!144 同步上游社区补丁

From: @jiangheng12 
Reviewed-by: @kircher 
Signed-off-by: @kircher

backport-0002-Fix-catalog-zone-reconfiguration-crash.patch

@@ -0,0 +1,119 @@
+From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Mon, 11 Oct 2021 18:13:39 +0000
+Subject: [PATCH] Fix catalog zone reconfiguration crash
+
+The following scenario triggers a "named" crash:
+
+1. Configure a catalog zone.
+2. Start "named".
+3. Comment out the "catalog-zone" clause.
+4. Run `rndc reconfig`.
+5. Uncomment the "catalog-zone" clause.
+6. Run `rndc reconfig` again.
+
+Implement the required cleanup of the in-memory catalog zone during
+the first `rndc reconfig`, so that the second `rndc reconfig` could
+find it in an expected state.
+
+(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda)
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a
+---
+ bin/named/server.c          |  2 ++
+ lib/dns/include/dns/zone.h  | 20 ++++++++++++++++++++
+ lib/dns/win32/libdns.def.in |  2 ++
+ lib/dns/zone.c              | 18 ++++++++++++++++++
+ 4 files changed, 42 insertions(+)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 860ccae8a1..9c0f12f63f 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
+ 
+ 	if (zone_is_catz) {
+ 		dns_zone_catz_enable(zone, view->catzs);
++	} else if (dns_zone_catz_is_enabled(zone)) {
++		dns_zone_catz_disable(zone);
+ 	}
+ 
+ 	/*
+diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
+index 08e2263c5b..33ab5c60fd 100644
+--- a/lib/dns/include/dns/zone.h
++++ b/lib/dns/include/dns/zone.h
+@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+  * \li	prior to calling, zone->catzs is NULL or is equal to 'catzs'
+  */
+ 
++void
++dns_zone_catz_disable(dns_zone_t *zone);
++/*%<
++ * Disable zone as catalog zone, if it is one.
++ *
++ * Requires:
++ *
++ * \li	'zone' is a valid zone object
++ */
++
++bool
++dns_zone_catz_is_enabled(dns_zone_t *zone);
++/*%<
++ * Return a boolean indicating whether the zone is enabled as catalog zone.
++ *
++ * Requires:
++ *
++ * \li	'zone' is a valid zone object
++ */
++
+ void
+ dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
+ /*%<
+diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
+index 31f511103f..1e0f7cf64a 100644
+--- a/lib/dns/win32/libdns.def.in
++++ b/lib/dns/win32/libdns.def.in
+@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown
+ dns_zone_addnsec3chain
+ dns_zone_asyncload
+ dns_zone_attach
++dns_zone_catz_disable
+ dns_zone_catz_enable
+ dns_zone_catz_enable_db
++dns_zone_catz_is_enabled
+ dns_zone_cdscheck
+ dns_zone_checknames
+ dns_zone_clearforwardacl
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 65a3aacab7..bc33e6ede8 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+ 	UNLOCK_ZONE(zone);
+ }
+ 
++void
++dns_zone_catz_disable(dns_zone_t *zone) {
++	REQUIRE(DNS_ZONE_VALID(zone));
++
++	LOCK_ZONE(zone);
++	if (zone->catzs != NULL) {
++		dns_catz_catzs_detach(&zone->catzs);
++	}
++	UNLOCK_ZONE(zone);
++}
++
++bool
++dns_zone_catz_is_enabled(dns_zone_t *zone) {
++	REQUIRE(DNS_ZONE_VALID(zone));
++
++	return (zone->catzs != NULL);
++}
++
+ /*
+  * If a zone is a catalog zone, attach it to update notification in database.
+  */
+-- 
+2.27.0
+

