!5 update bind to 9.11.21

Merge pull request !5 from eaglegai/master
openeuler-ci-bot 2020-07-27 20:50:21 +08:00 committed by Gitee
commit af23b46880
71 changed files with 6579 additions and 3725 deletions


@ -1,53 +0,0 @@
From 8ac0152651725cfa3dd887f9f73e6ff9671ce2dd Mon Sep 17 00:00:00 2001
From: Bill Parker <wp02855@gmail.com>
Date: Tue, 10 Jul 2018 12:34:00 +1000
Subject: [PATCH 2432/3677] check param_template[i].pValue is non NULL
---
bin/pkcs11/pkcs11-keygen.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index fe314ab..9631c0e 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -657,8 +657,18 @@ main(int argc, char *argv[]) {
}
/* Allocate space for parameter attributes */
- for (i = 0; i < param_attrcnt; i++)
+ for (i = 0; i < param_attrcnt; i++) {
+ param_template[i].pValue = NULL;
+ }
+
+ for (i = 0; i < param_attrcnt; i++) {
param_template[i].pValue = malloc(param_template[i].ulValueLen);
+ if (param_template[i].pValue == NULL) {
+ fprintf(stderr, "malloc failed\n");
+ error = 1;
+ goto exit_params;
+ }
+ }
rv = pkcs_C_GetAttributeValue(hSession, domainparams,
dsa_param_template, DSA_PARAM_ATTRS);
@@ -713,9 +723,13 @@ main(int argc, char *argv[]) {
exit_params:
/* Free parameter attributes */
- if (keyclass == key_dsa || keyclass == key_dh)
- for (i = 0; i < param_attrcnt; i++)
- free(param_template[i].pValue);
+ if (keyclass == key_dsa || keyclass == key_dh) {
+ for (i = 0; i < param_attrcnt; i++) {
+ if (param_template[i].pValue != NULL) {
+ free(param_template[i].pValue);
+ }
+ }
+ }
exit_domain:
/* Destroy domain parameters */
--
1.8.3.1


@ -1,53 +0,0 @@
From 4093efc900e250a39f9669e3d740a4286a0edb9c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 31 Jul 2018 17:41:45 +1000
Subject: [PATCH 2497/3677] refcount errors on error paths
---
lib/dns/rbtdb.c | 3 ---
lib/dns/view.c | 1 +
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e332802..01c7cd8 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -8368,7 +8368,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
if (result != ISC_R_SUCCESS) {
while (i-- > 0) {
NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
- isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL);
isc_refcount_destroy(&rbtdb->node_locks[i].references);
}
goto cleanup_deadnodes;
@@ -8491,7 +8490,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
rbtdb->current_version = allocate_version(mctx, 1, 1, ISC_FALSE);
if (rbtdb->current_version == NULL) {
isc_refcount_decrement(&rbtdb->references, NULL);
- isc_refcount_destroy(&rbtdb->references);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (ISC_R_NOMEMORY);
}
@@ -8513,7 +8511,6 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
sizeof(*rbtdb->current_version));
rbtdb->current_version = NULL;
isc_refcount_decrement(&rbtdb->references, NULL);
- isc_refcount_destroy(&rbtdb->references);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
diff --git a/lib/dns/view.c b/lib/dns/view.c
index e36576f..7751535 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -311,6 +311,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
dns_tsigkeyring_detach(&view->dynamickeys);
cleanup_references:
+ isc_refcount_decrement(&view->references, NULL);
isc_refcount_destroy(&view->references);
cleanup_fwdtable:
--
1.8.3.1


@ -1,11 +0,0 @@
--- a/lib/dns/openssl_link.c 2019-04-17 06:00:00.086000000 -0400
+++ b/lib/dns/openssl_link_1.c 2019-04-17 06:03:38.556000000 -0400
@@ -385,7 +385,7 @@ dst__openssl_destroy(void) {
static isc_result_t
toresult(isc_result_t fallback) {
isc_result_t result = fallback;
- unsigned long err = ERR_get_error();
+ unsigned long err = ERR_peek_error();
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
int lib = ERR_GET_LIB(err);


@ -1,47 +0,0 @@
From 17212cf9965a1a0ec8412b807fe08f74e059cc1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Fri, 7 Sep 2018 09:34:32 +0200
Subject: [PATCH 2711/3677] Align CMSG buffers to a void* boundary, fixes crash
on architectures with strict alignment CHANGES entry
---
CHANGES | 3 +++
lib/isc/include/isc/util.h | 5 +++++
lib/isc/unix/socket.c | 5 +++--
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index bb0c885..acc3d64 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -260,6 +260,11 @@ extern void mock_assert(const int result, const char* const expression,
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
/*%
+ * Alignment
+ */
+#define ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a)-1))
+
+/*%
* Misc
*/
#include <isc/deprecated.h>
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 343cec2..62a00cd 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -315,8 +315,9 @@ typedef isc_event_t intev_t;
#define CMSG_SP_INT 24
-#define RECVCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1)
-#define SENDCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1)
+/* Align cmsg buffers to be safe on SPARC etc. */
+#define RECVCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1, sizeof(void*))
+#define SENDCMSGBUFLEN ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1, sizeof(void*))
/*%
* The number of times a send operation is repeated if the result is EINTR.
--
1.8.3.1


@ -1,22 +0,0 @@
--- a/lib/isc/timer.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/isc/timer_1.c 2019-04-17 23:40:41.930000000 -0400
@@ -472,8 +472,10 @@ isc__timer_create(isc_timermgr_t *manage
result = schedule(timer, &now, ISC_TRUE);
else
result = ISC_R_SUCCESS;
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS){
+ *timerp = (isc_timer_t *)timer;
APPEND(manager->timers, timer, link);
+ }
UNLOCK(&manager->lock);
@@ -486,7 +488,6 @@ isc__timer_create(isc_timermgr_t *manage
return (result);
}
- *timerp = (isc_timer_t *)timer;
return (ISC_R_SUCCESS);
}


@ -1,26 +0,0 @@
From 607c2d7441b5b56272765dfd6ee56de983c3b407 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 19 Oct 2018 19:23:39 +1100
Subject: [PATCH 2865/3677] free key on error
---
lib/dns/dst_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7685dcb..c0684d9 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -802,6 +802,9 @@ dst_key_fromgssapi(const dns_name_t *name, gss_ctx_id_t gssctx,
*keyp = key;
result = ISC_R_SUCCESS;
out:
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ }
return result;
}
--
1.8.3.1


@ -1,49 +0,0 @@
From afde30fe9b1fd43595290a6763db6d52e0903c5a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 19 Oct 2018 19:36:17 +1100
Subject: [PATCH 2879/3677] expand the pool then copy over the old entries so
we that failures do not break the old pool; also don't leak the new pool on
error
---
lib/isc/pool.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/isc/pool.c b/lib/isc/pool.c
index 5c693a6..8fb2a45 100644
--- a/lib/isc/pool.c
+++ b/lib/isc/pool.c
@@ -131,21 +131,22 @@ isc_pool_expand(isc_pool_t **sourcep, unsigned int count,
newpool->init = pool->init;
newpool->initarg = pool->initarg;
- /* Copy over the objects from the old pool */
- for (i = 0; i < pool->count; i++) {
- newpool->pool[i] = pool->pool[i];
- pool->pool[i] = NULL;
- }
-
/* Populate the new entries */
for (i = pool->count; i < count; i++) {
- result = pool->init(&newpool->pool[i], pool->initarg);
+ result = newpool->init(&newpool->pool[i],
+ newpool->initarg);
if (result != ISC_R_SUCCESS) {
- isc_pool_destroy(&pool);
+ isc_pool_destroy(&newpool);
return (result);
}
}
+ /* Copy over the objects from the old pool */
+ for (i = 0; i < pool->count; i++) {
+ newpool->pool[i] = pool->pool[i];
+ pool->pool[i] = NULL;
+ }
+
isc_pool_destroy(&pool);
pool = newpool;
}
--
1.8.3.1


@ -1,52 +0,0 @@
--- a/lib/dns/rdata/generic/loc_29.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/dns/rdata/generic/loc_291.c 2019-04-18 00:09:34.927000000 -0400
@@ -454,11 +454,12 @@ totext_loc(ARGS_TOTEXT) {
isc_boolean_t east;
isc_boolean_t below;
isc_region_t sr;
- char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
- "-42849672.95m 90000000m 90000000m 90000000m")];
char sbuf[sizeof("90000000m")];
char hbuf[sizeof("90000000m")];
char vbuf[sizeof("90000000m")];
+ /* "89 59 59.999 N 179 59 59.999 E " */
+ /* "-42849672.95m 90000000m 90000000m 90000000m"; */
+ char buf[8*6 + 12*1 + 2*10 + sizeof(sbuf)+sizeof(hbuf)+sizeof(vbuf)];
unsigned char size, hp, vp;
unsigned long poweroften[8] = { 1, 10, 100, 1000,
10000, 100000, 1000000, 10000000 };
@@ -550,7 +551,7 @@ totext_loc(ARGS_TOTEXT) {
altitude -= 10000000;
}
- snprintf(buf, sizeof(buf),
+ snprintf(NULL, 0,
"%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s",
d1, m1, s1, fs1, north ? "N" : "S",
d2, m2, s2, fs2, east ? "E" : "W",
--- a/lib/dns/rdata/in_1/dhcid_49.c 2018-09-04 00:04:41.000000000 -0400
+++ b/lib/dns/rdata/in_1/dhcid_491.c 2019-04-18 00:12:14.143000000 -0400
@@ -35,9 +35,8 @@ fromtext_in_dhcid(ARGS_FROMTEXT) {
static inline isc_result_t
totext_in_dhcid(ARGS_TOTEXT) {
isc_region_t sr, sr2;
- char buf[sizeof(" ; 64000 255 64000")];
- size_t n;
-
+ /* " ; 64000 255 64000" */
+ char buf[5 + 3*5 + 1];
REQUIRE(rdata->type == dns_rdatatype_dhcid);
REQUIRE(rdata->rdclass == dns_rdataclass_in);
REQUIRE(rdata->length != 0);
@@ -55,10 +54,9 @@ totext_in_dhcid(ARGS_TOTEXT) {
if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
RETERR(str_totext(/* ( */ " )", target));
if (rdata->length > 2) {
- n = snprintf(buf, sizeof(buf), " ; %u %u %u",
+ snprintf(NULL, 0, " ; %u %u %u",
sr2.base[0] * 256U + sr2.base[1],
sr2.base[2], rdata->length - 3U);
- INSIST(n < sizeof(buf));
RETERR(str_totext(buf, target));
}
}


@ -1,35 +0,0 @@
From 462175659674a10c0d39c7c328f1a5324ce2e38b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Tue, 13 Nov 2018 13:50:47 +0100
Subject: [PATCH 3022/3677] Fix a shutdown race in bin/dig/dighost.c
If a tool using the routines defined in bin/dig/dighost.c is sent an
interruption signal around the time a connection timeout is scheduled to
fire, connect_timeout() may be executed after destroy_libs() detaches
from the global task (setting 'global_task' to NULL), which results in a
crash upon a UDP retry due to bringup_timer() attempting to create a
timer with 'task' set to NULL. Fix by preventing connect_timeout() from
attempting a retry when shutdown is in progress.
---
bin/dig/dighost.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f4e5e55..410b634 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -2902,6 +2902,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
INSIST(!free_now);
+ if (cancel_now) {
+ UNLOCK_LOOKUP;
+ return;
+ }
+
if ((query != NULL) && (query->lookup->current_query != NULL) &&
ISC_LINK_LINKED(query->lookup->current_query, link) &&
(ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
--
1.8.3.1


@ -1,25 +0,0 @@
From 4eadebe2b2feade839d8f178e6ddf8b4406d093a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 9 Nov 2018 15:32:33 +1100
Subject: [PATCH 3046/3677] uninitalize memory read on error path
---
lib/dns/nta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index 73674b3..498b7f1 100644
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -149,7 +149,7 @@ dns_ntatable_create(dns_view_t *view,
isc_task_detach(&ntatable->task);
cleanup_ntatable:
- isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable));
+ isc_mem_put(view->mctx, ntatable, sizeof(*ntatable));
return (result);
}
--
1.8.3.1


@ -1,77 +0,0 @@
From 1dd11fc754baf396bb3040527087b14f0678dd83 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <github@pletterpet.nl>
Date: Tue, 18 Dec 2018 12:14:04 +0100
Subject: [PATCH 3318/3677] Allow unsupported alg in zone /w dnssec-signzone
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
---
lib/dns/dnssec.c | 8 ++++++++
lib/dns/include/dns/dnssec.h | 2 +-
lib/dns/nsec3.c | 11 ++++++++++-
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index c12ecac..e255b6e 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1622,6 +1622,14 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin,
result = dns_rdataset_next(&keys)) {
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
+
+ /* Skip unsupported algorithms */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ goto skip;
+
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
dst_key_setttl(pubkey, keys.ttl);
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 50930b6..e60375e 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -274,7 +274,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
/*%<
* Search 'directory' for K* key files matching the name in 'origin'.
* Append all such keys, along with use hints gleaned from their
- * metadata, onto 'keylist'.
+ * metadata, onto 'keylist'. Skip any unsupported algorithms.
*
* Requires:
*\li 'keylist' is not NULL
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 861e909..f30d695 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1811,8 +1811,17 @@ dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_t rdata = DNS_RDATA_INIT;
-
dns_rdataset_current(&rdataset, &rdata);
+
+ /* Skip unsupported algorithms when
+ * calculating the maximum iterations.
+ */
+ REQUIRE(rdata.type == dns_rdatatype_key ||
+ rdata.type == dns_rdatatype_dnskey);
+ REQUIRE(rdata.length > 3);
+ if (!dst_algorithm_supported(rdata.data[3]))
+ continue;
+
isc_buffer_init(&buffer, rdata.data, rdata.length);
isc_buffer_add(&buffer, rdata.length);
CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
--
1.8.3.1


@ -1,112 +0,0 @@
From 7114d16098b0cf4910e06490fa70758f1c2c62a3 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 15 Feb 2019 08:52:16 +1100
Subject: [PATCH 3543/3677] fix memory leak
---
lib/dns/spnego_asn1.c | 56 +++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
index fb51b0d..46e487a 100644
--- a/lib/dns/spnego_asn1.c
+++ b/lib/dns/spnego_asn1.c
@@ -467,25 +467,25 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
FORW;
{
int dce_fix;
- if ((dce_fix = fix_dce(reallen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((dce_fix = fix_dce(reallen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
{
size_t newlen, oldlen;
e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
- if (e)
- return e;
- else {
- p += l;
- len -= l;
- ret += l;
+ FORW;
+ {
e = der_get_length(p, len, &newlen, &l);
FORW;
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
FORW;
if (mydce_fix) {
@@ -511,11 +511,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
- if ((data)->reqFlags == NULL)
- return ENOMEM;
+ if ((data)->reqFlags == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
FORW;
if (mydce_fix) {
@@ -541,11 +545,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->mechToken = malloc(sizeof(*(data)->mechToken));
- if ((data)->mechToken == NULL)
- return ENOMEM;
+ if ((data)->mechToken == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_octet_string(p, len, (data)->mechToken, &l);
FORW;
if (mydce_fix) {
@@ -571,11 +579,15 @@ decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, siz
{
int mydce_fix;
oldlen = len;
- if ((mydce_fix = fix_dce(newlen, &len)) < 0)
- return ASN1_BAD_FORMAT;
+ if ((mydce_fix = fix_dce(newlen, &len)) < 0) {
+ e = ASN1_BAD_FORMAT;
+ goto fail;
+ }
(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
- if ((data)->mechListMIC == NULL)
- return ENOMEM;
+ if ((data)->mechListMIC == NULL) {
+ e = ENOMEM;
+ goto fail;
+ }
e = decode_octet_string(p, len, (data)->mechListMIC, &l);
FORW;
if (mydce_fix) {
--
1.8.3.1


@ -11,7 +11,7 @@
+ } + }
if (query->waiting_senddone) { if (query->waiting_senddone) {
debug("send_done not yet called"); debug("send_done not yet called");
query->pending_free = ISC_TRUE; query->pending_free = true;
@@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) { @@ -1833,13 +1833,15 @@ clear_query(dig_query_t *query) {
lookup = query->lookup; lookup = query->lookup;
@ -58,7 +58,7 @@
+ debug("create query %p linked to lookup %p", query, lookup); + debug("create query %p linked to lookup %p", query, lookup);
query->lookup = lookup; query->lookup = lookup;
query->timer = NULL; query->timer = NULL;
query->waiting_connect = ISC_FALSE; query->waiting_connect = false;
@@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) { @@ -2838,9 +2842,9 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LIST_INIT(query->lengthlist); ISC_LIST_INIT(query->lengthlist);
query->sock = NULL; query->sock = NULL;
@ -82,21 +82,21 @@
@@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) { @@ -2856,9 +2861,10 @@ setup_lookup(dig_lookup_t *lookup) {
extrabytes = 0; extrabytes = 0;
dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg, dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
ISC_TRUE); true);
- if (lookup->stats) - if (lookup->stats)
+ if (lookup->stats){ + if (lookup->stats){
printf(";; QUERY SIZE: %u\n\n", printf(";; QUERY SIZE: %u\n\n",
isc_buffer_usedlength(&lookup->renderbuf)); isc_buffer_usedlength(&lookup->renderbuf));
+ } + }
} }
return (ISC_TRUE); return (true);
} }
@@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t @@ -2893,20 +2899,26 @@ send_done(isc_task_t *_task, isc_event_t
} }
query = event->ev_arg; query = event->ev_arg;
+ REQUIRE(DIG_VALID_QUERY(query)); + REQUIRE(DIG_VALID_QUERY(query));
query->waiting_senddone = ISC_FALSE; query->waiting_senddone = false;
l = query->lookup; l = query->lookup;
- if (l->ns_search_only && !l->trace_root && !l->tcp_mode) { - if (l->ns_search_only && !l->trace_root && !l->tcp_mode) {
@ -189,9 +189,9 @@
+ REQUIRE(DIG_VALID_QUERY(query)); + REQUIRE(DIG_VALID_QUERY(query));
INSIST(query->waiting_connect); INSIST(query->waiting_connect);
query->waiting_connect = ISC_FALSE; query->waiting_connect = false;
@@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) { @@ -4460,6 +4475,7 @@ do_lookup(dig_lookup_t *lookup) {
lookup->pending = ISC_TRUE; lookup->pending = true;
query = ISC_LIST_HEAD(lookup->q); query = ISC_LIST_HEAD(lookup->q);
if (query != NULL) { if (query != NULL) {
+ REQUIRE(DIG_VALID_QUERY(query)); + REQUIRE(DIG_VALID_QUERY(query));
@ -224,5 +224,5 @@
struct dig_query { struct dig_query {
+ unsigned int magic; + unsigned int magic;
dig_lookup_t *lookup; dig_lookup_t *lookup;
isc_boolean_t waiting_connect, bool waiting_connect,
pending_free, pending_free,


@ -1,131 +0,0 @@
Backport of:
From 17623d26e4e7b0fd45f2b39f00cd46e6044ce4c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 17 Apr 2019 15:22:27 +0200
Subject: [PATCH] Replace atomic operations in bin/named/client.c with
isc_refcount reference counting
---
bin/named/client.c | 18 +++++++-----------
bin/named/include/named/interfacemgr.h | 5 +++--
bin/named/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)
Index: bind9-9.11.4+dfsg/bin/named/client.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 15:25:42.091541114 -0400
@@ -399,12 +399,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -551,7 +549,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
!ns_g_clienttest &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = ISC_FALSE;
@@ -3314,7 +3312,6 @@ client_newconn(isc_task_t *task, isc_eve
isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3334,8 +3331,7 @@ client_newconn(isc_task_t *task, isc_eve
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3466,8 +3462,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3525,7 +3521,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 15:26:03.943597701 -0400
@@ -43,6 +43,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/result.h>
@@ -73,11 +74,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- isc_int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- isc_int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 15:25:11.891463104 -0400
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *m
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}


@ -1,872 +0,0 @@
Description: fix limiting simultaneous TCP clients is ineffective
Origin: backported from patch provided by ISC
Index: bind9-9.11.4+dfsg/bin/named/client.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/client.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/client.c 2019-04-24 05:16:21.089731949 -0400
@@ -243,10 +243,11 @@ static void ns_client_dumpmessage(ns_cli
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock);
+ isc_socket_t *sock, ns_client_t *oldclient);
static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
- isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
+allowed(isc_netaddr_t *addr, dns_name_t *signer,
+ isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
+ isc_uint8_t *ecs_scope, dns_acl_t *acl);
static void compute_cookie(ns_client_t *client, isc_uint32_t when,
isc_uint32_t nonce, const unsigned char *secret,
isc_buffer_t *buf);
@@ -296,6 +297,119 @@ ns_client_settimeout(ns_client_t *client
}
/*%
+ * Allocate a reference-counted object that will maintain a single pointer to
+ * the (also reference-counted) TCP client quota, shared between all the
+ * clients processing queries on a single TCP connection, so that all
+ * clients sharing the one socket will together consume only one slot in
+ * the 'tcp-clients' quota.
+ */
+static isc_result_t
+tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+ isc_result_t result;
+ isc_quota_t *quota = NULL;
+ ns_tcpconn_t *tconn = NULL;
+
+ REQUIRE(client->tcpconn == NULL);
+
+ /*
+ * Try to attach to the quota first, so we won't pointlessly
+ * allocate memory for a tcpconn object if we can't get one.
+ */
+ if (force) {
+ result = isc_quota_force(&ns_g_server->tcpquota, &quota);
+ } else {
+ result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
+ }
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
+ /*
+ * A global memory context is used for the allocation as different
+ * client structures may have different memory contexts assigned and a
+ * reference counter allocated here might need to be freed by a
+ * different client. The performance impact caused by memory context
+ * contention here is expected to be negligible, given that this code
+ * is only executed for TCP connections.
+ */
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
+
+ isc_refcount_init(&tconn->refs, 1);
+ tconn->tcpquota = quota;
+ quota = NULL;
+ tconn->pipelined = ISC_FALSE;
+
+ client->tcpconn = tconn;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Increase the count of client structures sharing the TCP connection
+ * that 'source' is associated with; add a pointer to the same tcpconn
+ * to 'target', thus associating it with the same TCP connection.
+ */
+static void
+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+ int refs;
+
+ REQUIRE(source->tcpconn != NULL);
+ REQUIRE(target->tcpconn == NULL);
+ REQUIRE(source->tcpconn->pipelined);
+
+ isc_refcount_increment(&source->tcpconn->refs, &refs);
+ INSIST(refs > 1);
+ target->tcpconn = source->tcpconn;
+}
+
+/*%
+ * Decrease the count of client structures sharing the TCP connection that
+ * 'client' is associated with. If this is the last client using this TCP
+ * connection, we detach from the TCP quota and free the tcpconn
+ * object. Either way, client->tcpconn is set to NULL.
+ */
+static void
+tcpconn_detach(ns_client_t *client) {
+ ns_tcpconn_t *tconn = NULL;
+ int refs;
+
+ REQUIRE(client->tcpconn != NULL);
+
+ tconn = client->tcpconn;
+ client->tcpconn = NULL;
+
+ isc_refcount_decrement(&tconn->refs, &refs);
+ if (refs == 0) {
+ isc_quota_detach(&tconn->tcpquota);
+ isc_mem_free(ns_g_mctx, tconn);
+ }
+}
+
+/*%
+ * Mark a client as active and increment the interface's 'ntcpactive'
+ * counter, as a signal that there is at least one client servicing
+ * TCP queries for the interface. If we reach the TCP client quota at
+ * some point, this will be used to determine whether a quota overrun
+ * should be permitted.
+ *
+ * Marking the client active with the 'tcpactive' flag ensures proper
+ * accounting, by preventing us from incrementing or decrementing
+ * 'ntcpactive' more than once per client.
+ */
+static void
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+ if (active && !client->tcpactive) {
+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+ uint32_t old =
+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
+ INSIST(old > 0);
+ client->tcpactive = active;
+ }
+}
+
+/*%
* Check for a deactivation or shutdown request and take appropriate
* action. Returns ISC_TRUE if either is in progress; in this case
* the caller must no longer use the client object as it may have been
@@ -384,7 +498,8 @@ exit_check(ns_client_t *client) {
INSIST(client->recursionquota == NULL);
if (NS_CLIENTSTATE_READING == client->newstate) {
- if (!client->pipelined) {
+ INSIST(client->tcpconn != NULL);
+ if (!client->tcpconn->pipelined) {
client_read(client);
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE); /* We're done. */
@@ -402,10 +517,13 @@ exit_check(ns_client_t *client) {
*/
INSIST(client->recursionquota == NULL);
INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
+
+ if (client->nreads > 0) {
dns_tcpmsg_cancelread(&client->tcpmsg);
- if (client->nreads != 0) {
- /* Still waiting for read cancel completion. */
+ }
+
+ /* Still waiting for read cancel completion. */
+ if (client->nreads > 0) {
return (ISC_TRUE);
}
@@ -413,14 +531,49 @@ exit_check(ns_client_t *client) {
dns_tcpmsg_invalidate(&client->tcpmsg);
client->tcpmsg_valid = ISC_FALSE;
}
+
+ /*
+ * Soon the client will be ready to accept a new TCP
+ * connection or UDP request, but we may have enough
+ * clients doing that already. Check whether this client
+ * needs to remain active and allow it go inactive if
+ * not.
+ *
+ * UDP clients always go inactive at this point, but a TCP
+ * client may need to stay active and return to READY
+ * state if no other clients are available to listen
+ * for TCP requests on this interface.
+ *
+ * Regardless, if we're going to FREED state, that means
+ * the system is shutting down and we don't need to
+ * retain clients.
+ */
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = ISC_FALSE;
+ client->newstate = NS_CLIENTSTATE_READY;
+ }
+
+ /*
+ * Detach from TCP connection and TCP client quota,
+ * if appropriate. If this is the last reference to
+ * the TCP connection in our pipeline group, the
+ * TCP quota slot will be released.
+ */
+ if (client->tcpconn) {
+ tcpconn_detach(client);
+ }
+
if (client->tcpsocket != NULL) {
CTRACE("closetcp");
isc_socket_detach(&client->tcpsocket);
+ mark_tcp_active(client, ISC_FALSE);
}
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
if (client->timerset) {
(void)isc_timer_reset(client->timer,
isc_timertype_inactive,
@@ -428,45 +581,26 @@ exit_check(ns_client_t *client) {
client->timerset = ISC_FALSE;
}
- client->pipelined = ISC_FALSE;
-
client->peeraddr_valid = ISC_FALSE;
client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- *
- * UDP clients go inactive at this point, but TCP clients
- * may remain active if we have fewer active TCP client
- * objects than desired due to an earlier quota exhaustion.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- client->mortal = ISC_FALSE;
- UNLOCK(&client->interface->lock);
- }
/*
* We don't need the client; send it to the inactive
* queue for recycling.
*/
if (client->mortal) {
- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
+ }
}
if (NS_CLIENTSTATE_READY == client->newstate) {
if (TCP_CLIENT(client)) {
client_accept(client);
- } else
+ } else {
client_udprecv(client);
+ }
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE);
}
@@ -478,41 +612,50 @@ exit_check(ns_client_t *client) {
/*
* We are trying to enter the inactive state.
*/
- if (client->naccepts > 0)
+ if (client->naccepts > 0) {
isc_socket_cancel(client->tcplistener, client->task,
ISC_SOCKCANCEL_ACCEPT);
+ }
/* Still waiting for accept cancel completion. */
- if (! (client->naccepts == 0))
+ if (client->naccepts > 0) {
return (ISC_TRUE);
+ }
/* Accept cancel is complete. */
- if (client->nrecvs > 0)
+ if (client->nrecvs > 0) {
isc_socket_cancel(client->udpsocket, client->task,
ISC_SOCKCANCEL_RECV);
+ }
/* Still waiting for recv cancel completion. */
- if (! (client->nrecvs == 0))
+ if (client->nrecvs > 0) {
return (ISC_TRUE);
+ }
/* Still waiting for control event to be delivered */
- if (client->nctls > 0)
+ if (client->nctls > 0) {
return (ISC_TRUE);
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
+ }
INSIST(client->naccepts == 0);
INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
+ if (client->tcplistener != NULL) {
isc_socket_detach(&client->tcplistener);
-
- if (client->udpsocket != NULL)
+ mark_tcp_active(client, ISC_FALSE);
+ }
+ if (client->udpsocket != NULL) {
isc_socket_detach(&client->udpsocket);
+ }
- if (client->dispatch != NULL)
+ /* Deactivate the client. */
+ if (client->interface != NULL) {
+ ns_interface_detach(&client->interface);
+ }
+
+ if (client->dispatch != NULL) {
dns_dispatch_detach(&client->dispatch);
+ }
client->attributes = 0;
client->mortal = ISC_FALSE;
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
client->newstate = NS_CLIENTSTATE_MAX;
if (!ns_g_clienttest && manager != NULL &&
!manager->exiting)
+ {
ISC_QUEUE_PUSH(manager->inactive, client,
ilink);
- if (client->needshutdown)
+ }
+ if (client->needshutdown) {
isc_task_shutdown(client->task);
+ }
return (ISC_TRUE);
}
}
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event
return;
if (TCP_CLIENT(client)) {
- if (client->pipelined) {
+ if (client->tcpconn != NULL) {
client_read(client);
} else {
client_accept(client);
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event
}
}
-
/*%
* The client's task has received a shutdown event.
*/
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_eve
client->nrecvs--;
} else {
INSIST(TCP_CLIENT(client));
+ INSIST(client->tcpconn != NULL);
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
REQUIRE(event->ev_sender == &client->tcpmsg);
buffer = &client->tcpmsg.buffer;
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_eve
/*
* Pipeline TCP query processing.
*/
- if (client->message->opcode != dns_opcode_query)
- client->pipelined = ISC_FALSE;
- if (TCP_CLIENT(client) && client->pipelined) {
- result = isc_quota_reserve(&ns_g_server->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
+ if (TCP_CLIENT(client) &&
+ client->message->opcode != dns_opcode_query)
+ {
+ client->tcpconn->pipelined = ISC_FALSE;
+ }
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
+ /*
+ * We're pipelining. Replace the client; the
+ * replacement can read the TCP socket looking
+ * for new messages and this one can process the
+ * current message asynchronously.
+ *
+ * There will now be at least three clients using this
+ * TCP socket - one accepting new connections,
+ * one reading an existing connection to get new
+ * messages, and one answering the message already
+ * received.
+ */
+ result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(read): %s",
- isc_result_totext(result));
- client->pipelined = ISC_FALSE;
+ client->tcpconn->pipelined = ISC_FALSE;
}
}
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, n
client->signer = NULL;
dns_name_init(&client->signername, NULL);
client->mortal = ISC_FALSE;
- client->pipelined = ISC_FALSE;
- client->tcpquota = NULL;
+ client->tcpconn = NULL;
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, n
client->filter_aaaa = dns_aaaa_ok;
#endif
client->needshutdown = ns_g_clienttest;
+ client->tcpactive = ISC_FALSE;
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
static void
client_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
+ isc_uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_eve
INSIST(client->state == NS_CLIENTSTATE_READY);
+ /*
+ * The accept() was successful and we're now establishing a new
+ * connection. We need to make note of it in the client and
+ * interface objects so client objects can do the right thing
+ * when going inactive in exit_check() (see comments in
+ * client_accept() for details).
+ */
INSIST(client->naccepts == 1);
client->naccepts--;
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+ INSIST(old > 0);
/*
* We must take ownership of the new socket before the exit
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_eve
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"accept failed: %s",
isc_result_totext(nevent->result));
+ tcpconn_detach(client);
}
if (exit_check(client))
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_eve
* telnetting to port 53 (once per CPU) will
* deny service to legitimate TCP clients.
*/
- client->pipelined = ISC_FALSE;
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(accept): %s",
- isc_result_totext(result));
- } else if (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)) {
- client->pipelined = ISC_TRUE;
+ result = ns_client_replace(client);
+ if (result == ISC_R_SUCCESS &&
+ (ns_g_server->keepresporder == NULL ||
+ !allowed(&netaddr, NULL, NULL, 0, NULL,
+ ns_g_server->keepresporder)))
+ {
+ client->tcpconn->pipelined = ISC_TRUE;
}
client_read(client);
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
CTRACE("accept");
+ /*
+ * Set up a new TCP connection. This means try to attach to the
+ * TCP client quota (tcp-clients), but fail if we're over quota.
+ */
+ result = tcpconn_init(client, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_boolean_t exit;
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "TCP client quota reached: %s",
+ isc_result_totext(result));
+
+ /*
+ * We have exceeded the system-wide TCP client quota. But,
+ * we can't just block this accept in all cases, because if
+ * we did, a heavy TCP load on other interfaces might cause
+ * this interface to be starved, with no clients able to
+ * accept new connections.
+ *
+ * So, we check here to see if any other clients are
+ * already servicing TCP queries on this interface (whether
+ * accepting, reading, or processing). If we find that at
+ * least one client other than this one is active, then
+ * it's okay *not* to call accept - we can let this
+ * client go inactive and another will take over when it's
+ * done.
+ *
+ * If there aren't enough active clients on the interface,
+ * then we can be a little bit flexible about the quota.
+ * We'll allow *one* extra client through to ensure we're
+ * listening on every interface; we do this by setting the
+ * 'force' option to tcpconn_init().
+ *
+ * (Note: In practice this means that the real TCP client
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+ (client->tcpactive ? 1 : 0));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+ return;
+ }
+
+ result = tcpconn_init(client, ISC_TRUE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this client was set up using get_client() or get_worker(),
+ * then TCP is already marked active. However, if it was restarted
+ * from exit_check(), it might not be, so we take care of it now.
+ */
+ mark_tcp_active(client, ISC_TRUE);
+
result = isc_socket_accept(client->tcplistener, client->task,
client_newconn, client);
if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
* it didn't work. If we just give up, then TCP
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
*
* For now, we just go idle.
*/
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+
+ tcpconn_detach(client);
+ mark_tcp_active(client, ISC_FALSE);
return;
}
+
+ /*
+ * The client's 'naccepts' counter indicates that this client has
+ * called accept() and is waiting for a new connection. It should
+ * never exceed 1.
+ */
INSIST(client->naccepts == 0);
client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
+
+ /*
+ * The interface's 'ntcpaccepting' counter is incremented when
+ * any client calls accept(), and decremented in client_newconn()
+ * once the connection is established.
+ *
+ * When the client object is shutting down after handling a TCP
+ * request (see exit_check()), if this value is at least one, that
+ * means another client has called accept() and is waiting to
+ * establish the next connection. That means the client may be
+ * be free to become inactive; otherwise it may need to start
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
}
static void
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
REQUIRE(client->manager != NULL);
tcp = TCP_CLIENT(client);
- if (tcp && client->pipelined) {
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
result = get_worker(client->manager, client->interface,
- client->tcpsocket);
+ client->tcpsocket, client);
} else {
result = get_client(client->manager, client->interface,
client->dispatch, tcp);
+
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* The responsibility for listening for new requests is hereby
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_i
client->dscp = ifp->dscp;
if (tcp) {
+ mark_tcp_active(client, ISC_TRUE);
+
client->attributes |= NS_CLIENTATTR_TCP;
isc_socket_attach(ifp->tcpsocket,
&client->tcplistener);
+
} else {
isc_socket_t *sock;
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_i
}
static isc_result_t
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
+ ns_client_t *oldclient)
{
isc_result_t result = ISC_R_SUCCESS;
isc_event_t *ev;
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_i
MTRACE("get worker");
REQUIRE(manager != NULL);
+ REQUIRE(oldclient != NULL);
if (manager->exiting)
return (ISC_R_SHUTTINGDOWN);
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_i
ns_interface_attach(ifp, &client->interface);
client->newstate = client->state = NS_CLIENTSTATE_WORKING;
INSIST(client->recursionquota == NULL);
- client->tcpquota = &ns_g_server->tcpquota;
client->dscp = ifp->dscp;
client->attributes |= NS_CLIENTATTR_TCP;
- client->pipelined = ISC_TRUE;
client->mortal = ISC_TRUE;
+ tcpconn_attach(oldclient, client);
+ mark_tcp_active(client, ISC_TRUE);
+
isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
isc_socket_attach(sock, &client->tcpsocket);
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
Index: bind9-9.11.4+dfsg/bin/named/include/named/client.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/client.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/client.h 2019-04-24 05:18:09.894205195 -0400
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
-
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -77,6 +75,13 @@
*** Types
***/
+/*% reference-counted TCP connection object */
+typedef struct ns_tcpconn {
+ isc_refcount_t refs;
+ isc_quota_t *tcpquota;
+ isc_boolean_t pipelined;
+} ns_tcpconn_t;
+
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
@@ -91,6 +96,7 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t tcpactive;
isc_boolean_t needshutdown; /*
* Used by clienttest to get
* the client to go from
@@ -127,10 +133,9 @@ struct ns_client {
isc_stdtime_t now;
isc_time_t tnow;
dns_name_t signername; /*%< [T]SIG key name */
- dns_name_t * signer; /*%< NULL if not valid sig */
+ dns_name_t *signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
- isc_quota_t *tcpquota;
+ ns_tcpconn_t *tcpconn;
isc_quota_t *recursionquota;
ns_interface_t *interface;
Index: bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/include/named/interfacemgr.h 2019-04-24 05:05:24.068523718 -0400
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
-
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
@@ -75,9 +73,14 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int ntcptarget; /*%< Desired number of concurrent
- TCP accepts */
- int ntcpcurrent; /*%< Current ditto, locked */
+ isc_int32_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+ isc_int32_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
int nudpdispatch; /*%< Number of UDP dispatches */
ns_clientmgr_t * clientmgr; /*%< Client manager. */
ISC_LINK(ns_interface_t) link;
Index: bind9-9.11.4+dfsg/bin/named/interfacemgr.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/interfacemgr.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/bin/named/interfacemgr.c 2019-04-24 05:19:06.102432272 -0400
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *m
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcptarget = 1;
- ifp->ntcpcurrent = 0;
+ ifp->ntcpaccepting = 0;
+ ifp->ntcpactive = 0;
+
ifp->nudpdispatch = 0;
ifp->dscp = -1;
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *i
*/
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
- result = ns_clientmgr_createclients(ifp->clientmgr,
- ifp->ntcptarget, ifp,
- ISC_TRUE);
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"TCP ns_clientmgr_createclients(): %s",
Index: bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/include/isc/quota.h 2019-04-24 05:05:24.068523718 -0400
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
*/
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ * Like isc_quota_attach, but will attach '*p' to the quota
+ * even if the hard quota has been exceeded.
+ */
+
void
isc_quota_detach(isc_quota_t **p);
/*%<
Index: bind9-9.11.4+dfsg/lib/isc/quota.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/quota.c 2019-04-24 05:05:24.068523718 -0400
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
UNLOCK(&quota->lock);
}
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
+static isc_result_t
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
isc_result_t result;
- INSIST(p != NULL && *p == NULL);
+ REQUIRE(p != NULL && *p == NULL);
+
result = isc_quota_reserve(quota);
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+ *p = quota;
+ } else if (result == ISC_R_QUOTA && force) {
+ /* attach anyway */
+ LOCK(&quota->lock);
+ quota->used++;
+ UNLOCK(&quota->lock);
+
*p = quota;
+ result = ISC_R_SUCCESS;
+ }
+
return (result);
}
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_FALSE));
+}
+
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_TRUE));
+}
+
void
-isc_quota_detach(isc_quota_t **p)
-{
+isc_quota_detach(isc_quota_t **p) {
INSIST(p != NULL && *p != NULL);
isc_quota_release(*p);
*p = NULL;
Index: bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400
+++ bind9-9.11.4+dfsg/lib/isc/win32/libisc.def.in 2019-04-24 05:05:24.068523718 -0400
@@ -519,6 +519,7 @@ isc_portset_removerange
isc_quota_attach
isc_quota_destroy
isc_quota_detach
+isc_quota_force
isc_quota_init
isc_quota_max
isc_quota_release


@ -1,71 +0,0 @@
Description: fix assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
Origin: provided by ISC
Index: bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/include/dst/dst.h 2019-02-20 09:01:27.446680698 +0100
@@ -67,8 +67,7 @@ typedef struct dst_context dst_context_
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
-#define DST_ALG_EXPAND 255
-#define DST_MAX_ALGS 255
+#define DST_MAX_ALGS 256
/*% A buffer of this size is large enough to hold any key */
#define DST_KEY_MAXSIZE 1280
Index: bind9-9.11.4+dfsg/lib/dns/zone.c
===================================================================
--- bind9-9.11.4+dfsg.orig/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
+++ bind9-9.11.4+dfsg/lib/dns/zone.c 2019-02-20 09:01:27.450680701 +0100
@@ -3873,9 +3873,10 @@ compute_tag(dns_name_t *name, dns_rdata_
dns_rdatatype_dnskey, dnskey, &buffer);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
*tag = dst_key_id(dstkey);
- dst_key_free(&dstkey);
+ dst_key_free(&dstkey);
+ }
return (result);
}
@@ -9315,6 +9316,17 @@ keyfetch_done(isc_task_t *task, isc_even
dns_keydata_todnskey(&keydata, &dnskey, NULL);
result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
@@ -9426,6 +9438,17 @@ keyfetch_done(isc_task_t *task, isc_even
continue;
result = compute_tag(keyname, &dnskey, mctx, &keytag);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Skip if we cannot compute the key tag.
+ * This may happen if the algorithm is unsupported
+ */
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "Cannot compute tag for key in zone %s: %s "
+ "(skipping)",
+ namebuf, dns_result_totext(result));
+ continue;
+ }
RUNTIME_CHECK(result == ISC_R_SUCCESS);
revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);


@ -1,25 +0,0 @@
Description: fix controls for zone transfers not being properly applied to
Dynamically Loadable Zones (DLZs) if the zones are writable
Origin: provided by ISC
Index: bind9-9.11.4+dfsg/bin/named/xfrout.c
===================================================================
--- bind9-9.11.4+dfsg.orig/bin/named/xfrout.c 2019-02-20 09:02:00.710689380 +0100
+++ bind9-9.11.4+dfsg/bin/named/xfrout.c 2019-02-20 09:02:00.706689381 +0100
@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rd
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
/*
- * Normal zone table does not have a match.
- * Try the DLZ database
+ * The normal zone table does not have a match, or this is
+ * marked in the zone table as a DLZ zone. Check the DLZ
+ * databases for a match.
*/
- // Temporary: only searching the first DLZ database
if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
result = dns_dlzallowzonexfr(client->view,
question_name,


@ -27,16 +27,16 @@ index f06d31a5508c2d3f7227063c21d9d4563789e72a..da25e5bf8e07639c8f70420a5c3f3c98
-#if ISC_FIX_TV_USEC -#if ISC_FIX_TV_USEC
-static inline void -static inline void
-fix_tv_usec(struct timeval *tv) { -fix_tv_usec(struct timeval *tv) {
- isc_boolean_t fixed = ISC_FALSE; - bool fixed = false;
- -
- if (tv->tv_usec < 0) { - if (tv->tv_usec < 0) {
- fixed = ISC_TRUE; - fixed = true;
- do { - do {
- tv->tv_sec -= 1; - tv->tv_sec -= 1;
- tv->tv_usec += US_PER_S; - tv->tv_usec += US_PER_S;
- } while (tv->tv_usec < 0); - } while (tv->tv_usec < 0);
- } else if (tv->tv_usec >= US_PER_S) { - } else if (tv->tv_usec >= US_PER_S) {
- fixed = ISC_TRUE; - fixed = true;
- do { - do {
- tv->tv_sec += 1; - tv->tv_sec += 1;
- tv->tv_usec -= US_PER_S; - tv->tv_usec -= US_PER_S;


@ -14,25 +14,26 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@ @BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 1d0c4ce..7b7f89b 100644 index 4b8ca13..32f4470 100644
--- a/bin/dnssec-pkcs11/Makefile.in --- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@ @@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@ @BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} +CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ -CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" - @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" + @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS = CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ +DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ +ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ +ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
@ -43,7 +44,7 @@ index 1d0c4ce..7b7f89b 100644
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ @@ -35,10 +35,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically # Alphabetically
@ -58,7 +59,7 @@ index 1d0c4ce..7b7f89b 100644
OBJS = dnssectool.@O@ OBJS = dnssectool.@O@
@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} @@ -59,15 +59,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@ @BIND9_MAKE_RULES@
@ -77,7 +78,7 @@ index 1d0c4ce..7b7f89b 100644
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c @@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c -c ${srcdir}/dnssec-signzone.c
@ -86,7 +87,7 @@ index 1d0c4ce..7b7f89b 100644
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c @@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c -c ${srcdir}/dnssec-verify.c
@ -110,7 +111,7 @@ index 1d0c4ce..7b7f89b 100644
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS} dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -108,16 +108,14 @@ docclean manclean maintainer-clean:: @@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
installdirs: installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -121,18 +122,18 @@ index 1d0c4ce..7b7f89b 100644
-install:: ${TARGETS} installdirs install-man8 -install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs +install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
uninstall:: uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done - for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean:: clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1d0c4ce..11538cf 100644 index 4b8ca13..4175996 100644
--- a/bin/dnssec/Makefile.in --- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ @@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
@ -142,10 +143,10 @@ index 1d0c4ce..11538cf 100644
CWARNINGS = CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index d92bc9a..a8c42a4 100644 index 70e5571..b5a4a6b 100644
--- a/bin/named-pkcs11/Makefile.in --- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ @@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@ -153,20 +154,22 @@ index d92bc9a..a8c42a4 100644
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ + ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ + ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ -CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ +CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS = CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ +DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ +ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ +ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@ LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@ BIND9LIBS = ../../lib/bind9/libbind9.@A@
@ -179,7 +182,7 @@ index d92bc9a..a8c42a4 100644
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ @@ -72,15 +72,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -193,12 +196,12 @@ index d92bc9a..a8c42a4 100644
SUBDIRS = unix SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@ +TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@ GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ @@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \ zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -208,7 +211,7 @@ index d92bc9a..a8c42a4 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ @@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \ tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \ zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -218,7 +221,7 @@ index d92bc9a..a8c42a4 100644
MANPAGES = named.8 lwresd.8 named.conf.5 MANPAGES = named.8 lwresd.8 named.conf.5
@@ -146,14 +144,14 @@ server.@O@: server.c @@ -154,21 +152,21 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \ -DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -234,9 +237,17 @@ index d92bc9a..a8c42a4 100644
- @LN@ named@EXEEXT@ lwresd@EXEEXT@ - @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@ + @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
doc man:: ${MANOBJS} # Bit of hack, do not produce intermediate .o object for featuretest
feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 -feature-test@EXEEXT@: feature-test.@O@
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8 install-man: install-man5 install-man8
@ -257,15 +268,15 @@ index d92bc9a..a8c42a4 100644
@DLZ_DRIVER_RULES@ @DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index d92bc9a..6d2bfd1 100644 index 70e5571..4cfed4d 100644
--- a/bin/named/Makefile.in --- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in +++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ @@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ -CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ +CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS = CWARNINGS =
@ -290,11 +301,11 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS} DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in diff --git a/configure.ac b/configure.ac
index 849fa94..69e6373 100644 index 9b7d778..59ba20b 100644
--- a/configure.in --- a/configure.ac
+++ b/configure.in +++ b/configure.ac
@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI) @@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC) AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS) AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -309,10 +320,10 @@ index 849fa94..69e6373 100644
# #
# was --with-randomdev specified? # was --with-randomdev specified?
@@ -1554,11 +1556,11 @@ fi @@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library) AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING= OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11" -if test "yes" = "$want_native_pkcs11"
-then -then
- use_openssl="native_pkcs11" - use_openssl="native_pkcs11"
@ -326,7 +337,7 @@ index 849fa94..69e6373 100644
if test "auto" = "$use_openssl" if test "auto" = "$use_openssl"
then then
@@ -1571,6 +1573,7 @@ then @@ -1511,6 +1513,7 @@ then
fi fi
done done
fi fi
@ -334,7 +345,7 @@ index 849fa94..69e6373 100644
OPENSSL_ECDSA="" OPENSSL_ECDSA=""
OPENSSL_GOST="" OPENSSL_GOST=""
OPENSSL_ED25519="" OPENSSL_ED25519=""
@@ -1592,11 +1595,10 @@ case "$with_gost" in @@ -1532,11 +1535,10 @@ case "$with_gost" in
;; ;;
esac esac
@ -349,7 +360,7 @@ index 849fa94..69e6373 100644
CRYPTOLIB="pkcs11" CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS="" OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS="" OPENSSLECDSALINKSRCS=""
@@ -1606,7 +1608,9 @@ case "$use_openssl" in @@ -1546,7 +1548,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS="" OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS="" OPENSSLLINKOBJS=""
OPENSSLLINKSRCS="" OPENSSLLINKSRCS=""
@ -360,7 +371,7 @@ index 849fa94..69e6373 100644
no) no)
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
DST_OPENSSL_INC="" DST_OPENSSL_INC=""
@@ -1638,7 +1642,7 @@ case "$use_openssl" in @@ -1578,7 +1582,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl]) If you do not want OpenSSL, use --without-openssl])
;; ;;
*) *)
@ -369,7 +380,7 @@ index 849fa94..69e6373 100644
then then
AC_MSG_RESULT() AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519) @@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST) AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -377,7 +388,7 @@ index 849fa94..69e6373 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes" if test "yes" = "$with_aes"
@@ -2384,6 +2389,7 @@ esac @@ -2291,6 +2296,7 @@ esac
AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS) AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO) AC_SUBST(CRYPTO)
@ -385,7 +396,7 @@ index 849fa94..69e6373 100644
AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519) AC_SUBST(PKCS11_ED25519)
@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([ @@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile bin/delv/Makefile
bin/dig/Makefile bin/dig/Makefile
bin/dnssec/Makefile bin/dnssec/Makefile
@ -397,7 +408,7 @@ index 849fa94..69e6373 100644
bin/nsupdate/Makefile bin/nsupdate/Makefile
bin/pkcs11/Makefile bin/pkcs11/Makefile
bin/python/Makefile bin/python/Makefile
@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([ @@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile lib/dns/include/dst/Makefile
lib/dns/tests/Makefile lib/dns/tests/Makefile
@ -408,7 +419,7 @@ index 849fa94..69e6373 100644
lib/irs/Makefile lib/irs/Makefile
lib/irs/include/Makefile lib/irs/include/Makefile
lib/irs/include/irs/Makefile lib/irs/include/irs/Makefile
@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([ @@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile lib/isc/unix/include/pkcs11/Makefile
@ -447,17 +458,18 @@ index 81270a0..bcb5312 100644
@BIND9_MAKE_RULES@ @BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 4a8549e..6a19906 100644 index 7f09bd6..c388d9e 100644
--- a/lib/dns-pkcs11/Makefile.in --- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@ @@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ - ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ +CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} -CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} +CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
@ -470,9 +482,9 @@ index 4a8549e..6a19906 100644
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ +ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = @LIBS@ LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -146,15 +146,15 @@ version.@O@: version.c @@ -150,15 +149,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \ -DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c -c ${srcdir}/version.c
@ -492,13 +504,9 @@ index 4a8549e..6a19906 100644
include: gen include: gen
${MAKE} include/dns/enumtype.h ${MAKE} include/dns/enumtype.h
@@ -180,25 +180,25 @@ code.h: gen @@ -189,22 +188,22 @@ gen: gen.c
./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; } ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
-timestamp: include libdns.@A@ -timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@ +timestamp: include libdns-pkcs11.@A@
@ -523,9 +531,9 @@ index 4a8549e..6a19906 100644
+ rm -f libdns-pkcs11.@A@ timestamp + rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index ba53ef1..d1f1771 100644 index 8ad54bb..a3ecdfb 100644
--- a/lib/isc-pkcs11/Makefile.in --- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in +++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \ @@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
@ -539,7 +547,7 @@ index ba53ef1..d1f1771 100644
CWARNINGS = CWARNINGS =
# Alphabetically # Alphabetically
@@ -107,40 +107,40 @@ version.@O@: version.c @@ -103,40 +103,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \ -DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c -c ${srcdir}/version.c


@ -14,7 +14,7 @@ index ce7a2da..4e6a824 100644
@BIND9_MAKE_RULES@ @BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 6d2bfd1..d3f42e8 100644 index 4cfed4d..c6b42b2 100644
--- a/bin/named-sdb/Makefile.in --- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in +++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@ @@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
@ -31,16 +31,16 @@ index 6d2bfd1..d3f42e8 100644
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ @@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-sdb@EXEEXT@ +TARGETS = named-sdb@EXEEXT@ feature-test-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@ GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ server.@O@: server.c @@ -154,7 +154,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \ -DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -49,7 +49,16 @@ index 6d2bfd1..d3f42e8 100644
export MAKE_SYMTABLE="yes"; \ export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h @@ -168,7 +168,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
-feature-test@EXEEXT@: feature-test.@O@
+feature-test-sdb@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -190,8 +190,6 @@ statschannel.@O@: bind9.xsl.h
installdirs: installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -58,7 +67,7 @@ index 6d2bfd1..d3f42e8 100644
install-man5: named.conf.5 install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5 ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8 @@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8 install-man: install-man5 install-man8
@ -79,10 +88,10 @@ index 6d2bfd1..d3f42e8 100644
@DLZ_DRIVER_RULES@ @DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index bb639d9..555c4d9 100644 index c9fc3cc..148ebb3 100644
--- a/bin/named-sdb/main.c --- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c +++ b/bin/named-sdb/main.c
@@ -91,6 +91,10 @@ @@ -97,6 +97,10 @@
* Include header files for database drivers here. * Include header files for database drivers here.
*/ */
/* #include "xxdb.h" */ /* #include "xxdb.h" */
@ -93,7 +102,7 @@ index bb639d9..555c4d9 100644
#ifdef CONTRIB_DLZ #ifdef CONTRIB_DLZ
/* /*
@@ -1061,6 +1065,11 @@ setup(void) { @@ -1134,6 +1138,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s", ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result)); isc_result_totext(result));
@ -105,7 +114,7 @@ index bb639d9..555c4d9 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>", ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version, ns_g_product, ns_g_version,
@@ -1261,6 +1270,75 @@ setup(void) { @@ -1334,6 +1343,75 @@ setup(void) {
isc_result_totext(result)); isc_result_totext(result));
#endif #endif
@ -181,7 +190,7 @@ index bb639d9..555c4d9 100644
ns_server_create(ns_g_mctx, &ns_g_server); ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP #ifdef HAVE_LIBSECCOMP
@@ -1303,6 +1381,11 @@ cleanup(void) { @@ -1376,6 +1454,11 @@ cleanup(void) {
dns_name_destroy(); dns_name_destroy();
@ -194,22 +203,23 @@ index bb639d9..555c4d9 100644
ISC_LOG_NOTICE, "exiting"); ISC_LOG_NOTICE, "exiting");
ns_log_shutdown(); ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 6d2bfd1..86f8587 100644 index 4cfed4d..f4bce7b 100644
--- a/bin/named/Makefile.in --- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in +++ b/bin/named/Makefile.in
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ @@ -45,10 +45,10 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ @DST_OPENSSL_INC@ + ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ -CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @CRYPTO@ +CDEFINES = @USE_GSSAPI@ @CRYPTO@
CWARNINGS = CWARNINGS =
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ @@ -72,11 +72,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -223,7 +233,7 @@ index 6d2bfd1..86f8587 100644
SUBDIRS = unix SUBDIRS = unix
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ @@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \ zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -233,7 +243,7 @@ index 6d2bfd1..86f8587 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ @@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \ tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \ zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -243,7 +253,7 @@ index 6d2bfd1..86f8587 100644
MANPAGES = named.8 lwresd.8 named.conf.5 MANPAGES = named.8 lwresd.8 named.conf.5
@@ -195,7 +193,5 @@ uninstall:: @@ -212,7 +210,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@ rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
@ -286,11 +296,11 @@ index c7e0868..95ab742 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in diff --git a/configure.ac b/configure.ac
index 62536a6..f571a4f 100644 index f85f45f..7d28c52 100644
--- a/configure.in --- a/configure.ac
+++ b/configure.in +++ b/configure.ac
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([ @@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile bin/named/unix/Makefile
bin/named-pkcs11/Makefile bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile bin/named-pkcs11/unix/Makefile
@ -299,9 +309,9 @@ index 62536a6..f571a4f 100644
bin/nsupdate/Makefile bin/nsupdate/Makefile
bin/pkcs11/Makefile bin/pkcs11/Makefile
bin/python/Makefile bin/python/Makefile
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([ @@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py bin/python/isc/tests/policy_test.py
bin/python/isc/utils.py
bin/rndc/Makefile bin/rndc/Makefile
+ bin/sdb_tools/Makefile + bin/sdb_tools/Makefile
bin/tests/Makefile bin/tests/Makefile


@ -0,0 +1,27 @@
From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Aug 2019 20:39:59 +0200
Subject: [PATCH] Do not set engine for native PKCS11
It resets already set lib_path to pkcs11, which is invalid in native
pkcs11 crypto. Engine has to be path to PKCS#11 module.
---
bin/named/include/named/globals.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index eda2214..2a611d5 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL);
EXTERN const char * ns_g_username INIT(NULL);
-#if defined(USE_PKCS11)
+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * ns_g_engine INIT(NULL);
--
2.20.1
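Review bot: The reason for excluding native PKCS#11 from the default engine lives only in the commit message; the `#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)` line in globals.h gives a reader no hint why a PKCS#11 build would deliberately leave `ns_g_engine` NULL. I would add a comment above the `#if`: `/* With native PKCS#11 (PKCS11CRYPTO) ns_g_engine must be a path to the PKCS#11 module, not an OpenSSL engine name; leave it unset so a configured lib_path is not overridden. */`, which restates the commit message's rationale. Whether PKCS11CRYPTO is the macro the build actually defines for native PKCS#11 cannot be confirmed from this hunk, so it is worth checking against the configure output.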


@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in diff --git a/configure.ac b/configure.ac
index e6cd6a4..988b0a7 100644 index c1bfd62..7c5ad51 100644
--- a/configure.in --- a/configure.ac
+++ b/configure.in +++ b/configure.ac
@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS) @@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS) AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS) AC_SUBST(BUILD_LIBS)
@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644
# Commands to run at the end of config.status. # Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody # Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in diff --git a/isc-config.sh.in b/isc-config.sh.in
index 110191a..5a64004 100644 index b5e94ed..d2857e0 100644
--- a/isc-config.sh.in --- a/isc-config.sh.in
+++ b/isc-config.sh.in +++ b/isc-config.sh.in
@@ -12,16 +12,17 @@ prefix=@prefix@ @@ -13,16 +13,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@ exec_prefix=@exec_prefix@
exec_prefix_set= exec_prefix_set=
includedir=@includedir@ includedir=@includedir@


@ -0,0 +1,71 @@
From 3f2fafe5368655225eddf0537e58e425bbc297be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 30 Jan 2019 14:37:17 +0100
Subject: [PATCH] Create feature-test in source directory
Feature-test tool is used in system tests to test compiled in changes.
Because we build more variants of named with different configuration,
compile feature-test for each of them this way.
Named variant specific feature-test does not have defined gss support,
even when it was enabled by configure. bin/tests/system Makefile defines
it, so define it also in named variants.
---
bin/named/Makefile.in | 13 +++++++++++--
bin/tests/system/conf.sh.in | 2 +-
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 3166368..70e5571 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -163,6 +163,15 @@ lwresd@EXEEXT@: named@EXEEXT@
rm -f lwresd@EXEEXT@
@LN@ named@EXEEXT@ lwresd@EXEEXT@
+# Bit of hack, do not produce intermediate .o object for featuretest
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+feature-test@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index cedabbe..e1bf5da 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -71,7 +71,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/tests/system/feature-test
+FEATURETEST=$TOP/bin/named/feature-test
RANDFILE=$TOP/bin/tests/system/random.data
--
2.20.1
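Review bot: The comment `# Bit of hack, do not produce intermediate .o object for featuretest` contradicts the rule directly beneath it, which compiles `feature-test.c` into `feature-test.@O@` and then links that object into `feature-test@EXEEXT@`. I would replace it with `# feature-test is built here rather than in bin/tests/system so it is compiled with this named variant's CDEFINES (e.g. @USE_GSSAPI@) and reports the features actually compiled in`, which is the rationale the commit message gives. The clean target of this Makefile is outside the hunk; if it does not already remove `feature-test.@O@` and `feature-test@EXEEXT@`, it should be extended, since these are new build products in bin/named.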



@ -0,0 +1,121 @@
From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
Default security policy might include explicitly disabled RSAMD5
algorithm. Current FIPS code automatically disables in FIPS mode. But if
RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 33 +++++++++++++++------------------
3 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 5b57371..51702ab 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element),
ns_g_lctx, ISC_LOG_ERROR,
"invalid algorithm");
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e0803d4..8023784 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult == ISC_R_DISABLED) {
+ // Recognize disabled algorithms, disable it explicitly
+ tresult = ISC_R_SUCCESS;
+ }
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f51d548..c49b8d1 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -126,7 +126,6 @@
#endif
#define SECALGNAMES \
- MD5_SECALGNAMES \
DH_SECALGNAMES \
DSA_SECALGNAMES \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };
@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
return (dns_mnemonic_totext(cert, target, certs));
}
-static inline struct tbl *
-secalgs_tbl_start() {
- struct tbl *algs = secalgs;
-
-#ifndef PK11_MD5_DISABLE
- if (!isc_md5_available()) {
- while (algs->name != NULL &&
- algs->value == DNS_KEYALG_RSAMD5)
- ++algs;
- }
-#endif
- return algs;
-}
-
isc_result_t
dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
unsigned int value;
+ isc_result_t result;
- RETERR(dns_mnemonic_fromtext(&value, source,
- secalgs_tbl_start(), 0xff));
+ result = dns_mnemonic_fromtext(&value, source,
+ secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ result = dns_mnemonic_fromtext(&value, source,
+ md5_secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ } else if (!isc_md5_available()) {
+ *secalgp = value;
+ return (ISC_R_DISABLED);
+ }
+ }
*secalgp = value;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
- return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
+ return (dns_mnemonic_totext(secalg, target, secalgs));
}
void
--
2.20.1
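Review bot: The new table `static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };` in rcode.c has no terminating entry, whereas `secalgs` gets its `{ 0, NULL, 0 }` sentinel from the tail of SECALGNAMES; assuming `dns_mnemonic_fromtext` walks the table until it finds a NULL name, like it does for every other table here, the second lookup in `dns_secalg_fromtext` reads past the end of `md5_secalgs` whenever the input is not an MD5 name. The definition of MD5_SECALGNAMES is outside the hunk (the `#endif` just above SECALGNAMES suggests it is conditional), and if it expands to nothing under PK11_MD5_DISABLE the initializer `{ }` is also not valid C11. Both are fixed by `static struct tbl md5_secalgs[] = { MD5_SECALGNAMES { 0, NULL, 0 } };`, which keeps the sentinel regardless of how the macro expands. A smaller style point: the `// Recognize disabled algorithms, disable it explicitly` comment in check.c is the only `//` comment in a file that otherwise uses `/* */`, and a reader would benefit from it saying what is permitted: `/* RSAMD5 is auto-disabled in FIPS mode; listing it in disable-algorithms is still valid, any other use is an error. */`.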



@ -1,4 +1,4 @@
From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001 From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200 Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented Subject: [PATCH] Disable IDN from environment as documented
@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5. RH patch since RHEL 5.
--- ---
bin/dig/dig.docbook | 4 +++- bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 9 +++++++-- bin/dig/dighost.c | 5 +++++
bin/dig/host.docbook | 2 +- bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++ bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 26 insertions(+), 4 deletions(-) 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index fedd288..d5dba72 100644 index 5d19301..933af79 100644
--- a/bin/dig/dig.docbook --- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook +++ b/bin/dig/dig.docbook
@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr @@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server. reply from the server.
If you'd like to turn off the IDN support for some reason, use If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and parameters <parameter>+noidnin</parameter> and
@ -33,34 +33,26 @@ index fedd288..d5dba72 100644
</refsection> </refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 7408193..d46379d 100644 index 5eabc1f..73aaab8 100644
--- a/bin/dig/dighost.c --- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c +++ b/bin/dig/dighost.c
@@ -822,12 +822,17 @@ make_empty_lookup(void) { @@ -826,6 +826,11 @@ make_empty_lookup(void) {
looknew->seenbadcookie = ISC_FALSE; looknew->badcookie = true;
looknew->badcookie = ISC_TRUE;
#ifdef WITH_IDN_SUPPORT #ifdef WITH_IDN_SUPPORT
- looknew->idnin = ISC_TRUE; looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
+ if (looknew->idnin) { + if (looknew->idnin) {
+ const char *charset = getenv("CHARSET"); + const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII")) + if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = ISC_FALSE; + looknew->idnin = false;
+ } + }
#else #else
looknew->idnin = ISC_FALSE; looknew->idnin = false;
#endif
#ifdef WITH_IDN_OUT_SUPPORT
- looknew->idnout = ISC_TRUE;
+ looknew->idnout = looknew->idnin;
#else
looknew->idnout = ISC_FALSE;
#endif #endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9c3aeaa..42cbbf9 100644 index da0f8fb..9689b5a 100644
--- a/bin/dig/host.docbook --- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook +++ b/bin/dig/host.docbook
@@ -378,7 +378,7 @@ @@ -379,7 +379,7 @@
<command>host</command> appropriately converts character encoding of <command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a domain name before sending a request to DNS server or displaying a
reply from the server. reply from the server.
@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644
The IDN support is disabled if the variable is set when The IDN support is disabled if the variable is set when
<command>host</command> runs. <command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 3aff4e9..86a09c6 100644 index d46fc2d..6d7d181 100644
--- a/bin/dig/nslookup.docbook --- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook +++ b/bin/dig/nslookup.docbook
@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10 @@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
</para> </para>
</refsection> </refsection>
@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644
<para><filename>/etc/resolv.conf</filename> <para><filename>/etc/resolv.conf</filename>
-- --
2.14.4 2.20.1
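Review bot: The rebased dighost.c hunk clears `looknew->idnin` when CHARSET=ASCII but, unlike the previous version of this patch, no longer carries the `looknew->idnout = looknew->idnin;` assignment, and nothing on the new side replaces it. If the 9.11.21 base already derives idnout from idnin after this point the omission is harmless, but otherwise CHARSET=ASCII would disable IDN conversion of input names while output conversion stays enabled, and the patch should restore `looknew->idnout = looknew->idnin;` where the base sets idnout. The unbraced `if (charset && !strcmp(charset, "ASCII"))` body is also a style nit; bracing it matches the surrounding `if (looknew->idnin) {` block. The enclosing make_empty_lookup() starts and ends outside the hunk.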

bind-9.11-json-c.patch Normal file

@ -0,0 +1,50 @@
From cb6d2019766a6c8c5516fd8859cedf0052f03293 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 25 Jul 2019 11:37:57 +0200
Subject: [PATCH] Skip support of jsoncpp
Bind cannot be compiled when jsoncpp-devel is installed. Remove support
for jsoncpp, use only json-c-devel. Bind 9.15 has already support for
--with-json-c, do not yet introduce it.
---
configure.ac | 17 ++---------------
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6d05337..5ce83b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2594,15 +2594,7 @@ case "$use_libjson" in
auto|yes)
for d in /usr /usr/local /opt/local
do
- if test -f "${d}/include/json/json.h"
- then
- if test ${d} != /usr
- then
- libjson_cflags="-I ${d}/include"
- LIBS="$LIBS -L${d}/lib"
- fi
- have_libjson="yes"
- elif test -f "${d}/include/json-c/json.h"
+ if test -f "${d}/include/json-c/json.h"
then
if test ${d} != /usr
then
@@ -2615,12 +2607,7 @@ case "$use_libjson" in
done
;;
*)
- if test -f "${use_libjson}/include/json/json.h"
- then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
- have_libjson="yes"
- elif test -f "${use_libjson}/include/json-c/json.h"
+ if test -f "${use_libjson}/include/json-c/json.h"
then
libjson_cflags="-I${use_libjson}/include"
LIBS="$LIBS -L${use_libjson}/lib"
--
2.20.1
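Review bot: The remaining probes in both the `auto|yes)` and the `*)` branches now accept only `include/json-c/json.h`, so an explicit `--with-libjson=DIR` pointing at a tree that provides `json/json.h` is rejected with no in-file hint of why; the reason given in the commit message (jsoncpp-devel colliding with the probe) is not recorded in configure.ac itself. A short comment above the surviving `if test -f "${d}/include/json-c/json.h"` line, `# Only json-c is probed; jsoncpp's json/json.h is deliberately ignored (it breaks the build)`, would keep that intent with the code. The enclosing case statement and its failure branch are outside the hunk, so what is reported to the user in the miss case cannot be checked here.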


@ -1,4 +1,4 @@
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001 From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100 Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests Subject: [PATCH] Fix pkcs11 variants atf tests
@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
--- ---
configure.in | 1 + configure.ac | 1 +
lib/Atffile | 2 ++
lib/Kyuafile | 2 ++ lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++----- lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++- lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++--- lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++------- lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
7 files changed, 40 insertions(+), 16 deletions(-) 6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.in b/configure.in diff --git a/configure.ac b/configure.ac
index 67b3aab..4767eeb 100644 index 62ecf56..0940a7d 100644
--- a/configure.in --- a/configure.ac
+++ b/configure.in +++ b/configure.ac
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([ @@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile lib/dns-pkcs11/include/dst/Makefile
@ -28,25 +27,11 @@ index 67b3aab..4767eeb 100644
lib/irs/Makefile lib/irs/Makefile
lib/irs/include/Makefile lib/irs/include/Makefile
lib/irs/include/irs/Makefile lib/irs/include/irs/Makefile
diff --git a/lib/Atffile b/lib/Atffile
index 93bbb01..4db3dce 100644
--- a/lib/Atffile
+++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
prop: test-suite = bind9
tp: dns
+tp: dns-pkcs11
tp: irs
tp: isc
+tp: isc-pkcs11
tp: isccfg
tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile diff --git a/lib/Kyuafile b/lib/Kyuafile
index ff9fc56..eaaf0dc 100644 index 7c8bab0..eec9564 100644
--- a/lib/Kyuafile --- a/lib/Kyuafile
+++ b/lib/Kyuafile +++ b/lib/Kyuafile
@@ -2,7 +2,9 @@ syntax(2) @@ -2,8 +2,10 @@ syntax(2)
test_suite('bind9') test_suite('bind9')
include('dns/Kyuafile') include('dns/Kyuafile')
@ -54,67 +39,68 @@ index ff9fc56..eaaf0dc 100644
include('irs/Kyuafile') include('irs/Kyuafile')
include('isc/Kyuafile') include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile') +include('isc-pkcs11/Kyuafile')
include('isccc/Kyuafile')
include('isccfg/Kyuafile') include('isccfg/Kyuafile')
include('lwres/Kyuafile') include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 2a6571b..f25a784 100644 index 22a06a8..5df5b15 100644
--- a/lib/dns-pkcs11/tests/Makefile.in --- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in +++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@ @@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@ @DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" +CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@ -ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@ -ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ -DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSDEPLIBS = ../libdns.@A@ -DNSDEPLIBS = ../libdns.@A@
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ +ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@ +ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ +DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@ +DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@ LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 036d27a..eb6554f 100644 index a5bf46c..9ff2b76 100644
--- a/lib/dns-pkcs11/tests/dh_test.c --- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c +++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { @@ -88,7 +88,8 @@ dh_computesecret(void **state) {
ret = dst_key_computesecret(key, key, &buf); result = dst_key_computesecret(key, key, &buf);
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY); assert_int_equal(result, DST_R_NOTPRIVATEKEY);
ret = key->func->computesecret(key, key, &buf); result = key->func->computesecret(key, key, &buf);
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE); - assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */ + /* PKCS11 variant gives different result, accept both */
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY); + assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key); dst_key_free(&key);
dns_test_end(); }
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index f7fa538..818dae4 100644 index 36d2207..00dfbc9 100644
--- a/lib/isc-pkcs11/tests/Makefile.in --- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in +++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@ @@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@ @BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\"" -CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\"" +CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@ -ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@ +ISCDEPLIBS = ../libisc-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@ LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 5b8a374..c1891c2 100644 index 4fafc38..5eb2be2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c --- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c +++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -74,7 +74,7 @@ typedef struct hash_testcase { @@ -84,7 +84,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key { typedef struct hash_test_key {
const char *key; const char *key;
@ -123,7 +109,7 @@ index 5b8a374..c1891c2 100644
} hash_test_key_t; } hash_test_key_t;
/* non-hmac tests */ /* non-hmac tests */
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) { @@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys; hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { while (testcase->input != NULL && testcase->result != NULL) {
@ -134,9 +120,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len); - isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len); + isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1, isc_hmacsha1_update(&hmacsha1,
(const isc_uint8_t *) testcase->input, (const uint8_t *) testcase->input,
testcase->input_len); testcase->input_len);
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) { @@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys; hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { while (testcase->input != NULL && testcase->result != NULL) {
@ -147,9 +133,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len); - isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len); + isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224, isc_hmacsha224_update(&hmacsha224,
(const isc_uint8_t *) testcase->input, (const uint8_t *) testcase->input,
testcase->input_len); testcase->input_len);
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) { @@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys; hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { while (testcase->input != NULL && testcase->result != NULL) {
@ -160,9 +146,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len); - isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len); + isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256, isc_hmacsha256_update(&hmacsha256,
(const isc_uint8_t *) testcase->input, (const uint8_t *) testcase->input,
testcase->input_len); testcase->input_len);
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) { @@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys; hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { while (testcase->input != NULL && testcase->result != NULL) {
@ -173,9 +159,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len); - isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len); + isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384, isc_hmacsha384_update(&hmacsha384,
(const isc_uint8_t *) testcase->input, (const uint8_t *) testcase->input,
testcase->input_len); testcase->input_len);
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) { @@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys; hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { while (testcase->input != NULL && testcase->result != NULL) {
@ -186,9 +172,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len); - isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len); + isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512, isc_hmacsha512_update(&hmacsha512,
(const isc_uint8_t *) testcase->input, (const uint8_t *) testcase->input,
testcase->input_len); testcase->input_len);
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) { @@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys; hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) { while (testcase->input != NULL && testcase->result != NULL) {
@ -199,8 +185,8 @@ index 5b8a374..c1891c2 100644
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len); - isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len); + isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5, isc_hmacmd5_update(&hmacmd5,
(const isc_uint8_t *) testcase->input, (const uint8_t *) testcase->input,
testcase->input_len); testcase->input_len);
-- --
2.14.3 2.21.1
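Review bot: In the rebased dh_test.c hunk, `assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);` accepts either error code unconditionally, so a regression that made the PKCS#11 build return the OpenSSL code (or the reverse) would pass silently. Because this copy of the test lives under lib/dns-pkcs11/tests and the Makefile.in hunk compiles it with `@CRYPTO_PK11@`, the expected value can be pinned for this build, `assert_int_equal(result, DST_R_INVALIDPRIVATEKEY);`, leaving the original assertion in lib/dns/tests untouched; this assumes the file is a separate copy rather than shared between the two trees, which the hunk does not show. The hash_test.c hunks pass a local `len` to each HMAC init call, but the lines computing `len` are collapsed in this view, so its bound relative to `buffer` cannot be checked here.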


@ -1,4 +1,4 @@
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001 From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200 Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals Subject: [PATCH] Use make automatic variables to install updated manuals
@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them.
9 files changed, 54 insertions(+), 38 deletions(-) 9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 12f48d2d23..d8eac4c714 100644 index c124e80..1174f8d 100644
--- a/bin/check/Makefile.in --- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in +++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs: @@ -83,12 +83,14 @@ installdirs:
@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@) (cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8) - (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall:: uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 87f13dda4b..7865c0c73e 100644 index 87f13dd..7865c0c 100644
--- a/bin/confgen/Makefile.in --- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs: @@ -95,13 +95,14 @@ installdirs:
@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644
uninstall:: uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
index e2d2802262..19361a83ea 100644 index e2d2802..19361a8 100644
--- a/bin/delv/Makefile.in --- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs: @@ -63,10 +63,12 @@ installdirs:
@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644
uninstall:: uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1 rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 773ac46395..3edd951e7e 100644 index a9830a9..d7ac0b6 100644
--- a/bin/dig/Makefile.in --- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs: @@ -91,16 +91,16 @@ installdirs:
@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir} nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \ - for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ - ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
- done - done
uninstall:: uninstall::
for m in ${MANPAGES}; do \ for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1be1d5ffc6..1d0c4ce5c1 100644 index 2239ad1..ce0a177 100644
--- a/bin/dnssec/Makefile.in --- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs: @@ -110,9 +110,11 @@ installdirs:
@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8 + ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+ +
+install:: ${TARGETS} installdirs install-man8 +install:: ${TARGETS} installdirs install-man8
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done - for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall:: uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 1c413973d0..03e4cb849b 100644 index e1f85a9..d92bc9a 100644
--- a/bin/named/Makefile.in --- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in +++ b/bin/named/Makefile.in
@@ -172,12 +172,17 @@ installdirs: @@ -176,12 +176,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644
uninstall:: uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5 rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae9061626c..a058c91214 100644 index ae90616..a058c91 100644
--- a/bin/pkcs11/Makefile.in --- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs: @@ -71,7 +71,10 @@ installdirs:
@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644
uninstall:: uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8 rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index aa678d47ab..064c404e2f 100644 index aa678d4..064c404 100644
--- a/bin/python/Makefile.in --- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in +++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs: @@ -47,13 +47,13 @@ installdirs:
@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644
if test -n "${DESTDIR}" ; then \ if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 7bf2af4cea..c395bc7462 100644 index 7bf2af4..c395bc7 100644
--- a/bin/tools/Makefile.in --- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs: @@ -119,17 +119,27 @@ installdirs:


@ -1,14 +1,16 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
index 0ce5e42..556d920 100644 index 15561ce..e4449b0 100644
--- a/lib/dns/dyndb.c --- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c +++ b/lib/dns/dyndb.c
@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname, @@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
instname, filename); instname, filename);
flags = RTLD_NOW|RTLD_LOCAL; flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND +#if 0
- flags |= RTLD_DEEPBIND; + /* Shared global namespace is required for dns-pkcs11 library */
-#endif #if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
flags |= RTLD_DEEPBIND;
+#endif
#endif
handle = dlopen(filename, flags); handle = dlopen(filename, flags);
if (handle == NULL)
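Review bot: The new side keeps the RTLD_DEEPBIND block under `#if 0` instead of deleting it, which leaves code that is never compiled or checked and invites a later reader to re-enable it without knowing why it was disabled. Prefer removing the `#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__` block entirely and keeping only a comment above `flags = RTLD_NOW|RTLD_LOCAL;`, e.g. `/* RTLD_DEEPBIND is deliberately not set: dns-pkcs11 requires the shared global symbol namespace. */`. Since dropping RTLD_DEEPBIND changes how a dyndb module's symbol references are resolved against named's own libraries, it is worth stating that consequence in the patch description as well. load_library() starts and ends outside the hunk.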


@ -1,4 +1,4 @@
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001 From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org> From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200 Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@ -14,20 +14,20 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846) (cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
--- ---
bin/dnssec/dnssec-signzone.c | 2 +- bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +-- lib/dns/nsec3.c | 4 +-
lib/dns/spnego.c | 4 +-- lib/dns/spnego.c | 4 +-
lib/isc/Makefile.in | 8 ++--- lib/isc/Makefile.in | 8 +---
lib/isc/include/isc/safe.h | 18 ++++------ lib/isc/include/isc/safe.h | 18 ++------
lib/isc/safe.c | 81 -------------------------------------------- lib/isc/safe.c | 83 ------------------------------------
lib/isc/tests/safe_test.c | 20 ----------- lib/isc/tests/safe_test.c | 18 --------
7 files changed, 13 insertions(+), 124 deletions(-) 7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 53be1f5c60..351296a356 100644 index 6dded0c..a9c5557 100644
--- a/bin/dnssec/dnssec-signzone.c --- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name, @@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int static int
hashlist_comp(const void *a, const void *b) { hashlist_comp(const void *a, const void *b) {
@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644
static void static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index d364308aaf..37b6a8a7fe 100644 index 6ae7ca8..01426d6 100644
--- a/lib/dns/nsec3.c --- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, @@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers. * Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0). * Inside (<0) or outside (>=0).
*/ */
@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644
/* /*
* Prepare to compute all the hashes. * Prepare to compute all the hashes.
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, @@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE); return (ISC_R_IGNORE);
} }
@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644
/* /*
* The hashes are the same. * The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ce3e42d650..079d4c1b4a 100644 index ad77f24..670982a 100644
--- a/lib/dns/spnego.c --- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c +++ b/lib/dns/spnego.c
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *, @@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */ /* mod_auth_kerb.c */
@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644
cmp_gss_type(gss_buffer_t token, gss_OID gssoid) cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{ {
unsigned char *p; unsigned char *p;
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid) @@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length) if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN); return (GSS_S_DEFECTIVE_TOKEN);
@ -81,26 +81,26 @@ index ce3e42d650..079d4c1b4a 100644
/* accept_sec_context.c */ /* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index ba53ef1091..98acffffc9 100644 index 149552a..8529a86 100644
--- a/lib/isc/Makefile.in --- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ @@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \ parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \ ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \ rwlock.@O@ \
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ - safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \ + serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \ string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \ tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS} ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ @@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
netaddr.c netscope.c pool.c ondestroy.c \ netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \ parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \ ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ - safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \ + serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \ strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c tm.c utf8.c version.c
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@ @@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \ -DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index f29f00bac6..b8a0b2290c 100644 index 66ed08b..88b8f47 100644
--- a/lib/isc/include/isc/safe.h --- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h +++ b/lib/isc/include/isc/safe.h
@@ -15,27 +15,21 @@ @@ -15,29 +15,19 @@
/*! \file isc/safe.h */ /*! \file isc/safe.h */
-#include <stdbool.h>
-
-#include <isc/types.h> -#include <isc/types.h>
-#include <stdlib.h> -#include <stdlib.h>
+#include <isc/boolean.h>
+#include <isc/lang.h> +#include <isc/lang.h>
+
+#include <openssl/crypto.h> +#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS ISC_LANG_BEGINDECLS
-isc_boolean_t -bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n); -isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n)) +#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
/*%< /*%<
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise * Returns true iff. two blocks of memory are equal, otherwise
* ISC_FALSE. * false.
* *
*/ */
@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644
* *
diff --git a/lib/isc/safe.c b/lib/isc/safe.c diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644 deleted file mode 100644
index 5c9e1e2d13..0000000000 index 7a464b6..0000000
--- a/lib/isc/safe.c --- a/lib/isc/safe.c
+++ /dev/null +++ /dev/null
@@ -1,81 +0,0 @@ @@ -1,83 +0,0 @@
-/* -/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- * - *
@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000
- -
-#include <config.h> -#include <config.h>
- -
-#include <stdbool.h>
-
-#include <isc/safe.h> -#include <isc/safe.h>
-#include <isc/string.h> -#include <isc/string.h>
-#include <isc/util.h> -#include <isc/util.h>
@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000
-#pragma optimize("", off) -#pragma optimize("", off)
-#endif -#endif
- -
-isc_boolean_t -bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n) { -isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- isc_uint8_t acc = 0; - uint8_t acc = 0;
- -
- if (n != 0U) { - if (n != 0U) {
- const isc_uint8_t *p1 = s1, *p2 = s2; - const uint8_t *p1 = s1, *p2 = s2;
- -
- do { - do {
- acc |= *p1++ ^ *p2++; - acc |= *p1++ ^ *p2++;
- } while (--n != 0U); - } while (--n != 0U);
- } - }
- return (ISC_TF(acc == 0)); - return (acc == 0);
-} -}
- -
- -
@ -239,35 +241,33 @@ index 5c9e1e2d13..0000000000
-#endif -#endif
-} -}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index f721cd1096..ea3e61f98d 100644 index 266ac75..60e9181 100644
--- a/lib/isc/tests/safe_test.c --- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c +++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) { @@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
"\x00\x00\x00\x00", 4)); "\x00\x00\x00\x00", 4));
} }
-ATF_TC(isc_safe_memcompare); -/* test isc_safe_memcompare() */
-ATF_TC_HEAD(isc_safe_memcompare, tc) { -static void
- atf_tc_set_md_var(tc, "descr", "safe memcompare()"); -isc_safe_memcompare_test(void **state) {
-} - UNUSED(state);
-ATF_TC_BODY(isc_safe_memcompare, tc) {
- UNUSED(tc);
- -
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0); - assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0); - assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0); - assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", - assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4) == 0); - "\x00\x00\x00\x00", 4), 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00", - assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0); - "\x00\x00\x00\x01", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02", - assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0); - "\x00\x00\x00\x00", 4) > 0);
-} -}
- -
ATF_TC(isc_safe_memwipe); /* test isc_safe_memwipe() */
ATF_TC_HEAD(isc_safe_memwipe, tc) { static void
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()"); isc_safe_memwipe_test(void **state) {
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { @@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
/* These should pass. */ /* These should pass. */
isc_safe_memwipe(NULL, 0); isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0); isc_safe_memwipe((void *) -1, 0);
@ -275,14 +275,14 @@ index f721cd1096..ea3e61f98d 100644
/* /*
* isc_safe_memwipe(ptr, size) should function same as * isc_safe_memwipe(ptr, size) should function same as
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) { @@ -108,7 +91,6 @@ main(void) {
*/ const struct CMUnitTest tests[] = {
ATF_TP_ADD_TCS(tp) { cmocka_unit_test(isc_safe_memequal_test),
ATF_TP_ADD_TC(tp, isc_safe_memequal); cmocka_unit_test(isc_safe_memwipe_test),
- ATF_TP_ADD_TC(tp, isc_safe_memcompare); - cmocka_unit_test(isc_safe_memcompare_test),
ATF_TP_ADD_TC(tp, isc_safe_memwipe); };
return (atf_no_error());
} return (cmocka_run_group_tests(tests, NULL, NULL));
-- --
2.14.4 2.26.2

48
bind-9.11-rh1663318.patch Normal file

@ -0,0 +1,48 @@
From b16a1ff25644bb075f454afe68ee63f6f385ca9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 23 Jan 2019 21:11:07 +0100
Subject: [PATCH] Made RAND_status check optional (broke --disable-crypto-rand)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unlike upstream, skip it also for DHCP.
Disable RAND_status also in non-threaded builds. DHCP is built without
threads and should not check RAND_status on dns library initialization.
Lack of entropy is possible state for dhclient, but it must not fail
even in this case. Because DHCP itself does not require custom random
generator, leave default RAND_OpenSSL configured. It should help TLS
connection to LDAP in single DHCP binary, while keeping secure random
data if needed.
(modified upstream commit 8a98277811ea50035ff37b744fa3dc5b75bee099)
Signed-off-by: Petr Menšík <pemensik@redhat.com>
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 7a233dd..941eb17 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
+#endif
return (ISC_R_SUCCESS);
--
2.20.1
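Review bot: The new `#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)` guard around the RAND_status() check in dst__openssl_init makes a non-threaded build proceed silently with a possibly unseeded OpenSSL PRNG, and everything dst later derives from it (keys, nonces) gets no diagnostic at all, even though the commit message itself says lack of entropy is an expected state for dhclient. Tying the check to ISC_PLATFORM_USETHREADS is also a proxy for "this is the DHCP build" that any other non-threaded consumer of libdns inherits. I would keep the RAND_status() call in the non-threaded branch and downgrade it from fatal to a logged warning rather than dropping it, so an operator can at least see the condition; which logging macro is appropriate depends on what openssl_link.c already has in scope, which is outside the hunk, as is the rest of dst__openssl_init.
```c
#if defined(ISC_PLATFORM_CRYPTORANDOM) && defined(ISC_PLATFORM_USETHREADS)
	/* … unchanged: FATAL_ERROR() when RAND_status() != 1 … */
#else
	/*
	 * Non-threaded builds (DHCP) must not abort on a missing entropy
	 * source, but an unseeded PRNG is still worth a diagnostic.
	 */
	if (RAND_status() != 1) {
		UNEXPECTED_ERROR(__FILE__, __LINE__,
				 "OpenSSL pseudorandom number generator "
				 "is not seeded; continuing anyway");
	}
#endif
```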

37
bind-9.11-rh1666814.patch Normal file

@ -0,0 +1,37 @@
From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 16 Jan 2019 16:27:33 +0100
Subject: [PATCH 2/2] Fix possible crash when loading corrupted file
Some values passes internal triggers by coincidence. Fix the check and
check also first_node_offset before even passing it further.
---
lib/dns/rbt.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 62d0826..b029b7d 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
return (ISC_R_SUCCESS);
CONFIRM((void *) n >= base);
- CONFIRM((char *) n - (char *) base <= (int) nodemax);
+ CONFIRM((size_t)((char *) n - (char *) base) <= nodemax);
CONFIRM(DNS_RBTNODE_VALID(n));
dns_name_init(&nodename, NULL);
@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rbt->root = (dns_rbtnode_t *)((char *)base_address +
header_offset + header->first_node_offset);
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
+ || header->first_node_offset > filesize) {
result = ISC_R_INVALIDFILE;
goto cleanup;
}
--
2.20.1
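Review bot: The added `header->first_node_offset > filesize` check in dns_rbt_deserialize_tree is too loose for a corrupted file: `rbt->root` is computed two lines above as `base_address + header_offset + header->first_node_offset`, so the bound that matters is `header_offset + first_node_offset + sizeof(dns_rbtnode_t) <= filesize`, and an offset just below filesize still places the root node partly or wholly past the end of the mapping. The `header->nodecount * sizeof(dns_rbtnode_t)` term is equally attacker-influenced and can wrap if nodecount is wide enough (its type is not visible here), so a division is safer than a multiplication. I would write the condition as `if (header->nodecount > filesize / sizeof(dns_rbtnode_t) ||` / `header->first_node_offset > filesize - header_offset - sizeof(dns_rbtnode_t))`, which presumes header_offset has already been validated against filesize earlier in the function, outside the hunk. The treefix change to a `size_t` comparison is fine since the preceding CONFIRM already rejects `n < base`.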

194
bind-9.11-rh1732883.patch Normal file

@ -0,0 +1,194 @@
From 6010876e561b4345e569ffd11eaec9ea52725817 Mon Sep 17 00:00:00 2001
From: Pavel Zhukov <pzhukov@redhat.com>
Date: Wed, 24 Jul 2019 17:15:55 +0200
Subject: [PATCH] Detect system time jumps
In case if system time was changed backward it's possible to have ip
address dropped by the kernel due to lifetime expirity. Try to detect
this situation using either monotonic time or saved timestamp and execute
go_reboot() procedure to request lease extention
---
lib/isc/include/isc/result.h | 3 ++-
lib/isc/include/isc/util.h | 3 +++
lib/isc/result.c | 2 ++
lib/isc/unix/app.c | 39 +++++++++++++++++++++++++++++----
lib/isc/unix/include/isc/time.h | 20 +++++++++++++++++
lib/isc/unix/time.c | 22 +++++++++++++++++++
6 files changed, 84 insertions(+), 5 deletions(-)
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0389efa..149cde5 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -89,7 +89,8 @@
#define ISC_R_DISCFULL 67 /*%< disc full */
#define ISC_R_DEFAULT 68 /*%< default */
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
-#define ISC_R_NRESULTS 70
+#define ISC_R_TIMESHIFTED 70 /*%< system time changed */
+#define ISC_R_NRESULTS 71
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 973c348..8160dd3 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -289,6 +289,9 @@ extern void mock_assert(const int result, const char* const expression,
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#ifdef CLOCK_BOOTTIME
+#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
+#endif
/*%
* Alignment
diff --git a/lib/isc/result.c b/lib/isc/result.c
index a9db132..7c04831 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
"disc full", /*%< 67 */
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
+ "time changed", /*%< 70 */
};
static const char *identifier[ISC_R_NRESULTS] = {
@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
"ISC_R_DISCFULL",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
+ "ISC_R_TIMESHIFTED",
};
#define ISC_RESULT_RESULTSET 2
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index a6e9882..52eb3e0 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -442,15 +442,48 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
static isc_result_t
evloop(isc__appctx_t *ctx) {
isc_result_t result;
+ isc_time_t now;
+#ifdef CLOCK_BOOTTIME
+ isc_time_t monotonic;
+ uint64_t diff = 0;
+#else
+ isc_time_t prev;
+ TIME_NOW(&prev);
+#endif
+
+
while (!ctx->want_shutdown) {
int n;
- isc_time_t when, now;
+ isc_time_t when;
struct timeval tv, *tvp;
isc_socketwait_t *swait;
bool readytasks;
bool call_timer_dispatch = false;
-
+ uint64_t us;
+
+#ifdef CLOCK_BOOTTIME
+ // TBD macros for following three lines
+ TIME_NOW(&now);
+ TIME_MONOTONIC(&monotonic);
+ INSIST(now.seconds > monotonic.seconds)
+ us = isc_time_microdiff (&now, &monotonic);
+ if (us < diff){
+ us = diff - us;
+ if (us > 1000000){ // ignoring shifts less than one second
+ return ISC_R_TIMESHIFTED;
+ };
+ diff = isc_time_microdiff (&now, &monotonic);
+ } else {
+ diff = isc_time_microdiff (&now, &monotonic);
+ // not implemented
+ }
+#else
+ TIME_NOW(&now);
+ if (isc_time_compare (&now, &prev) < 0)
+ return ISC_R_TIMESHIFTED;
+ TIME_NOW(&prev);
+#endif
/*
* Check the reload (or suspend) case first for exiting the
* loop as fast as possible in case:
@@ -475,8 +508,6 @@ evloop(isc__appctx_t *ctx) {
if (result != ISC_R_SUCCESS)
tvp = NULL;
else {
- uint64_t us;
-
TIME_NOW(&now);
us = isc_time_microdiff(&when, &now);
if (us == 0)
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index b864c29..5dd43c9 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
*\li 't' is a valid pointer.
*/
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t);
+/*%<
+ * Set 't' to monotonic time from previous boot
+ * it's not affected by system time change. It also
+ * includes the time system was suspended
+ *
+ * Requires:
+ *\li 't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li Success
+ *\li Unexpected error
+ * Getting the time from the system failed.
+ */
+#endif /* CLOCK_BOOTTIME */
+
+
isc_result_t
isc_time_now(isc_time_t *t);
/*%<
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 8edc9df..fe0bb91 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
t->nanoseconds / NS_PER_MS);
}
}
+
+
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t) {
+ struct timespec ts;
+
+ char strbuf[ISC_STRERRORSIZE];
+
+ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
+
+ return (ISC_R_SUCCESS);
+
+};
+#endif
--
2.20.1
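Review bot: `INSIST(now.seconds > monotonic.seconds)` in the new CLOCK_BOOTTIME branch of evloop turns an ordinary environmental state into an abort: a host without a battery-backed RTC boots with the wall clock near the epoch until NTP or DHCP sets it, so `now` is legitimately smaller than the boot-relative clock, and that is exactly the dhclient scenario the commit message describes. The line also has no trailing semicolon; with the usual expression-style INSIST macro that would not compile, so either this tree's macro tolerates it or the line was never built in this configuration, which is worth confirming. I would replace the assertion with an `isc_time_compare()` guard (already used in the `#else` branch) that skips the comparison until the wall clock is ahead of boot time, and fold the duplicated `isc_time_microdiff()` call into one; evloop's body continues past the end of the hunk. Separately, the `};` after the if block, the `//` comments and the `TBD` marker do not match the surrounding file's style.
```c
		TIME_NOW(&now);
		TIME_MONOTONIC(&monotonic);
		if (isc_time_compare(&now, &monotonic) < 0) {
			/*
			 * Wall clock predates the boot-relative clock (clock
			 * not yet set, e.g. no RTC): nothing to compare yet.
			 */
			diff = 0;
		} else {
			/* Wall-clock time of boot, in microseconds. */
			us = isc_time_microdiff(&now, &monotonic);
			/*
			 * Backward jumps of more than a second are reported;
			 * smaller ones and forward jumps are ignored.
			 */
			if (us < diff && diff - us > 1000000) {
				return (ISC_R_TIMESHIFTED);
			}
			diff = us;
		}
		/* … unchanged: reload/suspend checks and select loop … */
```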


@ -0,0 +1,59 @@
From 6257d829c9d7e71ac51bcdc6b5b981c7a19200e2 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 25 Nov 2019 05:46:55 +0000
Subject: [PATCH] Merge branch
'1373-threadsanitizer-data-race-rbtdb-c-5193-in-detachnode' into 'master'
Resolve "ThreadSanitizer: data race rbtdb.c:5193 in detachnode"
Closes #1373
See merge request isc-projects/bind9!2598
---
lib/dns/include/dns/rbt.h | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 67ac3e4d8a..a084bd6193 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -49,10 +49,7 @@ ISC_LANG_BEGINDECLS
#define DNS_RBT_USEMAGIC 1
-/*
- * These should add up to 30.
- */
-#define DNS_RBT_LOCKLENGTH 10
+#define DNS_RBT_LOCKLENGTH (sizeof(((dns_rbtnode_t *)0)->locknum)*8)
#define DNS_RBT_REFLENGTH 20
#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
@@ -159,16 +156,15 @@ struct dns_rbtnode {
* separate region of memory.
*/
void *data;
- unsigned int :0; /* start of bitfields c/o node lock */
- unsigned int dirty:1;
- unsigned int wild:1;
- unsigned int locknum:DNS_RBT_LOCKLENGTH;
-#ifndef DNS_RBT_USEISCREFCOUNT
- unsigned int references:DNS_RBT_REFLENGTH;
-#endif
- unsigned int :0; /* end of bitfields c/o node lock */
+ uint8_t :0; /* start of bitfields c/o node lock */
+ uint8_t dirty:1;
+ uint8_t wild:1;
+ uint8_t :0; /* end of bitfields c/o node lock */
+ uint16_t locknum; /* note that this is not in the bitfield */
#ifdef DNS_RBT_USEISCREFCOUNT
- isc_refcount_t references; /* note that this is not in the bitfield */
+ isc_refcount_t references;
+#else
+ unsigned int references:DNS_RBT_REFLENGTH;
#endif
/*@}*/
};
--
2.21.0
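Review bot: `#define DNS_RBT_LOCKLENGTH (sizeof(((dns_rbtnode_t *)0)->locknum)*8)` hard-codes eight bits per byte and, being a sizeof expression, now has type `size_t` instead of the old `int` constant 10, so any `1 << DNS_RBT_LOCKLENGTH` user elsewhere (not visible here) both changes type and jumps from 1024 to 65536; `CHAR_BIT` from `<limits.h>` says what is meant: `#define DNS_RBT_LOCKLENGTH (sizeof(((dns_rbtnode_t *)0)->locknum) * CHAR_BIT)`. The non-isc_refcount `references` bitfield has also moved from inside the `start/end of bitfields c/o node lock` bracket to after it, so those two comments no longer state what the node lock protects; a one-line note on `locknum` such as `/* plain integer, not a bitfield: may be read without the node lock */` would record the reason for the change, which I infer from the commit title rather than from the hunk itself.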



@ -1,4 +1,4 @@
From 1ab1aabcf9b2b8de144bab7a3ff5d9f7e6ec9ad4 Mon Sep 17 00:00:00 2001 From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org> From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700 Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change Subject: [PATCH] completed and corrected the crypto-random change
@ -24,32 +24,34 @@ Subject: [PATCH] completed and corrected the crypto-random change
"configure --disable-crypto-rand". "configure --disable-crypto-rand".
[RT #31459] [RT #46047] [RT #31459] [RT #46047]
--- ---
bin/confgen/keygen.c | 12 +++---- bin/confgen/keygen.c | 12 +++---
bin/dnssec/dnssec-keygen.docbook | 24 +++++++++----- bin/dnssec/dnssec-keygen.docbook | 24 +++++++----
bin/dnssec/dnssectool.c | 12 +++---- bin/dnssec/dnssectool.c | 12 +++---
bin/named/client.c | 3 +- bin/named/client.c | 3 +-
bin/named/config.c | 4 ++- bin/named/config.c | 4 +-
bin/named/controlconf.c | 19 +++++++---- bin/named/controlconf.c | 19 +++++---
bin/named/include/named/server.h | 2 ++ bin/named/include/named/server.h | 2 +
bin/named/interfacemgr.c | 1 + bin/named/interfacemgr.c | 1 +
bin/named/query.c | 1 + bin/named/query.c | 1 +
bin/named/server.c | 53 ++++++++++++++++++------------ bin/named/server.c | 52 ++++++++++++++--------
bin/nsupdate/nsupdate.c | 4 +-- bin/nsupdate/nsupdate.c | 4 +-
bin/tests/system/pipelined/pipequeries.c | 4 +-- bin/tests/system/pipelined/pipequeries.c | 4 +-
bin/tests/system/tkey/keycreate.c | 4 +-- bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 4 +-- bin/tests/system/tkey/keydelete.c | 5 +--
doc/arm/Bv9ARM-book.xml | 55 ++++++++++++++++++++++---------- doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
doc/arm/notes.xml | 23 ++++++++++++- doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
lib/dns/dst_api.c | 7 ++-- doc/arm/notes.xml | 1 +
lib/dns/include/dst/dst.h | 14 ++++++-- lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +- lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++++++++-------- lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
lib/isc/include/isc/random.h | 28 ++++++++++------ lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +- lib/isccfg/namedconf.c | 2 +-
22 files changed, 219 insertions(+), 110 deletions(-) 23 files changed, 240 insertions(+), 104 deletions(-)
create mode 100644 doc/arm/notes-rh-changes.xml
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index fa439cc..a7ad417 100644 index 295e16f..0f79aa8 100644
--- a/bin/confgen/keygen.c --- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, @@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
@ -65,7 +67,7 @@ index fa439cc..a7ad417 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL; - randomfile = NULL;
+ if (randomfile == NULL) { + if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE); isc_entropy_usehook(ectx, true);
} }
#endif #endif
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { + if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -76,7 +78,7 @@ index fa439cc..a7ad417 100644
&entropy_source, &entropy_source,
randomfile, randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 96dfef6..1c84b06 100644 index 1826919..96543fc 100644
--- a/bin/dnssec/dnssec-keygen.docbook --- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@ @@ -349,15 +349,23 @@
@ -112,16 +114,16 @@ index 96dfef6..1c84b06 100644
</listitem> </listitem>
</varlistentry> </varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4ea9eaf..5dd9475 100644 index 5654435..24c0d5a 100644
--- a/bin/dnssec/dnssectool.c --- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c
@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
ISC_LIST_INIT(sources); ISC_LIST_INIT(sources);
} }
+#ifdef ISC_PLATFORM_CRYPTORANDOM +#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile == NULL) { + if (randomfile == NULL) {
+ isc_entropy_usehook(*ectx, ISC_TRUE); + isc_entropy_usehook(*ectx, true);
+ } + }
+#endif +#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) { if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -133,17 +135,17 @@ index 4ea9eaf..5dd9475 100644
- if (randomfile != NULL && - if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL; - randomfile = NULL;
- isc_entropy_usehook(*ectx, ISC_TRUE); - isc_entropy_usehook(*ectx, true);
- } - }
-#endif -#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile, result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard); usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c diff --git a/bin/named/client.c b/bin/named/client.c
index b9ebc93..20e5f39 100644 index 9a0d3c8..c573177 100644
--- a/bin/named/client.c --- a/bin/named/client.c
+++ b/bin/named/client.c +++ b/bin/named/client.c
@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, @@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie)); isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now); isc_stdtime_get(&now);
@ -154,10 +156,10 @@ index b9ebc93..20e5f39 100644
compute_cookie(client, now, nonce, ns_g_server->secret, &buf); compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c diff --git a/bin/named/config.c b/bin/named/config.c
index c50f759..c1e72ef 100644 index dbdff64..63da4b0 100644
--- a/bin/named/config.c --- a/bin/named/config.c
+++ b/bin/named/config.c +++ b/bin/named/config.c
@@ -92,7 +92,9 @@ options {\n\ @@ -98,7 +98,9 @@ options {\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\ # pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\ port 53;\n\
prefetch 2 9;\n" prefetch 2 9;\n"
@ -169,10 +171,10 @@ index c50f759..c1e72ef 100644
#endif #endif
" recursing-file \"named.recursing\";\n\ " recursing-file \"named.recursing\";\n\
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 237e8dc..b905475 100644 index d955c2f..40621f2 100644
--- a/bin/named/controlconf.c --- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c +++ b/bin/named/controlconf.c
@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { @@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void static void
control_recvmessage(isc_task_t *task, isc_event_t *event) { control_recvmessage(isc_task_t *task, isc_event_t *event) {
@ -185,8 +187,8 @@ index 237e8dc..b905475 100644
+ controlkey_t *key = NULL; + controlkey_t *key = NULL;
isccc_sexpr_t *request = NULL; isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL; isccc_sexpr_t *response = NULL;
isc_uint32_t algorithm; uint32_t algorithm;
@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { @@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
isc_buffer_t *text; isc_buffer_t *text;
isc_result_t result; isc_result_t result;
isc_result_t eresult; isc_result_t eresult;
@ -194,7 +196,7 @@ index 237e8dc..b905475 100644
+ isccc_sexpr_t *_ctrl = NULL; + isccc_sexpr_t *_ctrl = NULL;
isccc_time_t sent; isccc_time_t sent;
isccc_time_t exp; isccc_time_t exp;
isc_uint32_t nonce; uint32_t nonce;
- isccc_sexpr_t *data; - isccc_sexpr_t *data;
+ isccc_sexpr_t *data = NULL; + isccc_sexpr_t *data = NULL;
@ -206,25 +208,25 @@ index 237e8dc..b905475 100644
algorithm = DST_ALG_UNKNOWN; algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL; secret.rstart = NULL;
text = NULL; text = NULL;
@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { @@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Establish nonce. * Establish nonce.
*/ */
if (conn->nonce == 0) { if (conn->nonce == 0) {
- while (conn->nonce == 0) - while (conn->nonce == 0)
- isc_random_get(&conn->nonce); - isc_random_get(&conn->nonce);
+ while (conn->nonce == 0) { + while (conn->nonce == 0) {
+ isc_uint16_t r1 = isc_rng_random(server->rngctx); + uint16_t r1 = isc_rng_random(server->rngctx);
+ isc_uint16_t r2 = isc_rng_random(server->rngctx); + uint16_t r2 = isc_rng_random(server->rngctx);
+ conn->nonce = (r1 << 16) | r2; + conn->nonce = (r1 << 16) | r2;
+ } + }
eresult = ISC_R_SUCCESS; eresult = ISC_R_SUCCESS;
} else } else
eresult = ns_control_docommand(request, listener->readonly, &text); eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index d8179a6..e03d24d 100644 index 3f96b7b..c92922e 100644
--- a/bin/named/include/named/server.h --- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h +++ b/bin/named/include/named/server.h
@@ -17,6 +17,7 @@ @@ -20,6 +20,7 @@
#include <isc/log.h> #include <isc/log.h>
#include <isc/magic.h> #include <isc/magic.h>
#include <isc/quota.h> #include <isc/quota.h>
@ -232,19 +234,19 @@ index d8179a6..e03d24d 100644
#include <isc/sockaddr.h> #include <isc/sockaddr.h>
#include <isc/types.h> #include <isc/types.h>
#include <isc/xml.h> #include <isc/xml.h>
@@ -131,6 +132,7 @@ struct ns_server { @@ -134,6 +135,7 @@ struct ns_server {
char * lockfile; char * lockfile;
isc_uint16_t transfer_tcp_message_size; uint16_t transfer_tcp_message_size;
+ isc_rng_t * rngctx; + isc_rng_t * rngctx;
}; };
struct ns_altsecret { struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d8c7188..50f924e 100644 index 9dea7c1..272d300 100644
--- a/bin/named/interfacemgr.c --- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c +++ b/bin/named/interfacemgr.c
@@ -15,6 +15,7 @@ @@ -17,6 +17,7 @@
#include <isc/interfaceiter.h> #include <isc/interfaceiter.h>
#include <isc/os.h> #include <isc/os.h>
@ -253,10 +255,10 @@ index d8c7188..50f924e 100644
#include <isc/task.h> #include <isc/task.h>
#include <isc/util.h> #include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c diff --git a/bin/named/query.c b/bin/named/query.c
index accbf3b..d89622d 100644 index 203f1e6..25eeced 100644
--- a/bin/named/query.c --- a/bin/named/query.c
+++ b/bin/named/query.c +++ b/bin/named/query.c
@@ -18,6 +18,7 @@ @@ -19,6 +19,7 @@
#include <isc/hex.h> #include <isc/hex.h>
#include <isc/mem.h> #include <isc/mem.h>
#include <isc/print.h> #include <isc/print.h>
@ -265,10 +267,10 @@ index accbf3b..d89622d 100644
#include <isc/serial.h> #include <isc/serial.h>
#include <isc/stats.h> #include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c diff --git a/bin/named/server.c b/bin/named/server.c
index ca789e5..1413e85 100644 index f27071f..f132c19 100644
--- a/bin/named/server.c --- a/bin/named/server.c
+++ b/bin/named/server.c +++ b/bin/named/server.c
@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server, @@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy. * Open the source of entropy.
*/ */
if (first_time) { if (first_time) {
@ -277,11 +279,6 @@ index ca789e5..1413e85 100644
obj = NULL; obj = NULL;
result = ns_config_get(maps, "random-device", &obj); result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) { - if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "no source of entropy found");
- } else {
- const char *randomdev = cfg_obj_asstring(obj);
+ if (result == ISC_R_SUCCESS) { + if (result == ISC_R_SUCCESS) {
+ if (!cfg_obj_isvoid(obj)) { + if (!cfg_obj_isvoid(obj)) {
+ level = ISC_LOG_INFO; + level = ISC_LOG_INFO;
@ -289,28 +286,33 @@ index ca789e5..1413e85 100644
+ } + }
+ } + }
+ if (randomdev == NULL) { + if (randomdev == NULL) {
#ifdef ISC_PLATFORM_CRYPTORANDOM +#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0) + isc_entropy_usehook(ns_g_entropy, true);
- isc_entropy_usehook(ns_g_entropy, ISC_TRUE); +#else
+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
#else
- int level = ISC_LOG_ERROR;
- result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+ if ((obj != NULL) && !cfg_obj_isvoid(obj)) + if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO; + level = ISC_LOG_INFO;
+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL, isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, level, + NS_LOGMODULE_SERVER, level,
+ "no source of entropy found"); "no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) { + if ((obj == NULL) || cfg_obj_isvoid(obj)) {
+ CHECK(ISC_R_FAILURE); + CHECK(ISC_R_FAILURE);
+ } + }
+#endif +#endif
+ } else { } else {
- const char *randomdev = cfg_obj_asstring(obj);
-#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, true);
-#else
- int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+ randomdev);
#ifdef PATH_RANDOMDEV #ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) { if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO; level = ISC_LOG_INFO;
@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server, @@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, NS_LOGMODULE_SERVER,
level, level,
@ -321,15 +323,23 @@ index ca789e5..1413e85 100644
randomdev, randomdev,
isc_result_totext(result)); isc_result_totext(result));
} }
@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server, @@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server,
} }
isc_entropy_detach(&ns_g_fallbackentropy); isc_entropy_detach(&ns_g_fallbackentropy);
} }
-#endif -#endif
#endif #endif
} }
}
@@ -8911,6 +8919,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { @@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
+ server->rngctx = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx), &server->tkeyctx),
"creating TKEY context"); "creating TKEY context");
@ -339,7 +349,7 @@ index ca789e5..1413e85 100644
/* /*
* Setup the server task, which is responsible for coordinating * Setup the server task, which is responsible for coordinating
@@ -9117,7 +9128,8 @@ ns_server_destroy(ns_server_t **serverp) { @@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL) if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr); dns_zonemgr_detach(&server->zonemgr);
@ -349,7 +359,7 @@ index ca789e5..1413e85 100644
if (server->tkeyctx != NULL) if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx); dns_tkeyctx_destroy(&server->tkeyctx);
@@ -13018,10 +13030,10 @@ newzone_cfgctx_destroy(void **cfgp) { @@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) { generate_salt(unsigned char *salt, size_t saltlen) {
@ -357,19 +367,19 @@ index ca789e5..1413e85 100644
+ size_t i, n; + size_t i, n;
union { union {
unsigned char rnd[256]; unsigned char rnd[256];
- isc_uint32_t rnd32[64]; - uint32_t rnd32[64];
+ isc_uint16_t rnd16[128]; + uint16_t rnd16[128];
} rnd; } rnd;
unsigned char text[512 + 1]; unsigned char text[512 + 1];
isc_region_t r; isc_region_t r;
@@ -13031,9 +13043,10 @@ generate_salt(unsigned char *salt, size_t saltlen) { @@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U) if (saltlen > 256U)
return (ISC_R_RANGE); return (ISC_R_RANGE);
- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t); - n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
- for (i = 0; i < n; i++) - for (i = 0; i < n; i++)
- isc_random_get(&rnd.rnd32[i]); - isc_random_get(&rnd.rnd32[i]);
+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t); + n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
+ for (i = 0; i < n; i++) { + for (i = 0; i < n; i++) {
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx); + rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
+ } + }
@ -377,10 +387,10 @@ index ca789e5..1413e85 100644
memmove(salt, rnd.rnd, saltlen); memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 46c7acf..a0d0278 100644 index 0286987..0376377 100644
--- a/bin/nsupdate/nsupdate.c --- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c
@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) { @@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
} }
#ifdef ISC_PLATFORM_CRYPTORANDOM #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -388,14 +398,14 @@ index 46c7acf..a0d0278 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL; - randomfile = NULL;
+ if (randomfile == NULL) { + if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE); isc_entropy_usehook(*ectx, true);
} }
#endif #endif
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index 810d99e..d7d10e2 100644 index f0a6ff2..55064f6 100644
--- a/bin/tests/system/pipelined/pipequeries.c --- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c
@@ -279,9 +279,7 @@ main(int argc, char *argv[]) { @@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
ectx = NULL; ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx)); RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -403,11 +413,11 @@ index 810d99e..d7d10e2 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL; - randomfile = NULL;
+ if (randomfile == NULL) { + if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE); isc_entropy_usehook(ectx, true);
} }
#endif #endif
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 4f2f5b4..0894db7 100644 index fe8698e..937fcc3 100644
--- a/bin/tests/system/tkey/keycreate.c --- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) { @@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
@ -418,14 +428,22 @@ index 4f2f5b4..0894db7 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL; - randomfile = NULL;
+ if (randomfile == NULL) { + if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE); isc_entropy_usehook(ectx, true);
} }
#endif #endif
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 0975bbe..5b8a470 100644 index 2146f9b..64b8e74 100644
--- a/bin/tests/system/tkey/keydelete.c --- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c
@@ -182,9 +182,7 @@ main(int argc, char **argv) { @@ -171,6 +171,7 @@ main(int argc, char **argv) {
randomfile = argv[2];
argv += 2;
argc -= 2;
+ POST(argc);
}
keyname = argv[1];
@@ -182,9 +183,7 @@ main(int argc, char **argv) {
ectx = NULL; ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx)); RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -433,14 +451,14 @@ index 0975bbe..5b8a470 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) { - strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL; - randomfile = NULL;
+ if (randomfile == NULL) { + if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE); isc_entropy_usehook(ectx, true);
} }
#endif #endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a5d9e2e..2a96f71 100644 index 93c7a08..bb1e81d 100644
--- a/doc/arm/Bv9ARM-book.xml --- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0] @@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term> <term><command>random-device</command></term>
<listitem> <listitem>
<para> <para>
@ -502,15 +520,27 @@ index a5d9e2e..2a96f71 100644
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
index d3fdb5e..a8ad92d 100644 new file mode 100644
--- a/doc/arm/notes.xml index 0000000..89a4961
+++ b/doc/arm/notes.xml --- /dev/null
@@ -105,7 +105,28 @@ +++ b/doc/arm/notes-rh-changes.xml
<itemizedlist> @@ -0,0 +1,42 @@
<listitem> +<!--
<para> + - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- None. + -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By default, BIND now uses the random number generation functions + By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11 + in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than + provider) as a source of high-quality randomness rather than
@ -533,25 +563,28 @@ index d3fdb5e..a8ad92d 100644
+ <command>configure --disable-crypto-rand</command>, in which + <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default + case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047] + entropy source. [RT #31459] [RT #46047]
</para> + </para>
</listitem> + </listitem>
</itemizedlist> + </itemizedlist>
+</section>
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 589a347..052a0bd 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -40,6 +40,7 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 803e7b3..29a4fef 100644 index 1eccbe7..1933993 100644
--- a/lib/dns/dst_api.c --- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c
@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, @@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (dst_entropy_pool != NULL)
+ if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
+ }
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
else else
flags |= ISC_ENTROPY_BLOCKING; flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM #ifdef ISC_PLATFORM_CRYPTORANDOM
@ -566,10 +599,10 @@ index 803e7b3..29a4fef 100644
} }
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d9b6ab6..e8c1a3c 100644 index 6813c96..665574d 100644
--- a/lib/dns/include/dst/dst.h --- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h
@@ -161,8 +161,18 @@ isc_result_t @@ -163,8 +163,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length, dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags); unsigned int *returned, unsigned int flags);
/*%< /*%<
@ -589,12 +622,12 @@ index d9b6ab6..e8c1a3c 100644
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error + * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
*/ */
isc_boolean_t bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index c1e1bde..91e87d0 100644 index ffe0a69..5e48686 100644
--- a/lib/dns/openssl_link.c --- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) { @@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
isc_result_t isc_result_t
dst_random_getdata(void *data, unsigned int length, dst_random_getdata(void *data, unsigned int length,
@ -605,19 +638,10 @@ index c1e1bde..91e87d0 100644
#ifndef DONT_REQUIRE_DST_LIB_INIT #ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL); INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index d9deb8a..2d37363 100644 index c40a18c..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h --- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h +++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@ @@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
* information regarding copyright ownership.
*/
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
-
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!< /*!<
* \brief Create an entropy source that is polled via a callback. * \brief Create an entropy source that is polled via a callback.
* *
@ -629,18 +653,23 @@ index d9deb8a..2d37363 100644
* *
* Samples are added via isc_entropy_addcallbacksample(), below. * Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from * _addcallbacksample() is the only function which may be called from
@@ -233,15 +230,32 @@ isc_result_t @@ -232,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length, isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags); unsigned int *returned, unsigned int flags);
/*!< /*!<
- * \brief Extract data from the entropy pool. This may load the pool from various - * \brief Extract data from the entropy pool. This may load the pool from various
- * sources. - * sources.
+ * \brief Get random data from entropy pool 'ent'. + * \brief Get random data from entropy pool 'ent'.
+ * *
- * Do this by stirring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ * If a hook has been set up using isc_entropy_sethook() and + * If a hook has been set up using isc_entropy_sethook() and
+ * isc_entropy_usehook(), then the hook function will be called to get + * isc_entropy_usehook(), then the hook function will be called to get
+ * random data. + * random data.
+ * *
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND. + * Otherwise, randomness is extracted from the entropy pool set up in BIND.
+ * This may cause the pool to be loaded from various sources. Ths is done + * This may cause the pool to be loaded from various sources. Ths is done
+ * by stirring the pool and returning a part of hash as randomness. + * by stirring the pool and returning a part of hash as randomness.
@ -651,17 +680,12 @@ index d9deb8a..2d37363 100644
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is + * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
+ * not in use. If it is, the flags will be passed to the hook function + * not in use. If it is, the flags will be passed to the hook function
+ * but it may ignore them. + * but it may ignore them.
* + *
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'. + * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
+ * (If 'returned' is not NULL, and the number of bytes copied is less than + * (If 'returned' is not NULL, and the number of bytes copied is less than
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the + * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
+ * number of bytes copied will be stored in *returned.) + * number of bytes copied will be stored in *returned.)
* + *
- * Honor the request from the caller to only return good data, any data,
- * etc.
+ * Returns: + * Returns:
+ * \li ISC_R_SUCCESS on success + * \li ISC_R_SUCCESS on success
+ * \li ISC_R_NOENTROPY if entropy pool is empty + * \li ISC_R_NOENTROPY if entropy pool is empty
@ -669,9 +693,9 @@ index d9deb8a..2d37363 100644
*/ */
void void
@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, @@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void void
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff); isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!< /*!<
- * \brief Mark/unmark the given entropy structure as being hooked. - * \brief Mark/unmark the given entropy structure as being hooked.
+ * \brief Configure entropy context 'ectx' to use the hook function + * \brief Configure entropy context 'ectx' to use the hook function
@ -694,7 +718,7 @@ index d9deb8a..2d37363 100644
ISC_LANG_ENDDECLS ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index ba53ebf..b575728 100644 index f8aed34..17c551b 100644
--- a/lib/isc/include/isc/random.h --- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h +++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@ @@ -9,8 +9,6 @@
@ -737,8 +761,8 @@ index ba53ebf..b575728 100644
ISC_LANG_BEGINDECLS ISC_LANG_BEGINDECLS
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx); @@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
isc_uint16_t uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound); isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
/*%< /*%<
- * Returns a uniformly distributed pseudo random 16-bit unsigned - * Returns a uniformly distributed pseudo random 16-bit unsigned
- * integer. - * integer.
@ -748,10 +772,10 @@ index ba53ebf..b575728 100644
ISC_LANG_ENDDECLS ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 8d496ff..dd08187 100644 index 1c45d5c..91693b5 100644
--- a/lib/isccfg/namedconf.c --- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c
@@ -1106,7 +1106,7 @@ options_clauses[] = { @@ -1109,7 +1109,7 @@ options_clauses[] = {
{ "pid-file", &cfg_type_qstringornone, 0 }, { "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 }, { "port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 }, { "querylog", &cfg_type_boolean, 0 },
@ -761,5 +785,5 @@ index 8d496ff..dd08187 100644
{ "recursive-clients", &cfg_type_uint32, 0 }, { "recursive-clients", &cfg_type_uint32, 0 },
{ "reserved-sockets", &cfg_type_uint32, 0 }, { "reserved-sockets", &cfg_type_uint32, 0 },
-- --
2.14.4 2.21.1


@ -0,0 +1,42 @@
From 20848d8284951481051f6ebdeb8128c05c7e82e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 11 Nov 2019 16:56:52 +0100
Subject: [PATCH] Move stale_ttl from middle to the end
bind-dyndb-ldap is using rdataset structure. Do not modify its body,
move stale_ttl to the end. Make it binary compatible.
---
lib/dns/include/dns/rdataset.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 97071ed496..a0c6afe624 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -137,11 +137,6 @@ struct dns_rdataset {
dns_rdataclass_t rdclass;
dns_rdatatype_t type;
dns_ttl_t ttl;
- /*
- * Stale ttl is used to see how long this RRset can still be used
- * to serve to clients, after the TTL has expired.
- */
- dns_ttl_t stale_ttl;
dns_trust_t trust;
dns_rdatatype_t covers;
@@ -178,6 +173,11 @@ struct dns_rdataset {
void * private7;
/*@}*/
+ /*
+ * Stale ttl is used to see how long this RRset can still be used
+ * to serve to clients, after the TTL has expired.
+ */
+ dns_ttl_t stale_ttl;
};
/*!
--
2.20.1
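Review bot: The "binary compatible" claim in the description only covers member offsets: moving stale_ttl to the tail of struct dns_rdataset keeps every existing member where it was, but sizeof(dns_rdataset_t) still grows, so a module compiled against the old header that places a dns_rdataset_t on its stack or embeds it in its own structure would have the new field written past its allocation. Whether bind-dyndb-ldap ever allocates rdatasets itself is not visible here and should be confirmed against that module before relying on this. I would state the limit in the header comment so the next person does not move the field back: `/* Kept last so existing member offsets stay stable for out-of-tree modules (bind-dyndb-ldap); sizeof() still changes. */`.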

3859
bind-9.11-serve-stale.patch Normal file



@ -0,0 +1,39 @@
From 66298a12b09784eab2c052ab22f87bb2b2f1267b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:55:46 +0100
Subject: [PATCH] Detect correctly pkcs11 support
It fails now always, because oot builds are not supported by
cleanpkcs11.sh.
---
bin/tests/system/cleanpkcs11.sh | 2 +-
bin/tests/system/conf.sh.in | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/cleanpkcs11.sh b/bin/tests/system/cleanpkcs11.sh
index b974708..3bbef4c 100644
--- a/bin/tests/system/cleanpkcs11.sh
+++ b/bin/tests/system/cleanpkcs11.sh
@@ -12,6 +12,6 @@
SYSTEMTESTTOP=.
. $SYSTEMTESTTOP/conf.sh
-if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
+if [ ! -x "$PK11DESTROY" ]; then exit 1; fi
$PK11DEL -w0 > /dev/null 2>&1
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index a446c18..ede1203 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -46,6 +46,7 @@ CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11DESTROY=$TOP/bin/pkcs11/pkcs11-destroy
PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
--
2.20.1


@ -0,0 +1,65 @@
From 9576e960ad3719aa9c1707734ad7ba0eccf16e5f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:48:20 +0100
Subject: [PATCH] Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
---
bin/tests/system/conf.sh.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 6f2dbcd..05605ae 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -37,7 +37,7 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
-NAMED=$TOP/bin/named/named
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
# We must use "named -l" instead of "lwresd" because argv[0] is lost
# if the program is libtoolized.
LWRESD="$TOP/bin/named/named -l"
@@ -48,14 +48,14 @@ NSUPDATE=$TOP/bin/nsupdate/nsupdate
DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
-SETTIME=$TOP/bin/dnssec/dnssec-settime
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
HOST=$TOP/bin/dig/host
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
CHECKDS=$TOP/bin/python/dnssec-checkds
COVERAGE=$TOP/bin/python/dnssec-coverage
KEYMGR=$TOP/bin/python/dnssec-keymgr
@@ -75,7 +75,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
MDIG=$TOP/bin/tools/mdig
NZD2NZF=$TOP/bin/tools/named-nzd2nzf
FSTRM_CAPTURE=@FSTRM_CAPTURE@
-FEATURETEST=$TOP/bin/named/feature-test
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
RANDFILE=$TOP/bin/tests/system/random.data
--
2.21.1
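Review bot: LWRESD on the context line directly under the NAMED change still hard-codes `$TOP/bin/named/named -l`, so with NAMED_VARIANT set to -sdb or -pkcs11 the lwresd-based tests keep exercising the default build while everything else exercises the variant; it should follow the same pattern, `LWRESD="$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT} -l"`. The new FEATURETEST path also presumes each variant directory ships a matching `feature-test${NAMED_VARIANT}` binary, which nothing in this patch establishes. A short comment above NAMED naming the two recognised values from the description (`-sdb`, `-pkcs11`) and that both variables default to empty would save the next reader a trip to the commit log.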


@ -0,0 +1,30 @@
From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test
It fails too often on some architecture, failing the whole build along.
Because it runs two times for pkcs11 and normal build and any of
subtests can occasionally fail, stop it.
It can be used again by defining 'unstable' variable in Kyuafile.
---
lib/isc/tests/Kyuafile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
index 4cd2574..9df2340 100644
--- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile
@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
tap_test_program{name='print_test'}
tap_test_program{name='queue_test'}
tap_test_program{name='radix_test'}
-tap_test_program{name='random_test'}
+tap_test_program{name='random_test', required_configs='unstable'}
tap_test_program{name='regex_test'}
tap_test_program{name='result_test'}
tap_test_program{name='safe_test'}
--
2.20.1
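Review bot: Gating random_test behind the 'unstable' config removes the only statistical check on the isc random generators from every package build, including the pkcs11 variant, so a genuine regression in the RNG would no longer surface in CI; the description attributes the failures to flaky architectures but records neither which subtest trips nor how often, which is what would let a reviewer tell a false positive from a real defect. I would capture that evidence in the commit message before hiding the test, and leave a comment on the line so the gate is not mistaken for a permanent removal: `-- random_test is statistical and fails occasionally; run it by defining the 'unstable' config`.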

bind-9.11.21.tar.gz Normal file


16
bind-9.11.21.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=I3HH
-----END PGP SIGNATURE-----



@ -0,0 +1,68 @@
diff --git a/bin/named/named.8 b/bin/named/named.8
index ef10ef4..3150b22 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -349,6 +349,63 @@ The default configuration file\&.
/var/run/named/named\&.pid
.RS 4
The default process\-id file\&.
+.PP
+.SH "NOTES"
+.PP
+.TP
+\fBRed Hat SELinux BIND Security Profile:\fR
+.PP
+By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux.
+.PP
+It is not necessary to run named in a chroot environment if the Red Hat
+SELinux policy for named is enabled. When enabled, this policy is far
+more secure than a chroot environment. Users are recommended to enable
+SELinux and remove the bind-chroot package.
+.PP
+With this extra security comes some restrictions:
+.PP
+By default, the SELinux policy does not allow named to write any master
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
+zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+.PP
+The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them.
+.PP
+Any file created in the zone database file directory is automatically assigned
+the SELinux file context named_zone_t .
+.PP
+By default, SELinux prevents any role from modifying named_zone_t files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+.PP
+The Red Hat BIND distribution and SELinux policy creates three directories where
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
+/var/named/data. By placing files you want named to modify, such as
+slave or DDNS updateable zone files and database / statistics dump files in
+these directories, named will work normally and no further operator action is
+required. Files in these directories are automatically assigned the 'named_cache_t'
+file context, which SELinux allows named to write.
+.PP
+\fBRed Hat BIND SDB support:\fR
+.PP
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
+.PP
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
+.PP
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
+.br
+.PP
+\fBRed Hat system-config-bind:\fR
+.PP
+Red Hat provides the system-config-bind GUI to configure named.conf and zone
+database files. Run the "system-config-bind" command and access the manual
+by selecting the Help menu.
+.PP
.RE
.SH "SEE ALSO"
.PP


@ -1,5 +1,5 @@
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index 95ab742..6069f09 100644 index 95ab742..5059a17 100644
--- a/bin/sdb_tools/Makefile.in --- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in +++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ @@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ -TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ +TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ -OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@ +OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c -SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c +SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
MANPAGES = zone2ldap.1 MANPAGES = zone2ldap.1
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} @@ -47,6 +47,9 @@ EXT_CFLAGS =
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} +ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
+ +
clean distclean manclean maintainer-clean:: zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
rm -f ${TARGETS} ${OBJS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
@@ -62,6 +65,7 @@ installdirs: @@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index 23dd873..d56bc56 100644 index e0e9207..d59936c 100644
--- a/bin/sdb_tools/zone2ldap.c --- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c +++ b/bin/sdb_tools/zone2ldap.c
@@ -65,6 +66,9 @@ ldap_info; @@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
/* usage Info */ void init_ldap_conn (void);
void usage (void);
+/* Check for existence of (and possibly add) containing dNSZone objects */ /* Ldap error checking */
+int lookup_dns_zones( ldap_info *ldinfo); -void ldap_result_check (const char *msg, char *dn, int err);
+ +void ldap_result_check (const char *msg, const char *dn, int err);
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); /* Put a hostname into a char ** array */
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp); int get_attr_list_size (char **tmp);
/* Get a DN */ /* Get a DN */
@ -58,7 +55,7 @@ index 23dd873..d56bc56 100644
/* Add to RR list */ /* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data, void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -103,11 +107,27 @@ void @@ -104,11 +104,26 @@ void
init_ldap_conn (); init_ldap_conn ();
void usage(); void usage();
@ -87,11 +84,19 @@ index 23dd873..d56bc56 100644
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; +static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; +static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
+static char *dn_buffer [64]={NULL}; +static char *dn_buffer [64]={NULL};
+
LDAP *conn; LDAP *conn;
unsigned int debug = 0; unsigned int debug = 0;
@@ -131,12 +151,12 @@ main (int argc, char **argv) @@ -120,7 +135,7 @@ static void
fatal(const char *msg) {
perror(msg);
if (conn != NULL)
- ldap_unbind_s(conn);
+ ldap_unbind_ext_s(conn, NULL, NULL);
exit(1);
}
@@ -132,12 +147,13 @@ main (int argc, char **argv)
isc_result_t result; isc_result_t result;
char *basedn; char *basedn;
ldap_info *tmp; ldap_info *tmp;
@ -102,12 +107,12 @@ index 23dd873..d56bc56 100644
isc_buffer_t buff; isc_buffer_t buff;
char *zonefile=0L; char *zonefile=0L;
char fullbasedn[1024]; char fullbasedn[1024];
- char *ctmp; char *ctmp;
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2]; + char *zn, *dcp[2], *znp[2], *rdn[2];
dns_fixedname_t fixedzone, fixedname; dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset; dns_rdataset_t rdataset;
char **dc_list; char **dc_list;
@@ -149,7 +169,7 @@ main (int argc, char **argv) @@ -150,7 +166,7 @@ main (int argc, char **argv)
extern char *optarg; extern char *optarg;
extern int optind, opterr, optopt; extern int optind, opterr, optopt;
int create_base = 0; int create_base = 0;
@ -116,7 +121,7 @@ index 23dd873..d56bc56 100644
if (argc < 2) if (argc < 2)
{ {
@@ -157,7 +177,7 @@ main (int argc, char **argv) @@ -158,7 +174,7 @@ main (int argc, char **argv)
exit (-1); exit (-1);
} }
@ -125,7 +130,7 @@ index 23dd873..d56bc56 100644
{ {
switch (topt) switch (topt)
{ {
@@ -180,6 +200,9 @@ main (int argc, char **argv) @@ -181,6 +197,9 @@ main (int argc, char **argv)
if (bindpw == NULL) if (bindpw == NULL)
fatal("strdup"); fatal("strdup");
break; break;
@ -135,34 +140,26 @@ index 23dd873..d56bc56 100644
case 'b': case 'b':
ldapbase = strdup (optarg); ldapbase = strdup (optarg);
if (ldapbase == NULL) if (ldapbase == NULL)
@@ -301,27 +324,62 @@ main (int argc, char **argv) @@ -302,17 +321,51 @@ main (int argc, char **argv)
{
if (debug)
printf ("Creating base zone DN %s\n", argzone); printf ("Creating base zone DN %s\n", argzone);
-
+
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP); dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC); - basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone); + basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
+ if (debug) + if (debug)
+ printf ("base DN %s\n", basedn); + printf ("base DN %s\n", basedn);
+
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--) + for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
{ {
- if ((*ctmp == ',') || (ctmp == &basedn[0])) if ((*ctmp == ',') || (ctmp == &basedn[0]))
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
{ {
+
base.mod_op = LDAP_MOD_ADD; base.mod_op = LDAP_MOD_ADD;
- base.mod_type = (char*)"objectClass"; - base.mod_type = (char*)"objectClass";
- base.mod_values = (char**)topObjectClasses;
+ base.mod_type = objectClass; + base.mod_type = objectClass;
+ base.mod_values = topObjectClasses; base.mod_values = (char**)topObjectClasses;
base_attrs[0] = (void*)&base; base_attrs[0] = (void*)&base;
- base_attrs[1] = NULL; - base_attrs[1] = NULL;
-
+ +
+ dcBase.mod_op = LDAP_MOD_ADD; + dcBase.mod_op = LDAP_MOD_ADD;
+ dcBase.mod_type = dc; + dcBase.mod_type = dc;
@ -196,19 +193,10 @@ index 23dd873..d56bc56 100644
+ +
+ base.mod_values = topObjectClasses; + base.mod_values = topObjectClasses;
+ base_attrs[4] = NULL; + base_attrs[4] = NULL;
+
if (ldapbase) if (ldapbase)
{ {
if (ctmp != &basedn[0]) @@ -329,6 +382,10 @@ main (int argc, char **argv)
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
else
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
-
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
}
else
{
@@ -330,8 +388,13 @@ main (int argc, char **argv)
else else
sprintf (fullbasedn, "%s", ctmp); sprintf (fullbasedn, "%s", ctmp);
} }
@ -217,12 +205,9 @@ index 23dd873..d56bc56 100644
+ printf("Full base dn: %s\n", fullbasedn); + printf("Full base dn: %s\n", fullbasedn);
+ +
result = ldap_add_s (conn, fullbasedn, base_attrs); result = ldap_add_s (conn, fullbasedn, base_attrs);
ldap_result_check ("intial ldap_add_s", fullbasedn, result); ldap_result_check ("initial ldap_add_s", fullbasedn, result);
+
} }
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
}
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext"); isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0; data[isc_buffer_usedlength (&buff)] = 0;
@ -240,7 +225,7 @@ index 23dd873..d56bc56 100644
} }
@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type, @@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist; int attrlist;
char ldap_type_buffer[128]; char ldap_type_buffer[128];
char charttl[64]; char charttl[64];
@ -250,7 +235,7 @@ index 23dd873..d56bc56 100644
if ((tmp = locate_by_dn (dn)) == NULL) if ((tmp = locate_by_dn (dn)) == NULL)
{ {
@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type, @@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc"); fatal("malloc");
} }
tmp->attrs[0]->mod_op = LDAP_MOD_ADD; tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
@ -262,12 +247,8 @@ index 23dd873..d56bc56 100644
+ tmp->attrs[0]->mod_values = objectClasses; + tmp->attrs[0]->mod_values = objectClasses;
else else
{ {
- tmp->attrs[0]->mod_values = (char**)topObjectClasses; tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+ tmp->attrs[0]->mod_values =topObjectClasses; @@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
} }
tmp->attrs[1]->mod_op = LDAP_MOD_ADD; tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -276,7 +257,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL) if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type, @@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup"); fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD; tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
@ -285,16 +266,16 @@ index 23dd873..d56bc56 100644
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL) if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type, @@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL) if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup"); fatal("strdup");
+ znlen=strlen(gbl_zone); + znlen=strlen(gbl_zone);
+ if ( *(gbl_zone + (znlen-1)) == '.' ) + if ( gbl_zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */ + { /* ldapdb MUST search by relative zone name */
+ zn = (char*)malloc(znlen); + zn = (char*)malloc(znlen);
+ strncpy(zn,gbl_zone,znlen-1); + memcpy(zn, gbl_zone, znlen-1);
+ *(zn + (znlen-1))='\0'; + zn[znlen-1]='\0';
+ }else + }else
+ { + {
+ zn = gbl_zone; + zn = gbl_zone;
@ -313,7 +294,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[4]->mod_values[1] = NULL; tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL; tmp->attrs[5] = NULL;
@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type, @@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else else
{ {
@ -322,7 +303,7 @@ index 23dd873..d56bc56 100644
{ {
sprintf (ldap_type_buffer, "%sRecord", type); sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp if (!strncmp
@@ -632,44 +707,70 @@ char ** @@ -631,44 +700,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{ {
char *tmp; char *tmp;
@ -430,7 +411,7 @@ index 23dd873..d56bc56 100644
dn_buffer[i] = NULL; dn_buffer[i] = NULL;
return dn_buffer; return dn_buffer;
@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) @@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */ * exception of "@"/SOA. */
char * char *
@ -439,19 +420,21 @@ index 23dd873..d56bc56 100644
{ {
int size; int size;
- int x; - int x;
- static char dn[1024];
- char tmp[128];
+ int x, znlen; + int x, znlen;
static char dn[1024]; + static char dn[DNS_NAME_MAXTEXT*3/2];
char tmp[128]; + char tmp[DNS_NAME_MAXTEXT*3/2];
+ char zn[DNS_NAME_MAXTEXT+1]; + char zn[DNS_NAME_MAXTEXT+1];
bzero (tmp, sizeof (tmp)); bzero (tmp, sizeof (tmp));
bzero (dn, sizeof (dn)); bzero (dn, sizeof (dn));
size = get_attr_list_size (dc_list); size = get_attr_list_size (dc_list);
+ znlen = strlen(zone); + znlen = strlen(zone);
+ if ( *(zone + (znlen-1)) == '.' ) + if ( zone[znlen-1] == '.' )
+ { /* ldapdb MUST search by relative zone name */ + { /* ldapdb MUST search by relative zone name */
+ memcpy(&(zn[0]),zone,znlen-1); + memcpy(&(zn[0]),zone,znlen-1);
+ *(zn + (znlen-1))='\0'; + zn[znlen-1]='\0';
+ zone = zn; + zone = zn;
+ } + }
for (x = size - 2; x > 0; x--) for (x = size - 2; x > 0; x--)
@ -459,41 +442,48 @@ index 23dd873..d56bc56 100644
if (flag == WI_SPEC) if (flag == WI_SPEC)
{ {
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl)) if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl); - sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); + snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2)) else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]); - sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); + snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else else
sprintf(tmp,"dc=%s,", dc_list[x]); - sprintf(tmp,"dc=%s,", dc_list[x]);
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
} }
@@ -724,6 +833,7 @@ void else
init_ldap_conn ()
{ {
int result; - sprintf(tmp, "dc=%s,", dc_list[x]);
+ char ldb_tag[]="LDAP Bind"; + snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
conn = ldap_open (ldapsystem, LDAP_PORT); }
if (conn == NULL)
{
@@ -733,7 +843,7 @@ init_ldap_conn () @@ -732,19 +835,18 @@ init_ldap_conn ()
} }
result = ldap_simple_bind_s (conn, binddn, bindpw); result = ldap_simple_bind_s (conn, binddn, bindpw);
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); - ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result); + ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
} }
/* Like isc_result_check, only for LDAP */ /* Like isc_result_check, only for LDAP */
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
}
}
-
-
/* For running the ldap_info run queue. */
void void
add_ldap_values (ldap_info * ldinfo) -ldap_result_check (const char *msg, char *dn, int err)
@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo) +ldap_result_check (const char *msg, const char *dn, int err)
{
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
{
- fprintf(stderr, "Error while adding %s (%s):\n",
- dn, msg);
- ldap_perror (conn, dn);
- ldap_unbind_s (conn);
+ fprintf(stderr, "Error while adding %s (%s):\n%s",
+ dn, msg, ldap_err2string(err));
+ ldap_unbind_ext_s (conn, NULL, NULL);
exit (-1);
}
}
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
int result; int result;
char dnbuffer[1024]; char dnbuffer[1024];
@ -505,12 +495,14 @@ index 23dd873..d56bc56 100644
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs); result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
- ldap_result_check ("ldap_add_s", dnbuffer, result); - ldap_result_check ("ldap_add_s", dnbuffer, result);
-}
+ ldap_result_check ("ldap_add_s", dnbuffer, result); + ldap_result_check ("ldap_add_s", dnbuffer, result);
+
} +}
@@ -777,5 +885,5 @@ void
@@ -776,5 +877,5 @@ void
usage () usage ()
{ {
fprintf (stderr, fprintf (stderr,
@ -1,8 +1,8 @@
diff --git a/config.h.in b/config.h.in diff --git a/config.h.in b/config.h.in
index e1364dd921..1dc65cfb21 100644 index 4ecaa8f..2f65ccc 100644
--- a/config.h.in --- a/config.h.in
+++ b/config.h.in +++ b/config.h.in
@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig); @@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1 #undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */ /* The size of `void *', as computed by sizeof. */
@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644
/* Define to 1 if you have the ANSI C header files. */ /* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS #undef STDC_HEADERS
diff --git a/configure.in b/configure.in
index 73b1c8ccbb..129fc3f311 100644
--- a/configure.in
+++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
#include <sys/socket.h>
#include <netdb.h>
int getnameinfo(const struct sockaddr *, socklen_t, char *,
- socklen_t, char *, socklen_t, unsigned int);],
+ socklen_t, char *, socklen_t, int);],
[ return (0);],
- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
[Define to the sockaddr length type used by getnameinfo(3).])
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
[Define to the buffer length type used by getnameinfo(3).])
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
[Define to the flags type used by getnameinfo(3).])],
[AC_TRY_COMPILE([
#include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
#
# ...and same for gai_strerror().
diff --git a/isc-config.sh.in b/isc-config.sh.in diff --git a/isc-config.sh.in b/isc-config.sh.in
index a8a0a89e88..b5e94ed13e 100644 index a8a0a89..b5e94ed 100644
--- a/isc-config.sh.in --- a/isc-config.sh.in
+++ b/isc-config.sh.in +++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@ @@ -13,7 +13,18 @@ prefix=@prefix@
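Review bot: The configure.in hunk that flipped the IRS_GETNAMEINFO_FLAGS_T definitions (`int` for the matched getnameinfo prototype, `unsigned int` for the "assume standard definition" fallback) is dropped from the new side of this patch file, while the config.h.in and isc-config.sh.in hunks are only renumbered (588→600). Nothing in the commit says whether that change was upstreamed in 9.11.21 or deliberately abandoned; if configure.in still probes getnameinfo the old way, the export libs will be built with a flags type that no longer matches the system prototype, which is a silent ABI mismatch rather than a build failure. Please record the reason where the patch is applied, e.g. `# getnameinfo flags-type hunk dropped: detection fixed upstream in 9.11.21 (verify in configure.in)`, so the next rebase does not have to rediscover it. The isc-config.sh.in hunk continues outside this section.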
@ -1,34 +1,34 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f657c30..ff9a2d2 100644 index aa5315d..1fa711a 100644
--- a/bin/dig/dighost.c --- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c +++ b/bin/dig/dighost.c
@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) { @@ -1814,6 +1814,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL) if (query->timer != NULL)
isc_timer_detach(&query->timer); isc_timer_detach(&query->timer);
+ +
+ if (query->waiting_senddone) { + if (query->waiting_senddone) {
+ debug("send_done not yet called"); + debug("send_done not yet called");
+ query->pending_free = ISC_TRUE; + query->pending_free = true;
+ return; + return;
+ } + }
+ +
lookup = query->lookup; lookup = query->lookup;
if (lookup->current_query == query) if (lookup->current_query == query)
@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) { @@ -1839,10 +1846,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace); isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf); isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf); isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone) - if (query->waiting_senddone)
- query->pending_free = ISC_TRUE; - query->pending_free = true;
- else - else
- isc_mem_free(mctx, query); - isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query); + isc_mem_free(mctx, query);
} }
/*% /*%
@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) { @@ -2892,9 +2896,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event); isc_event_free(&event);
if (query->pending_free) if (query->pending_free)

446
bind.spec
@ -1,12 +1,16 @@
%bcond_with LMDB %bcond_without LMDB
%bcond_without JSON
%bcond_with DNSTAP
%bcond_with DLZ %bcond_with DLZ
%bcond_with KYUA
%bcond_with SYSTEMTEST %bcond_with SYSTEMTEST
%bcond_without UNITTEST %bcond_with UNITTEST
%bcond_without SDB %bcond_without SDB
%bcond_without GSSTSIG %bcond_without GSSTSIG
%bcond_without PKCS11 %bcond_without PKCS11
%bcond_without EXPORT_LIBS %bcond_without EXPORT_LIBS
%bcond_with GEOIP
%bcond_without GEOIP2
%bcond_with TSAN
%{?!bind_uid: %global bind_uid 25} %{?!bind_uid: %global bind_uid 25}
%{?!bind_gid: %global bind_gid 25} %{?!bind_gid: %global bind_gid 25}
@ -16,11 +20,11 @@
Name: bind Name: bind
Summary: Domain Name System (DNS) Server (named) Summary: Domain Name System (DNS) Server (named)
License: MPLv2.0 License: MPLv2.0
Version: 9.11.4 Version: 9.11.21
Release: 13 Release: 1
Epoch: 32 Epoch: 32
Url: http://www.isc.org/products/BIND/ Url: http://www.isc.org/products/BIND/
Source0: https://ftp.isc.org/isc/bind9/9.11.4/bind-%{version}-P2.tar.gz Source0: https://ftp.isc.org/isc/bind9/9.11.21/bind-%{version}.tar.gz
Source1: named.sysconfig Source1: named.sysconfig
Source2: named.logrotate Source2: named.logrotate
Source3: bind-9.3.1rc1-sdb_tools-Makefile.in Source3: bind-9.3.1rc1-sdb_tools-Makefile.in
@ -28,7 +32,7 @@ Source4: dnszone.schema
Source5: README.sdb_pgsql Source5: README.sdb_pgsql
Source6: named.conf.sample Source6: named.conf.sample
Source7: named.conf Source7: named.conf
Source8: config-18.tar.bz2 #Source8: config-18.tar.bz2
Source9: ldap2zone.c Source9: ldap2zone.c
Source10: ldap2zone.1 Source10: ldap2zone.1
Source11: named-sdb.8 Source11: named-sdb.8
@ -50,18 +54,23 @@ Source26: named-pkcs11.service
Source27: setup-named-softhsm.sh Source27: setup-named-softhsm.sh
Source28: named-chroot.files Source28: named-chroot.files
Source29: random.data Source29: random.data
Source30: https://www.internic.net/domain/named.root
Source31: named.rfc1912.zones
Source32: named.empty
Source33: named.localhost
Source34: named.loopback
Source35: named.root.key
BuildRequires: openssl-devel libtool autoconf pkgconfig libcap-devel python3-devel python3-ply docbook-style-xsl BuildRequires: openssl-devel libtool autoconf pkgconfig libcap-devel python3-devel python3-ply docbook-style-xsl
BuildRequires: libidn2-devel libxml2-devel GeoIP-devel make systemd selinux-policy findutils sed libxslt gdb BuildRequires: libidn2-devel libxml2-devel make systemd selinux-policy findutils sed libxslt gdb
BuildRequires: bind-libs bind-libs-lite bind-export-libs bind-pkcs11
%if %{with SDB} %if %{with SDB}
BuildRequires: openldap-devel libpq-devel sqlite-devel mariadb-connector-c-devel libdb-devel BuildRequires: openldap-devel libpq-devel sqlite-devel mariadb-connector-c-devel libdb-devel
%endif %endif
%if %{with KYUA} %if %{with UNITTEST}
#BuildRequires: libatf-c-devel kyua BuildRequires: libcmocka-devel kyua
%else
BuildRequires: gcc-c++
%endif %endif
%if %{with PKCS11} %if %{with PKCS11}
@ -80,66 +89,88 @@ BuildRequires: krb5-devel
BuildRequires: lmdb-devel BuildRequires: lmdb-devel
%endif %endif
%if %{with JSON}
BuildRequires: json-c-devel
%endif
%if %{with GEOIP}
BuildRequires: GeoIP-devel
%endif
%if %{with GEOIP2}
BuildRequires: libmaxminddb-devel
%endif
%if %{with DNSTAP}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with TSAN}
BuildRequires: libtsan
%endif
Requires: systemd coreutils shadow-utils glibc-common grep policycoreutils-python-utils Requires: systemd coreutils shadow-utils glibc-common grep policycoreutils-python-utils
Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy bind-libs = %{epoch}:%{version}-%{release} Requires: python3-bind = %{epoch}:%{version}-%{release} libselinux-utils selinux-policy bind-libs = %{epoch}:%{version}-%{release} bind-libs-lite = %{epoch}:%{version}-%{release}
Provides: bind-config = 30:9.3.2-34.fc6 caching-nameserver = 31:9.4.1-7.fc8 dnssec-conf = 1.27-2 Provides: bind-config = 30:9.3.2-34.fc6 caching-nameserver = 31:9.4.1-7.fc8 dnssec-conf = 1.27-2
Provides: bind-license Provides: bind-license
Obsoletes: bind-config < 30:9.3.2-34.fc6 caching-nameserver < 31:9.4.1-7.fc8 dnssec-conf < 1.27-2 Obsoletes: bind-config < 30:9.3.2-34.fc6 caching-nameserver < 31:9.4.1-7.fc8 dnssec-conf < 1.27-2
Obsoletes: bind-license Obsoletes: bind-license
Patch0001: bind-9.5-PIE.patch # Common patches
Patch0003: bind-9.5-dlz-64bit.patch Patch10: bind-9.5-PIE.patch
Patch0004: bind-95-rh452060.patch Patch16: bind-9.3.2-redhat_doc.patch
Patch0005: bind93-rh490837.patch Patch72: bind-9.5-dlz-64bit.patch
Patch0006: bind97-rh478718.patch Patch101:bind-96-old-api.patch
Patch0007: bind97-rh645544.patch Patch102:bind-95-rh452060.patch
Patch0008: bind-9.9.1-P2-dlz-libdb.patch Patch106:bind93-rh490837.patch
Patch0009: bind-9.9.1-P2-multlib-conflict.patch Patch109:bind97-rh478718.patch
Patch0010: bind-9.11-rh1410433.patch Patch112:bind97-rh645544.patch
Patch0011: bind-9.11-rh1205168.patch Patch130:bind-9.9.1-P2-dlz-libdb.patch
Patch0012: bind-9.11-export-suffix.patch Patch131:bind-9.9.1-P2-multlib-conflict.patch
Patch0013: bind-9.11-oot-manual.patch Patch133:bind99-rh640538.patch
Patch0014: bind-9.11-pk11.patch Patch134:bind97-rh669163.patch
Patch0015: bind-9.11-fips-code.patch # Fedora specific patch to distribute native-pkcs#11 functionality
Patch0016: bind-9.11-fips-tests.patch Patch136:bind-9.10-dist-native-pkcs11.patch
Patch0017: bind-9.11-rt31459.patch
Patch0018: bind-9.11-rt46047.patch
Patch0019: bind-9.11-rh1624100.patch
Patch0020: bind-9.11-host-idn-disable.patch
Patch0021: bind-9.10-dist-native-pkcs11.patch
Patch0022: bind-9.11-kyua-pkcs11.patch
Patch0023: bind-96-old-api.patch
Patch0024: bind-9.3.2b2-sdbsrc.patch
Patch0025: bind-9.10-sdb.patch
Patch0026: bind-9.3.2b1-fix_sdb_ldap.patch
Patch0027: bind-9.10-use-of-strlcat.patch
Patch0028: bind99-rh640538.patch
Patch0029: bind97-rh669163.patch
Patch6001: 1314-master-dnssec-checkds-s.patch Patch137:bind-9.10-use-of-strlcat.patch
Patch6002: 2432-check-param_template-i-.pValue-is-non-NULL.patch Patch140:bind-9.11-rh1410433.patch
Patch6003: 2497-refcount-errors-on-error-paths.patch Patch145:bind-9.11-rh1205168.patch
Patch6004: 2559-Do-not-remove-errors-from-the-OpenSSL-error-queue-in.patch Patch149:bind-9.11-kyua-pkcs11.patch
Patch6005: 2574-Do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch Patch150:bind-9.11-engine-pkcs11.patch
Patch6006: 2711-Align-CMSG-buffers-to-a-void-boundary-fixes-crash-on.patch Patch153:bind-9.11-export-suffix.patch
Patch6007: 2776-Fix-crash-caused-by-race-condition-in-timer-creation.patch Patch154:bind-9.11-oot-manual.patch
Patch6008: 2865-free-key-on-error.patch Patch155:bind-9.11-pk11.patch
Patch6009: 2879-expand-the-pool-then-copy-over-the-old-entries-so-we.patch Patch156:bind-9.11-fips-code.patch
Patch6010: 2985-Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch Patch157:bind-9.11-fips-tests.patch
Patch6011: 2998-Use-larger-buffers-on-snprintf-buffer-overflow-false.patch Patch158:bind-9.11-rt31459.patch
Patch6012: 3022-Fix-a-shutdown-race-in-bin-dig-dighost.c.patch Patch159:bind-9.11-rt46047.patch
Patch6013: 3046-uninitalize-memory-read-on-error-path.patch Patch160:bind-9.11-rh1624100.patch
Patch6014: 3318-Allow-unsupported-alg-in-zone-w-dnssec-signzone.patch Patch161:bind-9.11-host-idn-disable.patch
Patch6015: 3543-fix-memory-leak.patch Patch163:bind-9.11-rh1663318.patch
Patch6016: Use-clock_gettime-instead-of-gettimeofday.patch Patch164:bind-9.11-rh1666814.patch
Patch6017: CVE-2018-5743.patch Patch168:bind-9.11-unit-disable-random.patch
Patch6018: CVE-2018-5743-atomic-fix.patch Patch170:bind-9.11-feature-test-named.patch
Patch6019: CVE-2018-5745.patch Patch171:bind-9.11-tests-variants.patch
Patch6020: CVE-2019-6465.patch Patch172:bind-9.11-tests-pkcs11.patch
Patch173:bind-9.11-rh1732883.patch
Patch174:bind-9.11-json-c.patch
Patch175:bind-9.11-fips-disable.patch
Patch177: bind-9.11-serve-stale.patch
Patch178: bind-9.11-serve-stale-dbfix.patch
Patch183: bind-9.11-rh1736762-5.patch
Patch9000: feature-bind99-euler-range-port.patch Patch184: feature-bind99-euler-range-port.patch
Patch9001: bugfix-nslookup-norec.patch Patch185: bugfix-nslookup-norec.patch
Patch9002: bugfix-named-log-time.patch Patch186: bugfix-named-log-time.patch
Patch187: dnssec-checkds-s.patch
Patch188: do-not-treat-a-referral-with-a-non-empty-ANSWER-sect.patch
Patch189: Add-some-DBC-checks-in-dighost-fix-race-between-clea.patch
Patch190: Use-clock_gettime-instead-of-gettimeofday.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
Patch12: bind-9.10-sdb.patch
# needs inpection
Patch13: bind-9.3.2b1-fix_sdb_ldap.patch
%description %description
Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
@ -259,7 +290,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
%package -n python3-bind %package -n python3-bind
Summary: A module allowing rndc commands to be sent from Python programs Summary: A module allowing rndc commands to be sent from Python programs
Requires: bind = %{epoch}:%{version}-%{release} Requires: bind = %{epoch}:%{version}-%{release}
Requires: python3 python3-ply %{py3_dist ply} Requires: python3 python3-ply %{?py3_dist:%py3_dist ply}
BuildArch: noarch BuildArch: noarch
%{?python_provide:%python_provide python3-bind} %{?python_provide:%python_provide python3-bind}
%{?python_provide:%python_provide python3-isc} %{?python_provide:%python_provide python3-isc}
@ -291,94 +322,108 @@ are used for building ISC DHCP.
%endif %endif
%prep %prep
%setup -q -n %{name}-%{version}-P2 %setup -q -n %{name}-%{version}
# Common patches
%patch10 -p1 -b .PIE
%patch16 -p1 -b .redhat_doc
%patch72 -p1 -b .64bit
%patch102 -p1 -b .rh452060
%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
%patch112 -p1 -b .rh645544
%patch130 -p1 -b .libdb
%patch131 -p1 -b .multlib-conflict
%patch140 -p1 -b .rh1410433
%patch145 -p1 -b .rh1205168
%patch153 -p1 -b .export_suffix
%patch154 -p1 -b .oot-man
%patch155 -p1 -b .pk11-internal
%patch156 -p1 -b .fips-code
%patch157 -p1 -b .fips-tests
%patch158 -p1 -b .rt31459
%patch159 -p1 -b .rt46047
%patch160 -p1 -b .rh1624100
%patch161 -p1 -b .host-idn-disable
%patch163 -p1 -b .rh1663318
%patch164 -p1 -b .rh1666814
%patch168 -p1 -b .random_test-disable
%patch170 -p1 -b .featuretest-named
%patch171 -p1 -b .test-variant
%patch172 -p1 -b .test-pkcs11
%patch173 -p1 -b .rh1732883
%patch174 -p1 -b .json-c
%patch175 -p1 -b .rh1709553
%patch177 -p1 -b .serve-stale
%patch178 -p1 -b .rh1770492
%patch183 -p1 -b .rh1736762-5
%patch0001 -p1 %patch184 -p1
%patch0003 -p1 %patch185 -p1
%patch0004 -p1 %patch186 -p1
%patch0005 -p0 %patch187 -p1
%patch0006 -p1 %patch188 -p1
%patch0007 -p1 %patch189 -p1
%patch0008 -p1 %patch190 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
%patch0019 -p1
%patch0020 -p1
mkdir lib/dns/tests/testdata/dstrandom mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data cp -a %{SOURCE29} lib/dns/tests/testdata/dstrandom/random.data
%if %{with PKCS11} %if %{with PKCS11}
cp -r bin/named bin/named-pkcs11 cp -r bin/named{,-pkcs11}
cp -r bin/dnssec bin/dnssec-pkcs11 cp -r bin/dnssec{,-pkcs11}
cp -r lib/isc lib/isc-pkcs11 cp -r lib/isc{,-pkcs11}
cp -r lib/dns lib/dns-pkcs11 cp -r lib/dns{,-pkcs11}
%patch0021 -p1 %patch136 -p1 -b .dist_pkcs11
%patch0022 -p1 %patch149 -p1 -b .kyua-pkcs11
%patch150 -p1 -b .engine-pkcs11
%endif %endif
%if %{with SDB} %if %{with SDB}
%patch0023 -p1 %patch101 -p1 -b .old-api
mkdir bin/named-sdb mkdir bin/named-sdb
mkdir bin/sdb_tools
cp -r bin/named/* bin/named-sdb cp -r bin/named/* bin/named-sdb
%patch0024 -p1 %patch11 -p1 -b .sdbsrc
# SDB ldap
cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb
# SDB postgreSQL
cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb
# SDB sqlite
cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb
# SDB Berkeley DB - needs to be ported to DB4!
#cp -fp contrib/sdb/bdb/bdb.[ch] bin/named_sdb
# SDB dir
cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb
# SDB tools
mkdir -p bin/sdb_tools
cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c cp -fp %{SOURCE9} bin/sdb_tools/ldap2zone.c
cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in cp -fp %{SOURCE3} bin/sdb_tools/Makefile.in
#cp -fp contrib/sdb/bdb/zone2bdb.c bin/sdb_tools
cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools
cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools
cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
%patch0025 -p1
%patch0026 -p1 %patch12 -p1 -b .sdb
%patch0027 -p1 %patch13 -p1 -b .fix_sdb_ldap
%patch137 -p1 -b .strlcat_fix
%endif %endif
%patch0028 -p1 %patch133 -p1 -b .rh640538
%patch0029 -p1 %patch134 -p1 -b .rh669163
%patch9000 -p1 # Sparc and s390 arches need to use -fPIE
%patch9001 -p1 %ifarch sparcv9 sparc64 s390 s390x
%patch6001 -p1 for i in bin/named{,-sdb}/{,unix}/Makefile.in; do
%patch6002 -p1 sed -i 's|fpie|fPIE|g' $i
%patch6003 -p1 done
%patch6004 -p1 %endif
%patch6005 -p1 :;
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%patch6014 -p1
%patch6015 -p1
%patch6016 -p1
%patch6017 -p1
%patch6018 -p1
%patch6019 -p1
%patch6020 -p1
%patch9002 -p1
%build %build
%define _configure "../configure" %define _configure "../configure"
%define unit_prepare_build() \ %define unit_prepare_build() \
cp -uv Kyuafile Atffile "%{1}/" \ cp -uv Kyuafile "%{1}/" \
find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \ find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \ find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
@ -386,13 +431,11 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
cp -Tuav bin/tests "%{1}/bin/tests/" \ cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}" cp -uv version "%{1}"
%if %{with KYUA} CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
ATF_PATH=/usr %if %{with TSAN}
%else CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
ATF_PATH=yes
%endif %endif
export CFLAGS
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE" export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS" export STD_CDEFINES="$CPPFLAGS"
@ -407,7 +450,7 @@ export LIBDIR_SUFFIXi=
%configure \ %configure \
--with-python=%{__python3} --with-libtool --localstatedir=/var \ --with-python=%{__python3} --with-libtool --localstatedir=/var \
--enable-threads --enable-ipv6 --enable-filter-aaaa --with-pic \ --enable-threads --enable-ipv6 --enable-filter-aaaa --with-pic \
--disable-static --includedir=%{_includedir}/bind9 --with-geoip \ --disable-static --includedir=%{_includedir}/bind9 \
--with-tuning=large --with-libidn2 --enable-openssl-hash \ --with-tuning=large --with-libidn2 --enable-openssl-hash \
--enable-fixed-rrset --enable-full-report \ --enable-fixed-rrset --enable-full-report \
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \ --with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
@ -426,8 +469,29 @@ export LIBDIR_SUFFIXi=
%else %else
--with-lmdb=no \ --with-lmdb=no \
%endif %endif
%if %{with JSON}
--with-libjson \
%endif
%if %{with DNSTAP}
--enable-dnstap \
%endif
%if %{with GEOIP}
--with-geoip \
%endif
%if %{with GEOIP2}
--with-geoip2 \
%endif
%if %{with UNITTEST} %if %{with UNITTEST}
--with-atf=${ATF_PATH} --with-cmocka \
%endif
%if %{with DNSTAP}
pushd lib
SRCLIB="../../../lib"
(cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
%if %{with PKCS11}
(cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
%endif
popd
%endif %endif
make -j32 make -j32
@ -440,11 +504,6 @@ pushd bin/python
make man make man
popd popd
%if ! %{with KYUA}
ATF_PATH="`pwd`/unit/atf"
sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile
%endif
popd # build popd # build
%unit_prepare_build build %unit_prepare_build build
@ -466,7 +525,7 @@ export LIBDIR_SUFFIX=%{_export_dir}
--with-gssapi=yes --disable-isc-spnego \ --with-gssapi=yes --disable-isc-spnego \
%endif %endif
%if %{with UNITTEST} %if %{with UNITTEST}
--with-atf=${ATF_PATH} --with-cmocka \
%endif %endif
mv isc-config.sh isc-export-config.sh mv isc-config.sh isc-export-config.sh
@ -478,7 +537,6 @@ sed -i \
Makefile Makefile
sed -i -e "/^SUBDIRS =/s/.*/SUBDIRS = isc dns isccfg irs/i" lib/Makefile sed -i -e "/^SUBDIRS =/s/.*/SUBDIRS = isc dns isccfg irs/i" lib/Makefile
sed -i -e '/^SUBDIRS =/s/atf-src//i' unit/Makefile
for lib in isc dns isccfg irs; do for lib in isc dns isccfg irs; do
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \; find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
@ -491,10 +549,46 @@ make -j32
popd popd
%unit_prepare_build export-libs %unit_prepare_build export-libs
sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' -i export-libs/lib/Kyuafile # Test just compiled libraries
for lib in %{bind_export_libs}
do
sed -e "s,^\s*include(.*${lib}/.*,-- use &," -i export-libs/lib/Kyuafile
done
sed -e "/^\s*include(/ d" -e 's/^-- use //' -i export-libs/lib/Kyuafile
%endif #end EXPORT_LIBS %endif #end EXPORT_LIBS
%check %check
%if %{with PKCS11}
# Tests require initialization of pkcs11 token
eval "$(bash %{SOURCE27} -A "`pwd`/softhsm-tokens")"
%endif
%if %{with TSAN}
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
%endif
%if %{with UNITTEST}
pushd build
make unit
e=$?
if [ "$e" -ne 0 ]; then
echo "ERROR: this build of BIND failed 'make unit'. Aborting."
exit $e;
fi;
popd
%if %{with EXPORT_LIBS}
pushd export-libs
make unit
e=$?
if [ "$e" -ne 0 ]; then
echo "ERROR: this build of BIND export-libs failed 'make unit'. Aborting."
exit $e;
fi;
popd
%endif
%endif
%if %{with SYSTEMTEST} %if %{with SYSTEMTEST}
if [ "`whoami`" = 'root' ]; then if [ "`whoami`" = 'root' ]; then
@ -616,29 +710,44 @@ cp -fp build/config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE8}
touch ${RPM_BUILD_ROOT}/etc/rndc.key # configuration files
touch ${RPM_BUILD_ROOT}/etc/rndc.conf install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
install -m 640 %{SOURCE7} ${RPM_BUILD_ROOT}/etc/named.conf touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
# data files
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
install -m 640 %{SOURCE30} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
install -m 640 %{SOURCE33} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
install -m 640 %{SOURCE34} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
install -m 640 %{SOURCE32} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
install -m 640 %{SOURCE31} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
mkdir -p sample/etc sample/var/named/{data,slaves} mkdir -p sample/etc sample/var/named/{data,slaves}
mkdir ${RPM_BUILD_ROOT}/etc/named
install -m 644 %{SOURCE15} ${RPM_BUILD_ROOT}/etc/trusted-key.key
install -m 644 %{SOURCE6} sample/etc/named.conf install -m 644 %{SOURCE6} sample/etc/named.conf
install -m 644 %{SOURCE7} named.conf.default install -m 644 %{SOURCE7} named.conf.default
install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones install -m 644 %{SOURCE31} sample/etc/named.rfc1912.zones
install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named install -m 644 %{SOURCE33} %{SOURCE34} %{SOURCE32} sample/var/named
install -m 644 %{SOURCE30} sample/var/named/named.ca
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir} mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf install -m 644 %{SOURCE14} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
install -m 644 %{SOURCE22} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named install -m 644 %{SOURCE22} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
cp -a %{_libdir}/%{_export_dir}/lib{dns,irs,isc,isccfg}-export.so.* %{buildroot}%{_libdir}/%{_export_dir}
cp -a %{_libdir}/lib{dns,isc}-pkcs11.so.* %{buildroot}%{_libdir}
cp -a %{_libdir}/lib{bind9,isccc,lwres,irs,isccfg}.so.160* %{buildroot}%{_libdir}
cp -a %{_libdir}/lib{dns.so.1102*,isc.so.169*} %{buildroot}%{_libdir}
%pre %pre
if [ "$1" -eq 1 ]; then if [ "$1" -eq 1 ]; then
/usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :; /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
fi fi
%post %post
@ -649,8 +758,8 @@ if [ "$1" -eq 1 ]; then
[ -e /etc/rndc.key ] && chown root:named /etc/rndc.key [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
[ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
else else
if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then if getent passwd named | grep ':/bin/false$' >/dev/null; then
usermod -s /bin/false named /sbin/usermod -s /sbin/nologin named
fi fi
fi fi
@ -712,9 +821,11 @@ fi
%if %{with EXPORT_LIBS} %if %{with EXPORT_LIBS}
%post export-libs %post export-libs
/sbin/ldconfig /sbin/ldconfig
%end
%postun export-libs %postun export-libs
/sbin/ldconfig /sbin/ldconfig
%end
%endif %endif
@ -826,12 +937,21 @@ rm -rf ${RPM_BUILD_ROOT}
%{_libdir}/libisccc.so.160* %{_libdir}/libisccc.so.160*
%{_libdir}/liblwres.so.160* %{_libdir}/liblwres.so.160*
%{_libdir}/libbind9.so.161*
%{_libdir}/libisccc.so.161*
%{_libdir}/liblwres.so.161*
%files libs-lite %files libs-lite
%{_libdir}/libdns.so.1102* %{_libdir}/libdns.so.1102*
%{_libdir}/libirs.so.160* %{_libdir}/libirs.so.160*
%{_libdir}/libisc.so.169* %{_libdir}/libisc.so.169*
%{_libdir}/libisccfg.so.160* %{_libdir}/libisccfg.so.160*
%{_libdir}/libdns.so.1110*
%{_libdir}/libirs.so.161*
%{_libdir}/libisc.so.1105*
%{_libdir}/libisccfg.so.163*
%files utils %files utils
%{_bindir}/dig %{_bindir}/dig
@ -875,6 +995,10 @@ rm -rf ${RPM_BUILD_ROOT}
%if %{with LMDB} %if %{with LMDB}
%{_mandir}/man8/named-nzd2nzf.8* %{_mandir}/man8/named-nzd2nzf.8*
%endif %endif
%if %{with DNSTAP}
%{_bindir}/dnstap-read
%{_mandir}/man1/dnstap-read.1*
%endif
%{_sysconfdir}/trusted-key.key %{_sysconfdir}/trusted-key.key
%if %{with SDB} %if %{with SDB}
@ -1004,11 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/named-pkcs11 %{_sbindir}/named-pkcs11
%{_sbindir}/dnssec*pkcs11 %{_sbindir}/dnssec*pkcs11
%{_sbindir}/pkcs11-* %{_sbindir}/pkcs11-*
%{_libdir}/libdns-pkcs11.so.1102* %{_libdir}/libdns-pkcs11.so.1110*
%{_libdir}/libisc-pkcs11.so.169* %{_libdir}/libisc-pkcs11.so.1105*
%{_unitdir}/named-pkcs11.service %{_unitdir}/named-pkcs11.service
%{_libexecdir}/setup-named-softhsm.sh %{_libexecdir}/setup-named-softhsm.sh
%{_mandir}/man8/*pkcs11*.8* %{_mandir}/man8/*pkcs11*.8*
%{_libdir}/libdns-pkcs11.so.1102*
%{_libdir}/libisc-pkcs11.so.169*
%files pkcs11-devel %files pkcs11-devel
%{_libdir}/lib*-pkcs11.so %{_libdir}/lib*-pkcs11.so
@ -1022,10 +1148,16 @@ rm -rf ${RPM_BUILD_ROOT}
%files export-libs %files export-libs
%dir %{_libdir}/%{_export_dir} %dir %{_libdir}/%{_export_dir}
%{_libdir}/%{_export_dir}/libdns-export.so.1110*
%{_libdir}/%{_export_dir}/libirs-export.so.161*
%{_libdir}/%{_export_dir}/libisc-export.so.1105*
%{_libdir}/%{_export_dir}/libisccfg-export.so.163*
%{_libdir}/%{_export_dir}/libdns-export.so.1102* %{_libdir}/%{_export_dir}/libdns-export.so.1102*
%{_libdir}/%{_export_dir}/libirs-export.so.160* %{_libdir}/%{_export_dir}/libirs-export.so.160*
%{_libdir}/%{_export_dir}/libisc-export.so.169* %{_libdir}/%{_export_dir}/libisc-export.so.169*
%{_libdir}/%{_export_dir}/libisccfg-export.so.160* %{_libdir}/%{_export_dir}/libisccfg-export.so.160*
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf
%files export-devel %files export-devel
@ -1045,6 +1177,12 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog %changelog
* Mon Jul 27 2020 gaihuiying <gaihuiying1@huawei.com> - 9.11.21-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update c-ares version to 9.11.21
* Thu Mar 19 2020 songnannan <songnannan2@huawei.com> - 9.11.4-13 * Thu Mar 19 2020 songnannan <songnannan2@huawei.com> - 9.11.4-13
- add gdb in buildrequires - add gdb in buildrequires


@ -1,13 +1,22 @@
? patch diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
? lib/isc/lex.c.rh490837 index 1f44b5a..a3625f9 100644
Index: lib/isc/lex.c --- a/lib/isc/include/isc/stdio.h
=================================================================== +++ b/lib/isc/include/isc/stdio.h
RCS file: /var/snap/bind9/lib/isc/lex.c,v @@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f);
retrieving revision 1.86 * direct counterpart in the stdio library.
diff -p -u -r1.86 lex.c */
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 +isc_result_t
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne +isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index a8955bc..fc6103b 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
if (source->is_file) { if (source->is_file) {
stream = source->input; stream = source->input;
@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c
goto done; goto done;
} }
+ +
source->at_eof = ISC_TRUE; source->at_eof = true;
} }
} else { } else {
Index: lib/isc/include/isc/stdio.h diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
=================================================================== index 2f12bcc..5bfd648 100644
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v --- a/lib/isc/unix/errno2result.c
retrieving revision 1.13 +++ b/lib/isc/unix/errno2result.c
diff -p -u -r1.13 stdio.h @@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog,
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
Index: lib/isc/unix/errno2result.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
retrieving revision 1.17
diff -p -u -r1.17 errno2result.c
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
case EINVAL: /* XXX sometimes this is not for files */ case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG: case ENAMETOOLONG:
case EBADF: case EBADF:
@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c
return (ISC_R_INVALIDFILE); return (ISC_R_INVALIDFILE);
case ENOENT: case ENOENT:
return (ISC_R_FILENOTFOUND); return (ISC_R_FILENOTFOUND);
Index: lib/isc/unix/stdio.c diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
=================================================================== index e60fa65..77f0b13 100644
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v --- a/lib/isc/unix/stdio.c
retrieving revision 1.8 +++ b/lib/isc/unix/stdio.c
diff -p -u -r1.8 stdio.c @@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) {
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno)); return (isc__errno2result(errno));
} }


@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in diff --git a/configure.ac b/configure.ac
index 896e81c1ce..73b1c8ccbb 100644 index 26c509e..c1bfd62 100644
--- a/configure.in --- a/configure.ac
+++ b/configure.in +++ b/configure.ac
@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then @@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch) AC_MSG_RESULT($arch)
fi fi
@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644
AC_MSG_CHECKING([compiler support for inline assembly code]) AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 2ff522342f..58df86adb3 100644 index c902d46..9c7c342 100644
--- a/lib/isc/include/isc/platform.h.in --- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in
@@ -289,19 +289,25 @@ @@ -284,19 +284,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture, * If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined. * ISC_PLATFORM_HAVEXADDQ will be defined.
*/ */

View File

@ -1,7 +1,8 @@
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200 index ecb3ddb..f7f73cd 100644
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200 --- a/lib/dns/resolver.c
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) { +++ b/lib/dns/resolver.c
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
*/ */
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"success resolving '%s' (in '%s'?) after %s", "success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason); fctx->info, domainbuf, fctx->reason);
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin @@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
"lame server resolving '%s' (in '%s'?): %s", "lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf); namebuf, domainbuf, addrbuf);
} }
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char @@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
} isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, - DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s%s%s: %s", "DNS format error from %s resolving %s for %s: %s",
nsbuf, fctx->info, clmsg, clbuf, msgbuf); nsbuf, fctx->info, fctx->clientstr, msgbuf);
} }


@ -1,15 +1,14 @@
diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h diff -upNr b/lib/isc/include/isc/util.h a/lib/isc/include/isc/util.h
--- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800 --- b/lib/isc/include/isc/util.h 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800 +++ a/lib/isc/include/isc/util.h 2019-07-30 21:39:03.400000000 +0800
@@ -233,7 +233,7 @@ @@ -233,6 +233,7 @@
* Time * Time
*/ */
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS) #define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
-
+#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS) +#define TIME_REAL_NOW(tp) RUNTIME_CHECK(isc_time_real_now((tp)) == ISC_R_SUCCESS)
/*% #ifdef CLOCK_BOOTTIME
* Alignment #define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
*/ #endif
diff -upNr b/lib/isc/log.c a/lib/isc/log.c diff -upNr b/lib/isc/log.c a/lib/isc/log.c
--- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800 --- b/lib/isc/log.c 2019-07-30 19:52:09.610000000 +0800
+++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800 +++ a/lib/isc/log.c 2019-07-30 21:39:03.410000000 +0800
@ -55,44 +54,6 @@ diff -upNr b/lib/isc/unix/include/isc/time.h a/lib/isc/unix/include/isc/time.h
diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c
--- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800 --- b/lib/isc/unix/time.c 2019-07-30 19:52:09.600000000 +0800
+++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800 +++ a/lib/isc/unix/time.c 2019-07-30 21:39:03.400000000 +0800
@@ -36,6 +36,9 @@
#define NS_PER_MS 1000000 /*%< Nanoseconds per millisecond. */
#define US_PER_S 1000000 /*%< Microseconds per second. */
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
#define CLOCKSOURCE CLOCK_MONOTONIC
/*%
@@ -44,6 +47,27 @@
static const isc_interval_t zero_interval = { 0, 0 };
const isc_interval_t * const isc_interval_zero = &zero_interval;
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+ isc_boolean_t fixed = ISC_FALSE;
+ if (tv->tv_usec < 0) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec -= 1;
+ tv->tv_usec += US_PER_S;
+ } while (tv->tv_usec < 0);
+ } else if (tv->tv_usec >= US_PER_S) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec += 1;
+ tv->tv_usec -= US_PER_S;
+ } while (tv->tv_usec >=US_PER_S);
+ }
+ if (fixed)
+ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
void
isc_interval_set(isc_interval_t *i,
@@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) { @@ -105,6 +129,50 @@ isc_time_isepoch(const isc_time_t *t) {
@ -142,5 +103,5 @@ diff -upNr b/lib/isc/unix/time.c a/lib/isc/unix/time.c
+ +
+isc_result_t +isc_result_t
isc_time_now(isc_time_t *t) { isc_time_now(isc_time_t *t) {
struct timespec ts; struct timeval tv;
char strbuf[ISC_STRERRORSIZE]; char strbuf[ISC_STRERRORSIZE];
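Review bot: `TIME_MONOTONIC` is defined only under `#ifdef CLOCK_BOOTTIME` in the util.h hunk, with no `#else`, so whichever caller the rest of the patch introduces (log.c and time.c are touched but the call sites are not shown) builds only where that clock id exists, and a port to another libc fails with an undeclared identifier instead of an explained choice. A fallback to `TIME_NOW(tp)` is not obviously safe either: on the new side the isc_time_now context line reads `struct timeval tv;`, which suggests a gettimeofday-based wall clock, whereas `isc_time_boottime` is presumably monotonic. Proposed comment on the `#ifdef` line: `/* TIME_MONOTONIC needs CLOCK_BOOTTIME; deliberately no wall-clock fallback, isc_time_now is not monotonic. */`, or, if a fallback is wanted, an `#else` branch whose comment states the wall-clock semantics it degrades to. The `isc_time_real_now` body added by the `@@ -105,6 +129,50 @@` hunk is mostly outside the lines shown.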



@ -9,7 +9,6 @@ Subject: [PATCH 1314/3677] [master] dnssec-checkds -s
--- ---
CHANGES | 8 +- CHANGES | 8 +-
bin/python/dnssec-checkds.docbook | 24 +++--- bin/python/dnssec-checkds.docbook | 24 +++---
bin/python/isc/checkds.py.in | 49 ++++++-----
bin/tests/system/checkds/clean.sh | 2 - bin/tests/system/checkds/clean.sh | 2 -
bin/tests/system/checkds/dig.pl | 2 - bin/tests/system/checkds/dig.pl | 2 -
bin/tests/system/checkds/dig.sh | 3 - bin/tests/system/checkds/dig.sh | 3 -
@ -71,20 +70,7 @@ diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in
index ce50355..a161554 100644 index ce50355..a161554 100644
--- a/bin/python/isc/checkds.py.in --- a/bin/python/isc/checkds.py.in
+++ b/bin/python/isc/checkds.py.in +++ b/bin/python/isc/checkds.py.in
@@ -34,7 +34,11 @@ class SECRR: @@ -89,39 +93,43 @@ class SECRR:
if not rrtext:
raise Exception
- fields = rrtext.decode('ascii').split()
+ # 'str' does not have decode method in python3
+ if type(rrtext) is not str:
+ fields = rrtext.decode('ascii').split()
+ else:
+ fields = rrtext.split()
if len(fields) < 7:
raise Exception
@@ -89,35 +93,39 @@ class SECRR:
# Generate a set of expected DS/DLV records from the DNSKEY RRset, # Generate a set of expected DS/DLV records from the DNSKEY RRset,
# and report on congruency. # and report on congruency.
############################################################################ ############################################################################
@ -103,6 +89,8 @@ index ce50355..a161554 100644
+ fp, _ = Popen(cmd, stdout=PIPE).communicate() + fp, _ = Popen(cmd, stdout=PIPE).communicate()
for line in fp.splitlines(): for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- rrlist.append(SECRR(line, lookaside)) - rrlist.append(SECRR(line, lookaside))
+ rrlist.append(SECRR(line, args.lookaside)) + rrlist.append(SECRR(line, args.lookaside))
rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg)) rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg))
@ -131,6 +119,8 @@ index ce50355..a161554 100644
fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods) fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
for line in fp.splitlines(): for line in fp.splitlines():
if type(line) is not str:
line = line.decode('ascii')
- klist.append(SECRR(line, lookaside)) - klist.append(SECRR(line, lookaside))
+ klist.append(SECRR(line, args.lookaside)) + klist.append(SECRR(line, args.lookaside))
@ -160,7 +150,7 @@ index ce50355..a161554 100644
@@ -162,6 +167,12 @@ def parse_args(): @@ -162,6 +167,12 @@ def parse_args():
default=os.path.join(prefix(sbindir), default=os.path.join(prefix(sbindir),
'dnssec-dsfromkey'), 'dnssec-dsfromkey'),
type=str, help='path to \'dig\'') type=str, help='path to \'dnssec-dsfromkey\'')
+ parser.add_argument('-f', '--file', dest='masterfile', type=str, + parser.add_argument('-f', '--file', dest='masterfile', type=str,
+ help='zone master file') + help='zone master file')
+ parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, + parser.add_argument('-l', '--lookaside', dest='lookaside', type=str,


@ -1,6 +1,17 @@
#!/bin/bash #!/bin/bash
if [ -r /etc/rc.d/init.d/functions ]; then
. /etc/rc.d/init.d/functions . /etc/rc.d/init.d/functions
else
success() {
echo $" OK "
}
failure() {
echo -n " "
echo $"FAILED"
}
fi
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf # This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
@ -14,7 +25,9 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
success $"/etc/rndc.key generation" success $"/etc/rndc.key generation"
echo echo
else else
rc=$?
failure $"/etc/rndc.key generation" failure $"/etc/rndc.key generation"
echo echo
exit $rc
fi fi
fi fi


@ -20,7 +20,7 @@ PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'


@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'


@ -20,7 +20,7 @@ PIDFile=/var/named/chroot_sdb/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'


@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID' ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

10
named.empty Normal file

@ -0,0 +1,10 @@
$TTL 3H
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1

10
named.localhost Normal file

@ -0,0 +1,10 @@
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1

11
named.loopback Normal file

@ -0,0 +1,11 @@
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
PTR localhost.

45
named.rfc1912.zones Normal file

@ -0,0 +1,45 @@
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

61
named.root Normal file

@ -0,0 +1,61 @@
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 199.9.14.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE rcvd: 811

19
named.root.key Normal file

@ -0,0 +1,19 @@
managed-keys {
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
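Review bot: The packaged trust anchor carries no provenance note a packager could check against: the comment points at root-anchors.xml but nothing in the file records what the embedded `initial-key` (tag 20326) is expected to match, so a modified key material line would be indistinguishable from the genuine one at review time. A comment beside the key such as `# Verify before shipping: key tag 20326 must match the DS for KSK-2017 in root-anchors.xml (expected digest: <DS digest from IANA>)` makes that check part of the file, which matters because every resolver built from this package validates the whole DNS tree from this single value.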


@ -15,8 +15,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'


@ -2,6 +2,12 @@
# #
# This script will initialise token storage of softhsm PKCS11 provider # This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location. # in custom location. Is useful to store tokens in non-standard location.
#
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
# Quotes around eval are mandatory!
# Recommended use:
# eval "$(bash setup-named-softhsm.sh -A)"
#
SOFTHSM2_CONF="$1" SOFTHSM2_CONF="$1"
TOKENPATH="$2" TOKENPATH="$2"
@ -10,14 +16,55 @@ GROUPNAME="$3"
# This is intended for crypto accelerators using PKCS11 interface. # This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation. # Uninitialized token would fail any crypto operation.
PIN=1234 PIN=1234
SO_PIN=1234
LABEL=rpm
set -e set -e
echo_i()
{
echo "#" $@
}
random()
{
if [ -x "$(which openssl 2>/dev/null)" ]; then
openssl rand -base64 $1
else
dd if=/dev/urandom bs=1c count=$1 | base64
fi
}
usage()
{
echo "Usage: $0 -A [token directory] [group]"
echo " or: $0 <config file> <token directory> [group]"
}
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
fi
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
echo "Usage: $0 <config file> <token directory> [group]" >&2 usage >&2
exit 1 exit 1
fi fi
if [ "$SOFTHSM2_CONF" = "-A" ]; then
# Automagic mode instead
MODE=secure
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
PIN_SOURCE="$TOKENPATH/pin"
SOPIN_SOURCE="$TOKENPATH/so-pin"
TOKENPATH="$TOKENPATH/tokens"
else
MODE=legacy
fi
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
umask 0022
if ! [ -f "$SOFTHSM2_CONF" ]; then if ! [ -f "$SOFTHSM2_CONF" ]; then
cat << SED > "$SOFTHSM2_CONF" cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file # SoftHSM v2 configuration file
@ -32,19 +79,36 @@ log.level = ERROR
slots.removable = false slots.removable = false
SED SED
else else
echo "Config file $SOFTHSM2_CONF already exists" >&2 echo_i "Config file $SOFTHSM2_CONF already exists" >&2
fi fi
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" if [ -n "$PIN_SOURCE" ]; then
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
if [ -n "$GROUPNAME" ]; then
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
fi
fi
export SOFTHSM2_CONF export SOFTHSM2_CONF
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
then then
echo "Token in ${TOKENPATH} is already initialized" >&2 echo_i "Token in ${TOKENPATH} is already initialized" >&2
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
else else
echo "Initializing tokens to ${TOKENPATH}..." PIN=$(random 6)
softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN SO_PIN=$(random 18)
if [ -n "$PIN_SOURCE" ]; then
echo -n "$PIN" > "$PIN_SOURCE"
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
fi
echo_i "Initializing tokens to ${TOKENPATH}..."
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
if [ -n "$GROUPNAME" ]; then if [ -n "$GROUPNAME" ]; then
chgrp -R -- "$GROUPNAME" "$TOKENPATH" chgrp -R -- "$GROUPNAME" "$TOKENPATH"
@ -53,3 +117,8 @@ else
fi fi
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\"" echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
# These are intentionaly not exported
echo "PIN=\"$PIN\""
echo "SO_PIN=\"$SO_PIN\""
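Review bot: The new `softhsm2-util --init-token ... | sed -e 's/^/# /'` line defeats the `set -e` at the top of the script, because a pipeline's status is sed's, so a failed token initialisation is not fatal and the script still prints the `export` lines for a token that was never created while the fresh PINs have already been written to `$PIN_SOURCE` and `$SOPIN_SOURCE`. Since the script is documented as run under bash (`eval "$(bash setup-named-softhsm.sh -A)"`), replacing `set -e` with `set -e -o pipefail`, or testing `${PIPESTATUS[0]}` right after the pipeline, makes the failure abort as intended. Separately, the pin files are created with `touch` under `umask 0022` and only then `chmod 0600`; the 0700 mktemp directory protects them only when no directory argument is given, so with `-A <existing dir>` there is a window in which an empty 0644 file can be opened by another local user and the descriptor held until the PIN is written — `(umask 077; touch "$PIN_SOURCE" "$SOPIN_SOURCE")` creates them private from the start and, unlike a truncating redirect, keeps an existing pin file intact for the "already initialized" branch that reads it back. The PINs are also passed to softhsm2-util as command-line arguments and are therefore visible in the process table while it runs; whether softhsm2-util accepts them another way is not shown here.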