE-2020-8616 CVE-2020-8617

* Tue Mar 31 2020 liaichun<liaichun@huawei.com> - 9.11.4-17
- Type:bugfix
- ID:NA
- SUG:restart
- DESC: modify named.root.key permissions from 600 to 644

* Thu Mar 26 2020 liaichun<liaichun@huawei.com> - 9.11.4-16
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:fix  named service hangs and crashes

* Sat Mar 21 2020 liaichun<liaichun@huawei.com> - 9.11.4-15
- Type:bugfix
- ID:NA
- SUG:NA
- DESC: modify key file permissions from 644 to 600

* Fri Mar 20 2020 wangli<wangli221@huawei.com> - 9.11.4-14
- Type:bugfix
- ID:NA
- SUG:restart
- DESC:Reenable crypto rand for DHCP, disable just entropy check

* Thu Mar 19 2020 songnannan <songnannan2@huawei.com> - 9.11.4-13
- add gdb in buildrequires

* Sat Dec 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 9.11.4-12
- Package init