backport-0003-Improve-the-logging-on-failed-TCP-accept.patch

@@ -0,0 +1,162 @@
+From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Wed, 1 Dec 2021 17:41:20 +0100
+Subject: [PATCH] Improve the logging on failed TCP accept
+
+Previously, when TCP accept failed, we have logged a message with
+ISC_LOG_ERROR level.  One common case, how this could happen is that the
+client hits TCP client quota and is put on hold and when resumed, the
+client has already given up and closed the TCP connection.  In such
+case, the named would log:
+
+    TCP connection failed: socket is not connected
+
+This message was quite confusing because it actually doesn't say that
+it's related to the accepting the TCP connection and also it logs
+everything on the ISC_LOG_ERROR level.
+
+Change the log message to "Accepting TCP connection failed" and for
+specific error states lower the severity of the log message to
+ISC_LOG_INFO.
+
+(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845)
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6
+---
+ lib/isc/netmgr/netmgr-int.h |  3 +++
+ lib/isc/netmgr/netmgr.c     | 27 +++++++++++++++++++++++++++
+ lib/isc/netmgr/tcp.c        | 20 ++------------------
+ lib/isc/netmgr/tcpdns.c     | 22 ++--------------------
+ 4 files changed, 34 insertions(+), 38 deletions(-)
+
+diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
+index f7b54f9..b4299d5 100644
+--- a/lib/isc/netmgr/netmgr-int.h
++++ b/lib/isc/netmgr/netmgr-int.h
+@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async);
+ void
+ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+
++void
++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
++
+ #define STREAM_CLIENTS_PER_CONN 23
+diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
+index 3283eb6e4f..54042a9123 100644
+--- a/lib/isc/netmgr/netmgr.c
++++ b/lib/isc/netmgr/netmgr.c
+@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) {
+ 	}
+ }
+ 
++void
++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
++	int level;
++
++	switch (result) {
++	case ISC_R_SUCCESS:
++	case ISC_R_NOCONN:
++		return;
++	case ISC_R_QUOTA:
++	case ISC_R_SOFTQUOTA:
++		if (!can_log_quota) {
++			return;
++		}
++		level = ISC_LOG_INFO;
++		break;
++	case ISC_R_NOTCONNECTED:
++		level = ISC_LOG_INFO;
++		break;
++	default:
++		level = ISC_LOG_ERROR;
++	}
++
++	isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
++		      level, "Accepting TCP connection failed: %s",
++		      isc_result_totext(result));
++}
++
+ static void
+ isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
+ 	isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
+diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
+index 5cca9f5214..1b5e80d3a7 100644
+--- a/lib/isc/netmgr/tcp.c
++++ b/lib/isc/netmgr/tcp.c
+@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) {
+ 
+ 	result = accept_connection(ssock, quota);
+ done:
+-	if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
+-		if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
+-		    can_log_tcp_quota()) {
+-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+-				      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+-				      "TCP connection failed: %s",
+-				      isc_result_totext(result));
+-		}
+-	}
++	isc__nm_accept_connection_log(result, can_log_tcp_quota());
+ }
+ 
+ void
+@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
+ 	REQUIRE(sock->tid == isc_nm_tid());
+ 
+ 	result = accept_connection(sock, ievent->quota);
+-	if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
+-		if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
+-		    can_log_tcp_quota()) {
+-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+-				      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+-				      "TCP connection failed: %s",
+-				      isc_result_totext(result));
+-		}
+-	}
++	isc__nm_accept_connection_log(result, can_log_tcp_quota());
+ }
+ 
+ static isc_result_t
+diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
+index 188790c8b4..b76dcbc66c 100644
+--- a/lib/isc/netmgr/tcpdns.c
++++ b/lib/isc/netmgr/tcpdns.c
+@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) {
+ 
+ 	result = accept_connection(ssock, quota);
+ done:
+-	if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
+-		if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
+-		    can_log_tcpdns_quota())
+-		{
+-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+-				      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+-				      "TCP connection failed: %s",
+-				      isc_result_totext(result));
+-		}
+-	}
++	isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
+ }
+ 
+ void
+@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
+ 	REQUIRE(ievent->sock->tid == isc_nm_tid());
+ 
+ 	result = accept_connection(ievent->sock, ievent->quota);
+-	if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
+-		if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
+-		    can_log_tcpdns_quota())
+-		{
+-			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+-				      ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
+-				      "TCP connection failed: %s",
+-				      isc_result_totext(result));
+-		}
+-	}
++	isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
+ }
+ 
+ static isc_result_t
+-- 
+2.27.0
+

backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch

@@ -0,0 +1,85 @@
+From 885e44650b547cff88095d01769e303474582612 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Wed, 5 Jan 2022 09:38:36 +0000
+Subject: [PATCH] Separate the locked parts of dns_zone_catz_enable/disable
+ functions
+
+Separate the locked parts of dns_zone_catz_enable() and
+dns_zone_catz_disable() functions into static functions.  This will
+let us perform those tasks from the other parts of the module while
+the zone is locked, avoiding one pair of additional unlocking and
+locking operations.
+
+(cherry picked from commit 6b937ed5f67a13cf6ad6249380073a6e647d7897)
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/885e44650b547cff88095d01769e303474582612
+---
+ lib/dns/zone.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 2faf12519e..9205271574 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -871,6 +871,10 @@ static inline void
+ zone_attachdb(dns_zone_t *zone, dns_db_t *db);
+ static inline void
+ zone_detachdb(dns_zone_t *zone);
++static void
++zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
++static void
++zone_catz_disable(dns_zone_t *zone);
+ static isc_result_t
+ default_journal(dns_zone_t *zone);
+ static void
+@@ -1930,28 +1934,42 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
+ 					     zone->rpzs->zones[zone->rpz_num]);
+ }
+ 
+-void
+-dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
++static void
++zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+ 	REQUIRE(DNS_ZONE_VALID(zone));
+ 	REQUIRE(catzs != NULL);
+ 
+-	LOCK_ZONE(zone);
+ 	INSIST(zone->catzs == NULL || zone->catzs == catzs);
+ 	dns_catz_catzs_set_view(catzs, zone->view);
+ 	if (zone->catzs == NULL) {
+ 		dns_catz_catzs_attach(catzs, &zone->catzs);
+ 	}
+-	UNLOCK_ZONE(zone);
+ }
+ 
+ void
+-dns_zone_catz_disable(dns_zone_t *zone) {
++dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+ 	REQUIRE(DNS_ZONE_VALID(zone));
+ 
+ 	LOCK_ZONE(zone);
++	zone_catz_enable(zone, catzs);
++	UNLOCK_ZONE(zone);
++}
++
++static void
++zone_catz_disable(dns_zone_t *zone) {
++	REQUIRE(DNS_ZONE_VALID(zone));
++
+ 	if (zone->catzs != NULL) {
+ 		dns_catz_catzs_detach(&zone->catzs);
+ 	}
++}
++
++void
++dns_zone_catz_disable(dns_zone_t *zone) {
++	REQUIRE(DNS_ZONE_VALID(zone));
++
++	LOCK_ZONE(zone);
++	zone_catz_disable(zone);
+ 	UNLOCK_ZONE(zone);
+ }
+ 
+-- 
+2.27.0
+

backport-0036-Check-if-key-metadata-is-modified-before-writing.patch

@@ -0,0 +1,235 @@
+From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Tue, 3 May 2022 12:28:31 +0200
+Subject: [PATCH] Check if key metadata is modified before writing
+
+Add a new parameter to the dst_key structure, mark a key modified if
+dst_key_(un)set[bool,num,state,time] is called. Only write out key
+files during a keymgr run if the metadata has changed.
+
+(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f)
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3
+---
+ lib/dns/dst_api.c         | 26 ++++++++++++++++++++++++++
+ lib/dns/dst_internal.h    |  1 +
+ lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++
+ lib/dns/keymgr.c          | 17 ++++++++++++++++-
+ 4 files changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
+index ab371330f0..8873a041b8 100644
+--- a/lib/dns/dst_api.c
++++ b/lib/dns/dst_api.c
+@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) {
+ 	return (key->external);
+ }
+ 
++void
++dst_key_setmodified(dst_key_t *key, bool value) {
++	key->modified = value;
++}
++
++bool
++dst_key_ismodified(dst_key_t *key) {
++	return (key->modified);
++}
++
+ isc_result_t
+ dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
+ 		    int type, const char *directory, isc_mem_t *mctx,
+@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
+ 	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+ 	{
+ 		RETERR(computeid(pubkey));
++		pubkey->modified = false;
+ 		*keyp = pubkey;
+ 		pubkey = NULL;
+ 		goto out;
+@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
+ 		RETERR(DST_R_INVALIDPRIVATEKEY);
+ 	}
+ 
++	key->modified = false;
+ 	*keyp = key;
+ 	key = NULL;
+ 
+@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) {
+ 	REQUIRE(type <= DST_MAX_BOOLEAN);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || !key->boolset[type] ||
++			key->bools[type] != value;
+ 	key->bools[type] = value;
+ 	key->boolset[type] = true;
+ 	isc_mutex_unlock(&key->mdlock);
+@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) {
+ 	REQUIRE(type <= DST_MAX_BOOLEAN);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || key->boolset[type];
+ 	key->boolset[type] = false;
+ 	isc_mutex_unlock(&key->mdlock);
+ }
+@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) {
+ 	REQUIRE(type <= DST_MAX_NUMERIC);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || !key->numset[type] ||
++			key->nums[type] != value;
+ 	key->nums[type] = value;
+ 	key->numset[type] = true;
+ 	isc_mutex_unlock(&key->mdlock);
+@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) {
+ 	REQUIRE(type <= DST_MAX_NUMERIC);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || key->numset[type];
+ 	key->numset[type] = false;
+ 	isc_mutex_unlock(&key->mdlock);
+ }
+@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
+ 	REQUIRE(type <= DST_MAX_TIMES);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || !key->timeset[type] ||
++			key->times[type] != when;
+ 	key->times[type] = when;
+ 	key->timeset[type] = true;
+ 	isc_mutex_unlock(&key->mdlock);
+@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) {
+ 	REQUIRE(type <= DST_MAX_TIMES);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || key->timeset[type];
+ 	key->timeset[type] = false;
+ 	isc_mutex_unlock(&key->mdlock);
+ }
+@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) {
+ 	REQUIRE(type <= DST_MAX_KEYSTATES);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || !key->keystateset[type] ||
++			key->keystates[type] != state;
+ 	key->keystates[type] = state;
+ 	key->keystateset[type] = true;
+ 	isc_mutex_unlock(&key->mdlock);
+@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) {
+ 	REQUIRE(type <= DST_MAX_KEYSTATES);
+ 
+ 	isc_mutex_lock(&key->mdlock);
++	key->modified = key->modified || key->keystateset[type];
+ 	key->keystateset[type] = false;
+ 	isc_mutex_unlock(&key->mdlock);
+ }
+@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) {
+ 			dst_key_unsetstate(to, i);
+ 		}
+ 	}
++
++	dst_key_setmodified(to, dst_key_ismodified(from));
+ }
+diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
+index e26837bfe4..4933cfd5aa 100644
+--- a/lib/dns/dst_internal.h
++++ b/lib/dns/dst_internal.h
+@@ -147,6 +147,7 @@ struct dst_key {
+ 	bool inactive; /*%< private key not present as it is
+ 			* inactive */
+ 	bool external; /*%< external key */
++	bool modified; /*%< set to true if key file metadata has changed */
+ 
+ 	int fmt_major; /*%< private key format, major version
+ 			* */
+diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
+index d50761a63c..eab5501029 100644
+--- a/lib/dns/include/dst/dst.h
++++ b/lib/dns/include/dst/dst.h
+@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key);
+  *	'key' to be valid.
+  */
+ 
++void
++dst_key_setmodified(dst_key_t *key, bool value);
++/*%<
++ * If 'value' is true, this marks the key to indicate that key file metadata
++ * has been modified. If 'value' is false, this resets the value, for example
++ * after you have written the key to file.
++ *
++ * Requires:
++ *	'key' to be valid.
++ */
++
++bool
++dst_key_ismodified(dst_key_t *key);
++/*%<
++ * Check if the key file has been modified.
++ *
++ * Requires:
++ *	'key' to be valid.
++ */
++
+ bool
+ dst_key_haskasp(dst_key_t *key);
+ /*%<
+diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
+index 965782b1f3..b01286575f 100644
+--- a/lib/dns/keymgr.c
++++ b/lib/dns/keymgr.c
+@@ -1512,6 +1512,7 @@ transition:
+ 			/* It is safe to make the transition. */
+ 			dst_key_setstate(dkey->key, i, next_state);
+ 			dst_key_settime(dkey->key, keystatetimes[i], now);
++			INSIST(dst_key_ismodified(dkey->key));
+ 			changed = true;
+ 		}
+ 	}
+@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
+ 	for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
+ 	     dkey = ISC_LIST_NEXT(dkey, link))
+ 	{
+-		if (!dkey->purge) {
++		if (dst_key_ismodified(dkey->key) && !dkey->purge) {
+ 			dns_dnssec_get_hints(dkey, now);
+ 			RETERR(dst_key_tofile(dkey->key, options, directory));
++			dst_key_setmodified(dkey->key, false);
+ 		}
+ 	}
+ 
+@@ -2205,6 +2207,13 @@ failure:
+ 		}
+ 	}
+ 
++	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
++		char namebuf[DNS_NAME_FORMATSIZE];
++		dns_name_format(origin, namebuf, sizeof(namebuf));
++		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
++			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3),
++			      "keymgr: %s done", namebuf);
++	}
+ 	return (result);
+ }
+ 
+@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+ 
+ 	dns_dnssec_get_hints(ksk_key, now);
+ 	result = dst_key_tofile(ksk_key->key, options, directory);
++	if (result == ISC_R_SUCCESS) {
++		dst_key_setmodified(ksk_key->key, false);
++	}
+ 	isc_dir_close(&dir);
+ 
+ 	return (result);
+@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
+ 
+ 	dns_dnssec_get_hints(key, now);
+ 	result = dst_key_tofile(key->key, options, directory);
++	if (result == ISC_R_SUCCESS) {
++		dst_key_setmodified(key->key, false);
++	}
+ 	isc_dir_close(&dir);
+ 
+ 	return (result);
+-- 
+2.27.0
+

backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch

@@ -0,0 +1,76 @@
+From 7c42c04f3fa1c6b936debe48b435b9ef9da464bd Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Mon, 16 May 2022 19:00:47 +0200
+Subject: [PATCH] Fix CID 352776: Concurrent data access violations
+
+*** CID 352776:  Concurrent data access violations  (MISSING_LOCK)
+/lib/dns/dst_api.c: 474 in dst_key_setmodified()
+468     dst_key_isexternal(dst_key_t *key) {
+469		return (key->external);
+470     }
+471
+472     void
+473     dst_key_setmodified(dst_key_t *key, bool value) {
+>>>     CID 352776:  Concurrent data access violations  (MISSING_LOCK)
+>>>     Accessing "key->modified" without holding lock
+>>>	"dst_key.mdlock". Elsewhere, "dst_key.modified" is accessed with
+>>>	"dst_key.mdlock" held 8 out of 11 times (8 of these accesses
+>>>	strongly imply that it is necessary).
+474		key->modified = value;
+475     }
+476
+477     bool
+478     dst_key_ismodified(dst_key_t *key) {
+479		return (key->modified);
+
+(cherry picked from commit 1fa24d0afbc01d25d71446156758b3a945db5b5f)
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c42c04f3fa1c6b936debe48b435b9ef9da464bd
+---
+ lib/dns/dst_api.c         | 12 ++++++++++--
+ lib/dns/include/dst/dst.h |  2 +-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
+index 8873a041b8..e5a52aea37 100644
+--- a/lib/dns/dst_api.c
++++ b/lib/dns/dst_api.c
+@@ -492,12 +492,20 @@ dst_key_isexternal(dst_key_t *key) {
+ 
+ void
+ dst_key_setmodified(dst_key_t *key, bool value) {
++	isc_mutex_lock(&key->mdlock);
+ 	key->modified = value;
++	isc_mutex_unlock(&key->mdlock);
+ }
+ 
+ bool
+-dst_key_ismodified(dst_key_t *key) {
+-	return (key->modified);
++dst_key_ismodified(const dst_key_t *key) {
++	bool modified;
++
++	isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
++	modified = key->modified;
++	isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
++
++	return (modified);
+ }
+ 
+ isc_result_t
+diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
+index eab5501029..3185e9f91b 100644
+--- a/lib/dns/include/dst/dst.h
++++ b/lib/dns/include/dst/dst.h
+@@ -1119,7 +1119,7 @@ dst_key_setmodified(dst_key_t *key, bool value);
+  */
+ 
+ bool
+-dst_key_ismodified(dst_key_t *key);
++dst_key_ismodified(const dst_key_t *key);
+ /*%<
+  * Check if the key file has been modified.
+  *
+-- 
+2.27.0
+

backport-0037-Require-valid-key-for-dst_key-functions.patch

@@ -0,0 +1,70 @@
+From d3147417c55cb1277cac42034198a3011c8f5cfb Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Tue, 17 May 2022 12:02:43 +0200
+Subject: [PATCH] Require valid key for dst_key functions
+
+Make sure that the key structure is valid when calling the following
+functions:
+- dst_key_setexternal
+- dst_key_isexternal
+- dst_key_setmodified
+- dst_key_ismodified
+
+This commit is adapted because 9.16 has a different approach
+of deconsting the variable.
+
+(cherry picked from commit 888ec4e0d407a9333017d6997a2be81a69658e1f)
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d3147417c55cb1277cac42034198a3011c8f5cfb
+---
+ lib/dns/dst_api.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
+index e5a52aea37..f5741a1af4 100644
+--- a/lib/dns/dst_api.c
++++ b/lib/dns/dst_api.c
+@@ -482,16 +482,22 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
+ 
+ void
+ dst_key_setexternal(dst_key_t *key, bool value) {
++	REQUIRE(VALID_KEY(key));
++
+ 	key->external = value;
+ }
+ 
+ bool
+ dst_key_isexternal(dst_key_t *key) {
++	REQUIRE(VALID_KEY(key));
++
+ 	return (key->external);
+ }
+ 
+ void
+ dst_key_setmodified(dst_key_t *key, bool value) {
++	REQUIRE(VALID_KEY(key));
++
+ 	isc_mutex_lock(&key->mdlock);
+ 	key->modified = value;
+ 	isc_mutex_unlock(&key->mdlock);
+@@ -500,10 +506,15 @@ dst_key_setmodified(dst_key_t *key, bool value) {
+ bool
+ dst_key_ismodified(const dst_key_t *key) {
+ 	bool modified;
++	dst_key_t *k;
+ 
+-	isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
++	REQUIRE(VALID_KEY(key));
++
++	DE_CONST(key, k);
++
++	isc_mutex_lock(&k->mdlock);
+ 	modified = key->modified;
+-	isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
++	isc_mutex_unlock(&k->mdlock);
+ 
+ 	return (modified);
+ }
+-- 
+2.27.0
+

bind.spec

@@ -30,7 +30,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  10
+Release:  11
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -87,7 +87,14 @@ Patch6004: CVE-2022-38178.patch
 Patch6005: CVE-2022-3080.patch
 Patch6006: CVE-2022-2881.patch
 Patch6007: CVE-2022-2906.patch
-Patch9000: bugfix-limit-numbers-of-test-threads.patch
+Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch
+Patch6009:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch
+Patch6010:backport-0012-Separate-the-locked-parts-of-dns_zone_catz_enable-di.patch
+Patch6011:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch
+Patch6012:backport-0037-Fix-CID-352776-Concurrent-data-access-violations.patch
+Patch6013:backport-0037-Require-valid-key-for-dst_key-functions.patch
+
+Patch9000:bugfix-limit-numbers-of-test-threads.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -392,6 +399,12 @@ in HTML and PDF format.
 %patch6006 -p1
 %patch6007 -p1
 %patch9000 -p1
+%patch6008 -p1
+%patch6009 -p1
+%patch6010 -p1
+%patch6011 -p1
+%patch6012 -p1
+%patch6013 -p1
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1115,6 +1128,17 @@ fi;
 %endif
 
 %changelog
+* Thu Sep 29 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: Fix catalog zone reconfiguration crash
+Improve the logging on failed TCP accept
+Separate the locked parts of dns_zone_catz_enable-di
+Check if key-metadata is modified before writing
+Fix CID-352776 Concurrent data access violations
+Require valid key for dst_key functions
+
 * Wed Sep 28 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-10
 - DESC: fix CVE-2022-2795 CVE-2022-38177 CVE-2022-38178
 CVE-2022-3080 CVE-2022-2906 CVE-2022-2881