!158 fix some patches from 9.16.23 and delete useless patches

From: @zhang-hao-jon 
Reviewed-by: @kircher 
Signed-off-by: @kircher
openeuler-ci-bot 2023-02-17 09:34:02 +00:00 committed by Gitee
commit f68363ec76
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
87 changed files with 127 additions and 10033 deletions


@ -1,208 +0,0 @@
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/f1bc36f19362f9f2173bf9511e85781058f19c64
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index dd82f273a4d5a2d34edd1cbcba8c9daf78a71b34..677384b1081d060ccc0acc92e476eb7664577806 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -65,6 +65,8 @@
#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/validator.h>
+#include <dns/zone.h>
+
#ifdef WANT_QUERYTRACE
#define RTRACE(m) \
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
@@ -339,6 +341,8 @@ struct fetchctx {
dns_fetch_t *qminfetch;
dns_rdataset_t qminrrset;
dns_name_t qmindcname;
+ dns_fixedname_t fwdfname;
+ dns_name_t *fwdname;
/*%
* The number of events we're waiting for.
@@ -3766,6 +3770,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
if (result == ISC_R_SUCCESS) {
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
fctx->fwdpolicy = forwarders->fwdpolicy;
+ dns_name_copynf(domain, fctx->fwdname);
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
isstrictsubdomain(domain, &fctx->domain))
{
@@ -5155,6 +5160,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
fctx->restarts = 0;
fctx->querysent = 0;
fctx->referrals = 0;
+
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
TIME_NOW(&fctx->start);
fctx->timeouts = 0;
fctx->lamecount = 0;
@@ -5217,6 +5225,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
fname, &forwarders);
if (result == ISC_R_SUCCESS) {
fctx->fwdpolicy = forwarders->fwdpolicy;
+ dns_name_copynf(fname, fctx->fwdname);
}
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
@@ -7120,6 +7129,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
}
}
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_forwarders_t *forwarders = NULL;
+ dns_fixedname_t fixed, zfixed;
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+ dns_name_t *apex = NULL;
+ dns_name_t suffix;
+ dns_zone_t *zone = NULL;
+ unsigned int labels;
+ dns_namereln_t rel;
+
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+ /*
+ * The name is outside the queried namespace.
+ */
+ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
+ &(unsigned int){ 0U });
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+ return (true);
+ }
+
+ /*
+ * If the record lives in the parent zone, adjust the name so we
+ * look for the correct zone or forward clause.
+ */
+ labels = dns_name_countlabels(name);
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
+ dns_name_init(&suffix, NULL);
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+ name = &suffix;
+ } else if (rel == dns_namereln_equal) {
+ /* If 'name' is 'apex', no further checking is needed. */
+ return (false);
+ }
+
+ /*
+ * If there is a locally served zone between 'apex' and 'name'
+ * then don't cache.
+ */
+ LOCK(&fctx->res->view->lock);
+ if (fctx->res->view->zonetable != NULL) {
+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
+ zfname, &zone);
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
+ &(unsigned int){ 0U }) ==
+ dns_namereln_subdomain)
+ {
+ UNLOCK(&fctx->res->view->lock);
+ return (true);
+ }
+ }
+ }
+ UNLOCK(&fctx->res->view->lock);
+
+ /*
+ * Look for a forward declaration below 'name'.
+ */
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+ &forwarders);
+
+ if (ISFORWARDER(fctx->addrinfo)) {
+ /*
+ * See if the forwarder declaration is better.
+ */
+ if (result == ISC_R_SUCCESS) {
+ return (!dns_name_equal(fname, fctx->fwdname));
+ }
+
+ /*
+ * If the lookup failed, the configuration must have
+ * changed: play it safe and don't cache.
+ */
+ return (true);
+ } else if (result == ISC_R_SUCCESS &&
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
+ {
+ /*
+ * If 'name' is covered by a 'forward only' clause then we
+ * can't cache this repsonse.
+ */
+ return (true);
+ }
+
+ return (false);
+}
+
static isc_result_t
check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
dns_section_t section) {
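Review bot: The header comment on `name_external()` does not mention that the function takes `fctx->res->view->lock` and performs a zone-table lookup plus a forward-table lookup on every call, which matters because the later hunks call it once per name from `check_section()`, `rctx_answer_scan()` and `rctx_authority_positive()`. I would add a line such as `* Takes view->lock for the zone table lookup.` to that comment. The lock is also released in two places (before the early `return (true)` in the zone-table branch and on the normal path); recording the outcome in a local flag and unlocking once would make a missed unlock on a later edit less likely. The inline comment near the end of the function spells "response" as "repsonse".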
@@ -7146,7 +7256,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
result = dns_message_findname(rctx->query->rmessage, section, addname,
dns_rdatatype_any, 0, &name, NULL);
if (result == ISC_R_SUCCESS) {
- external = !dns_name_issubdomain(name, &fctx->domain);
+ external = name_external(name, type, fctx);
if (type == dns_rdatatype_a) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
@@ -8770,6 +8880,13 @@ rctx_answer_scan(respctx_t *rctx) {
break;
case dns_namereln_subdomain:
+ /*
+ * Don't accept DNAME from parent namespace.
+ */
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
+ continue;
+ }
+
/*
* In-scope DNAME records must have at least
* as many labels as the domain being queried.
@@ -9083,13 +9200,11 @@ rctx_authority_positive(respctx_t *rctx) {
DNS_SECTION_AUTHORITY);
while (!done && result == ISC_R_SUCCESS) {
dns_name_t *name = NULL;
- bool external;
dns_message_currentname(rctx->query->rmessage,
DNS_SECTION_AUTHORITY, &name);
- external = !dns_name_issubdomain(name, &fctx->domain);
- if (!external) {
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
dns_rdataset_t *rdataset = NULL;
/*
@@ -9476,7 +9591,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
}
if (!dns_name_issubdomain(name, &fctx->domain)) {
- /* Invalid name found; preserve it for logging later */
+ /*
+ * Invalid name found; preserve it for logging
+ * later.
+ */
rctx->found_name = name;
rctx->found_type = ISC_LIST_HEAD(name->list)->type;
continue;
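Review bot: `rctx_authority_dnssec()` still decides scope with `dns_name_issubdomain(name, &fctx->domain)` in the context line of this hunk, while `check_section()` and `rctx_authority_positive()` were switched to `name_external()` earlier in the same patch. For answers that came from a forwarder, `name_external()` compares against `fctx->fwdname` instead of `fctx->domain`, so the two paths can disagree about whether a name is in scope. If the difference is deliberate, a comment here should say so, for example `/* Scope is checked against fctx->domain only; forward and local zone cuts are not consulted here. */`. The function body starts and ends outside the hunk, so the surrounding logic cannot be confirmed from this page. Because the page removes this patch file from the package, it is also worth confirming that the packaged source tree already contains `name_external()` before the file goes away.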


@ -1,79 +0,0 @@
From bfa4b9c1418ca1ae504f3474e8ffe6fddb6d3e98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 8 Feb 2022 12:42:34 +0100
Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
asynchronously to ensure correct order of multiple packets processing in
the isc__nm_process_sock_buffer(). When not run asynchronously, it
would cause:
a) out-of-order processing of the return codes from processbuffer();
b) stack growth because the next TCP DNS message read callback will
be called from within the current TCP DNS message read callback.
The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
sockets which calls isc__nm_process_sock_buffer(). If the read callback
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
attach to the nmhandle (f.e. because it wants to drop the processing or
we send the response directly via uv_try_write()), the
isc__nm_resume_processing() (via .closehandle_cb) would call
isc__nm_process_sock_buffer() recursively.
The below shortened code path shows how the stack can grow:
1: ns__client_request(handle, ...);
2: isc_nm_tcpdns_sequential(handle);
3: ns_query_start(client, handle);
4: query_lookup(qctx);
5: query_send(qctcx->client);
6: isc__nmhandle_detach(&client->reqhandle);
7: nmhandle_detach_cb(&handle);
8: sock->closehandle_cb(sock); // isc__nm_resume_processing
9: isc__nm_process_sock_buffer(sock);
10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
11: isc_nmhandle_attach(req->handle, &handle);
12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
13: isc__nm_async_readcb(NULL, ...);
14: uvreq->cb.recv(...); // ns__client_request
Instead, if 'sock->closehandle_cb' is set, we need to run detach the
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
the code flow above does not start this recursion. This ensures the
correct order when processing multiple packets in the function
'isc__nm_process_sock_buffer()' and prevents the stack growth.
When not run asynchronously, the out-of-order processing leaves the
first TCP socket open until all requests on the stream have been
processed.
If the pipelining is disabled on the TCP via `keep-response-order`
configuration option, named would keep the first socket in lingering
CLOSE_WAIT state when the client sends an incomplete packet and then
closes the connection from the client side.
---
lib/isc/netmgr/netmgr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index cabe9d5..c405a9b 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1731,8 +1731,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
handle = *handlep;
*handlep = NULL;
+ /*
+ * If the closehandle_cb is set, it needs to run asynchronously to
+ * ensure correct ordering of the isc__nm_process_sock_buffer().
+ */
sock = handle->sock;
- if (sock->tid == isc_nm_tid()) {
+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
nmhandle_detach_cb(&handle FLARG_PASS);
} else {
isc__netievent_detach_t *event =
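Review bot: The added comment sits above `sock = handle->sock;`, but it explains the `sock->closehandle_cb == NULL` test two lines further down; moving it directly above the `if` keeps the reason next to the condition it justifies. The comment would also be more useful if it named the consequence described in the commit message, e.g. `* A direct nmhandle_detach_cb() call here would re-enter isc__nm_process_sock_buffer() from inside a read callback.` The function continues past the end of the hunk.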
--
1.8.3.1


@ -1,62 +0,0 @@
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 8 Sep 2022 11:11:30 +0200
Subject: [PATCH] Bound the amount of work performed for delegations
Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered. Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.
The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
---
lib/dns/resolver.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d2cf14bbc8b..73a0ee9f779 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -195,6 +195,12 @@
*/
#define NS_FAIL_LIMIT 4
#define NS_RR_LIMIT 5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
/* Number of hash buckets for zone counters */
#ifndef RES_DOMAIN_BUCKETS
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
bool need_alternate = false;
bool all_spilled = true;
unsigned int no_addresses = 0;
+ unsigned int ns_processed = 0;
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3902,6 +3909,11 @@ normal_nses:
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
+
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
return (result);
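Review bot: When `++ns_processed >= NS_PROCESSING_LIMIT` fires, the loop exits with `result = ISC_R_NOMORE`, the same value a fully walked NS RRset produces, so a truncated delegation cannot be told apart from a normal one in logs or traces. Someone investigating an oversized delegation or an unexpected resolution failure would want a signal; a trace line before the `break`, such as `FCTXTRACE("NS processing limit reached");`, gives one without changing behaviour. The counter follows iteration order, so which name servers survive the cut depends on RRset ordering, and that is worth stating in the comment above `#define NS_PROCESSING_LIMIT 20`. The loop and the function both start outside this hunk.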
--
GitLab


@ -1,45 +0,0 @@
From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 16 Aug 2022 16:26:02 -0700
Subject: [PATCH] compression buffer was not reused correctly
when the compression buffer was reused for multiple statistics
requests, responses could grow beyond the correct size. this was
because the buffer was not cleared before reuse; compressed data
was still written to the beginning of the buffer, but then the size
of used region was increased by the amount written, rather than set
to the amount written. this caused responses to grow larger and
larger, potentially reading past the end of the allocated buffer.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/13333db69f9b9710a98c86f44276e01e95420fa0
(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)
---
lib/isc/httpd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index 776455a..e55330b 100644
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -246,6 +246,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
if (r.length > 0) {
isc_mem_put(mctx, r.base, r.length);
}
+
+ isc_buffer_initnull(buffer);
}
static void
@@ -910,6 +912,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {
if (result != ISC_R_SUCCESS) {
return (result);
}
+ isc_buffer_clear(&httpd->compbuffer);
isc_buffer_region(&httpd->compbuffer, &r);
/*
--
2.23.0


@ -1,149 +0,0 @@
From 3f68e2ad838b3c12a725ccb1082a54b0e8b69562 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 2 Sep 2022 16:50:39 +0200
Subject: [PATCH] Only refresh RRset once
Don't attempt to resolve DNS responses for intermediate results. This
may create multiple refreshes and can cause a crash.
One scenario is where for the query there is a CNAME and canonical
answer in cache that are both stale. This will trigger a refresh of
the RRsets because we encountered stale data and we prioritized it over
the lookup. It will trigger a refresh of both RRsets. When we start
recursing, it will detect a recursion loop because the recursion
parameters will eventually be the same. In 'dns_resolver_destroyfetch'
the sanity check fails, one of the callers did not get its event back
before trying to destroy the fetch.
Move the call to 'query_refresh_rrset' to 'ns_query_done', so that it
is only called once per client request.
Another scenario is where for the query there is a stale CNAME in the
cache that points to a record that is also in cache but not stale. This
will trigger a refresh of the RRset (because we encountered stale data
and we prioritized it over the lookup).
We mark RRsets that we add to the message with
DNS_RDATASETATTR_STALE_ADDED to prevent adding a duplicate RRset when
a stale lookup and a normal lookup conflict with each other. However,
the other non-stale RRset when following a CNAME chain will be added to
the message without setting that attribute, because it is not stale.
This is a variant of the bug in #2594. The fix covered the same crash
but for stale-answer-client-timeout > 0.
Fix this by clearing all RRsets from the message before refreshing.
This requires the refresh to happen after the query is send back to
the client.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/13333db69f9b9710a98c86f44276e01e95420fa0
(cherry picked from commit d939d2ecde5639d11acd6eac33a997b3e3c78b02)
---
lib/ns/include/ns/query.h | 1 +
lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
index 142ef8c6c1d..be0dadd5099 100644
--- a/lib/ns/include/ns/query.h
+++ b/lib/ns/include/ns/query.h
@@ -147,6 +147,7 @@ struct query_ctx {
bool authoritative; /* authoritative query? */
bool want_restart; /* CNAME chain or other
* restart needed */
+ bool refresh_rrset; /* stale RRset refresh needed */
bool need_wildcardproof; /* wildcard proof needed */
bool nxrewrite; /* negative answer from RPZ */
bool findcoveringnsec; /* lookup covering NSEC */
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 5c2701eb718..98cfffe8c36 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5737,7 +5737,6 @@ query_lookup(query_ctx_t *qctx) {
bool dbfind_stale = false;
bool stale_timeout = false;
bool stale_found = false;
- bool refresh_rrset = false;
bool stale_refresh_window = false;
CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
@@ -5921,8 +5920,7 @@ query_lookup(query_ctx_t *qctx) {
"%s stale answer used, an attempt to "
"refresh the RRset will still be made",
namebuf);
- refresh_rrset = STALE(qctx->rdataset);
- qctx->client->nodetach = refresh_rrset;
+ qctx->refresh_rrset = STALE(qctx->rdataset);
}
} else {
/*
@@ -5960,17 +5958,6 @@ query_lookup(query_ctx_t *qctx) {
result = query_gotanswer(qctx, result);
- if (refresh_rrset) {
- /*
- * If we reached this point then it means that we have found a
- * stale RRset entry in cache and BIND is configured to allow
- * queries to be answered with stale data if no active RRset
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
- * still need to refresh the RRset.
- */
- query_refresh_rrset(qctx);
- }
-
cleanup:
return (result);
}
@@ -7760,11 +7747,14 @@ query_addanswer(query_ctx_t *qctx) {
/*
* On normal lookups, clear any rdatasets that were added on a
- * lookup due to stale-answer-client-timeout.
+ * lookup due to stale-answer-client-timeout. Do not clear if we
+ * are going to refresh the RRset, because the stale contents are
+ * prioritized.
*/
if (QUERY_STALEOK(&qctx->client->query) &&
- !QUERY_STALETIMEOUT(&qctx->client->query))
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
{
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
query_clear_stale(qctx->client);
/*
* We can clear the attribute to prevent redundant clearing
@@ -11478,9 +11468,29 @@ ns_query_done(query_ctx_t *qctx) {
/*
* Client may have been detached after query_send(), so
* we test and store the flag state here, for safety.
+ * If we are refreshing the RRSet, we must not detach from the client
+ * in the query_send(), so we need to override the flag.
*/
+ if (qctx->refresh_rrset) {
+ qctx->client->nodetach = true;
+ }
nodetach = qctx->client->nodetach;
query_send(qctx->client);
+
+ if (qctx->refresh_rrset) {
+ /*
+ * If we reached this point then it means that we have found a
+ * stale RRset entry in cache and BIND is configured to allow
+ * queries to be answered with stale data if no active RRset
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
+ * still need to refresh the RRset. To prevent adding duplicate
+ * RRsets, clear the RRsets from the message before doing the
+ * refresh.
+ */
+ message_clearrdataset(qctx->client->message, 0);
+ query_refresh_rrset(qctx);
+ }
+
if (!nodetach) {
qctx->detach_client = true;
}
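Review bot: The block after `query_send(qctx->client)` dereferences `qctx->client->message`, and that is safe only because `nodetach` was forced to `true` a few lines earlier; the second comment should say so, e.g. `* The client is still attached here because nodetach was set above.` The same comment spells the option as `stale-anwer-client-timeout`, carried over from the removed block, so a search for `stale-answer-client-timeout` will not find it. Separately, the `Reference:` trailer of this patch names commit 13333db69f9b9710a98c86f44276e01e95420fa0, which is the hash in the `From` line of the httpd.c compression patch, not 3f68e2ad838b3c12a725ccb1082a54b0e8b69562 from this patch's own `From` line. The provenance link looks copy-pasted and should be corrected wherever the patch is kept.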
--
GitLab


@ -1,26 +0,0 @@
From 5b2282afff760b1ed3471f6666bdfe8e1d34e590 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 11 Aug 2022 15:15:34 +1000
Subject: [PATCH] Free eckey on siglen mismatch
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
---
lib/dns/opensslecdsa_link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 1f16ca70738..5ee4342b387 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -230,7 +230,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
}
if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
}
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
--
GitLab


@ -1,33 +0,0 @@
From 1af23378ebb11da2eb0f412e4563d6c4165fbd3d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 11 Aug 2022 15:28:13 +1000
Subject: [PATCH] Free ctx on invalid siglen
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d
(cherry picked from commit 6ddb480a84836641a0711768a94122972c166825)
---
lib/dns/openssleddsa_link.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index b5ab3b3d8a2..12fdf650eb6 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -236,11 +236,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
}
#endif /* if HAVE_OPENSSL_ED448 */
if (siglen == 0) {
- return (ISC_R_NOTIMPLEMENTED);
+ DST_RET(ISC_R_NOTIMPLEMENTED);
}
if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
}
isc_buffer_usedregion(buf, &tbsreg);
--
GitLab


@ -1,39 +0,0 @@
From 4ace37bf7386e73af1d295d206b101c27a9edbad Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 24 Nov 2021 11:03:19 +1100
Subject: [PATCH] Do not convert ISC_R_NOSPACE to DNS_R_SERVFAIL too early
The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer. If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.
(cherry picked from commit 08f1cba096243cd14041731b7ea1ad45e54e87b0)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4ace37bf7386e73af1d295d206b101c27a9edbad
---
lib/dns/sdlz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index c8a615a0f3..0b46fb9efd 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -1875,7 +1875,6 @@ dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
mctx, rdatabuf, &lookup->callbacks);
if (result != ISC_R_SUCCESS) {
isc_buffer_free(&rdatabuf);
- result = DNS_R_SERVFAIL;
}
if (size >= 65535) {
break;
@@ -1887,6 +1886,7 @@ dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
} while (result == ISC_R_NOSPACE);
if (result != ISC_R_SUCCESS) {
+ result = DNS_R_SERVFAIL;
goto failure;
}
--
2.23.0


@ -1,82 +0,0 @@
From bf1eaf46611bdbfcc2a6f6f77871eebf8351a629 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 25 Nov 2021 13:16:56 +1100
Subject: [PATCH] Exercise ISC_R_NOSPACE path in dns_sdlz_putrr
Use relative names when adding SOA record and a long domain
name to create SOA RR where the wire format is longer than
the initial buffer allocation in dns_sdlz_putrr.
(cherry picked from commit 6dc524860622277bd24fe17d4a82454b30f5f1b5)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/bf1eaf46611bdbfcc2a6f6f77871eebf8351a629
---
bin/tests/system/dlzexternal/driver.c | 23 +++++++++----------
bin/tests/system/dlzexternal/ns1/dlzs.conf.in | 5 ++++
2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
index 26da9c5deb..9c8ed0080f 100644
--- a/bin/tests/system/dlzexternal/driver.c
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -238,10 +238,9 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
struct dlz_example_data *state;
const char *helper_name;
va_list ap;
- char soa_data[1024];
- const char *extra;
+ char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")];
isc_result_t result;
- int n;
+ size_t n;
UNUSED(dlzname);
@@ -275,19 +274,19 @@ dlz_create(const char *dlzname, unsigned int argc, char *argv[], void **dbdata,
sprintf(state->zone_name, "%s.", argv[1]);
}
+ /*
+ * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+ */
if (strcmp(state->zone_name, ".") == 0) {
- extra = ".root";
+ n = strlcpy(soa_data,
+ "@ hostmaster.root 123 900 600 86400 3600",
+ sizeof(soa_data));
} else {
- extra = ".";
+ n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600",
+ sizeof(soa_data));
}
- n = sprintf(soa_data, "%s hostmaster%s%s 123 900 600 86400 3600",
- state->zone_name, extra, state->zone_name);
-
- if (n < 0) {
- CHECK(ISC_R_FAILURE);
- }
- if ((unsigned)n >= sizeof(soa_data)) {
+ if (n >= sizeof(soa_data)) {
CHECK(ISC_R_NOSPACE);
}
diff --git a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
index 07bf329b50..c679498118 100644
--- a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
+++ b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
@@ -21,6 +21,11 @@ dlz "example three" {
database "dlopen ../driver.@SO@ example.org";
};
+dlz "example four" {
+ // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+ database "dlopen ../driver.@SO@ 123456789.123456789.123456789.123456789.123456789.example.foo";
+};
+
dlz "unsearched1" {
database "dlopen ../driver.@SO@ other.nil";
search no;
--
2.23.0


@ -1,153 +0,0 @@
From c243daf8395bf8406f6697dde5ba62a25d188a1b Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 11 Oct 2021 13:01:20 -0700
Subject: [PATCH] Add a regression test
Reconfigure the server without catalog-zone configuration, and then
put it back and reconfigure again, to confirm that there's no crash.
(cherry picked from commit bb411af31dd78ceda7a16f7ecfab483fb3746af9)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c243daf8395bf8406f6697dde5ba62a25d188a1b
---
.../ns2/{named.conf.in => named1.conf.in} | 0
bin/tests/system/catz/ns2/named2.conf.in | 60 +++++++++++++++++++
bin/tests/system/catz/setup.sh | 2 +-
bin/tests/system/catz/tests.sh | 16 ++++-
4 files changed, 74 insertions(+), 4 deletions(-)
rename bin/tests/system/catz/ns2/{named.conf.in => named1.conf.in} (100%)
create mode 100644 bin/tests/system/catz/ns2/named2.conf.in
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
similarity index 100%
rename from bin/tests/system/catz/ns2/named.conf.in
rename to bin/tests/system/catz/ns2/named1.conf.in
diff --git a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
new file mode 100644
index 0000000000..fcd99ca0d4
--- /dev/null
+++ b/bin/tests/system/catz/ns2/named2.conf.in
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ notify no;
+ recursion no;
+ serial-query-rate 100;
+ # removed catalog-zone option, otherwise this is
+ # identical to named1.conf.in
+};
+
+zone "catalog1.example" {
+ type secondary;
+ file "catalog1.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+ type secondary;
+ file "catalog2.example.db";
+ primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+ type secondary;
+ file "catalog3.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+ type secondary;
+ file "catalog4.example.db";
+ primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm hmac-md5;
+};
diff --git a/bin/tests/system/catz/setup.sh b/bin/tests/system/catz/setup.sh
index 960cffe9a7..e23ea4f058 100644
--- a/bin/tests/system/catz/setup.sh
+++ b/bin/tests/system/catz/setup.sh
@@ -15,7 +15,7 @@ SYSTEMTESTTOP=..
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index c443b739ff..cd2084e59a 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -1179,7 +1179,7 @@ status=$((status+ret))
n=$((n+1))
echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)"
ret=0
-sed -e "s/^#T1//g" < ns2/named.conf.in > ns2/named.conf.tmp
+sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp
copy_setports ns2/named.conf.tmp ns2/named.conf
rndccmd 10.53.0.2 reconfig || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -1210,7 +1210,7 @@ status=$((status+ret))
n=$((n+1))
echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)"
ret=0
-sed -e "s/^#T2//" < ns2/named.conf.in > ns2/named.conf.tmp
+sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp
copy_setports ns2/named.conf.tmp ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -1219,7 +1219,7 @@ status=$((status+ret))
n=$((n+1))
echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)"
ret=0
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
rndccmd 10.53.0.2 reconfig || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
@@ -1730,5 +1730,15 @@ wait_for_no_soa @10.53.0.2 dom16.example. dig.out.test$n || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)"
+ret=0
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
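Review bot: The new test takes the exit codes of the two `rndccmd 10.53.0.2 reconfig` calls as proof that named survived, but `status` is finalised immediately afterwards, so a crash that occurs after the control channel has already replied would go unnoticed. A follow-up probe after the second reconfig, for example `rndccmd 10.53.0.2 status > /dev/null || ret=1`, would make the regression test fail on a delayed crash too. Whether the original crash is synchronous with the reconfig reply cannot be told from this page, so treat this as hardening of the test, not a known gap.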
--
2.23.0


@ -1,119 +0,0 @@
From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 11 Oct 2021 18:13:39 +0000
Subject: [PATCH] Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a
---
bin/named/server.c | 2 ++
lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++
lib/dns/win32/libdns.def.in | 2 ++
lib/dns/zone.c | 18 ++++++++++++++++++
4 files changed, 42 insertions(+)
diff --git a/bin/named/server.c b/bin/named/server.c
index 860ccae8a1..9c0f12f63f 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
if (zone_is_catz) {
dns_zone_catz_enable(zone, view->catzs);
+ } else if (dns_zone_catz_is_enabled(zone)) {
+ dns_zone_catz_disable(zone);
}
/*
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 08e2263c5b..33ab5c60fd 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
* \li prior to calling, zone->catzs is NULL or is equal to 'catzs'
*/
+void
+dns_zone_catz_disable(dns_zone_t *zone);
+/*%<
+ * Disable zone as catalog zone, if it is one.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone);
+/*%<
+ * Return a boolean indicating whether the zone is enabled as catalog zone.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
void
dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
/*%<
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 31f511103f..1e0f7cf64a 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown
dns_zone_addnsec3chain
dns_zone_asyncload
dns_zone_attach
+dns_zone_catz_disable
dns_zone_catz_enable
dns_zone_catz_enable_db
+dns_zone_catz_is_enabled
dns_zone_cdscheck
dns_zone_checknames
dns_zone_clearforwardacl
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 65a3aacab7..bc33e6ede8 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
UNLOCK_ZONE(zone);
}
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->catzs != NULL) {
+ dns_catz_catzs_detach(&zone->catzs);
+ }
+ UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->catzs != NULL);
+}
+
/*
* If a zone is a catalog zone, attach it to update notification in database.
*/
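Review bot: dns_zone_catz_is_enabled() reads `zone->catzs` without LOCK_ZONE, while dns_zone_catz_disable(), added just above it, changes the same field under the zone lock. If every caller runs while the server has exclusive access, as the configure_zone() call site in bin/named/server.c may, the unlocked read is harmless, but neither the code nor the doc comment added in dns/zone.h says so. Either take the lock around the read, or add a requirement to the header comment such as `\li the caller prevents concurrent dns_zone_catz_enable()/dns_zone_catz_disable() calls on 'zone'`. The check in configure_zone() is also redundant, because dns_zone_catz_disable() already tests for NULL under the lock.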
--
2.27.0


@ -1,162 +0,0 @@
From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 1 Dec 2021 17:41:20 +0100
Subject: [PATCH] Improve the logging on failed TCP accept
Previously, when TCP accept failed, we have logged a message with
ISC_LOG_ERROR level. One common case, how this could happen is that the
client hits TCP client quota and is put on hold and when resumed, the
client has already given up and closed the TCP connection. In such
case, the named would log:
TCP connection failed: socket is not connected
This message was quite confusing because it actually doesn't say that
it's related to the accepting the TCP connection and also it logs
everything on the ISC_LOG_ERROR level.
Change the log message to "Accepting TCP connection failed" and for
specific error states lower the severity of the log message to
ISC_LOG_INFO.
(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6
---
lib/isc/netmgr/netmgr-int.h | 3 +++
lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++++++
lib/isc/netmgr/tcp.c | 20 ++------------------
lib/isc/netmgr/tcpdns.c | 22 ++--------------------
4 files changed, 34 insertions(+), 38 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index f7b54f9..b4299d5 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async);
void
isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+
#define STREAM_CLIENTS_PER_CONN 23
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 3283eb6e4f..54042a9123 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) {
}
}
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
+ int level;
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case ISC_R_NOCONN:
+ return;
+ case ISC_R_QUOTA:
+ case ISC_R_SOFTQUOTA:
+ if (!can_log_quota) {
+ return;
+ }
+ level = ISC_LOG_INFO;
+ break;
+ case ISC_R_NOTCONNECTED:
+ level = ISC_LOG_INFO;
+ break;
+ default:
+ level = ISC_LOG_ERROR;
+ }
+
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+ level, "Accepting TCP connection failed: %s",
+ isc_result_totext(result));
+}
+
static void
isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
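Review bot: isc__nm_accept_connection_log() is added with no comment stating its logging policy, either here or at the prototype in netmgr-int.h, and that policy is what someone triaging accept failures needs to know. A header comment would cover it: `/* Log a failed TCP accept: nothing for ISC_R_SUCCESS and ISC_R_NOCONN; ISC_LOG_INFO for ISC_R_QUOTA/ISC_R_SOFTQUOTA (only when 'can_log_quota' is true) and for ISC_R_NOTCONNECTED; ISC_LOG_ERROR for anything else. */`. The `default:` arm also ends without a `break;`, unlike the other arms; adding one keeps the switch safe if a case is appended later.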
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 5cca9f5214..1b5e80d3a7 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) {
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
void
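Review bot: `can_log_tcp_quota()` is now evaluated on every pass through `done:`, successful accepts included, because it is passed as an argument; the removed code reached it only for ISC_R_QUOTA/ISC_R_SOFTQUOTA through the short-circuit `||`. Its body is not part of this patch, but if it is a rate limiter that records when it was last called, an ordinary accept can use up the window and suppress the next quota message, which is what an operator watches to notice TCP client quota exhaustion. Evaluating it only for the quota results keeps the old behaviour: `isc__nm_accept_connection_log(result, (result == ISC_R_QUOTA || result == ISC_R_SOFTQUOTA) && can_log_tcp_quota());`. The same applies to isc__nm_async_tcpaccept() in the next hunk and to both tcpdns.c call sites with can_log_tcpdns_quota(); tcp_connection_cb() starts outside this hunk.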
@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
result = accept_connection(sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
static isc_result_t
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 188790c8b4..b76dcbc66c 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) {
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
void
@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(ievent->sock->tid == isc_nm_tid());
result = accept_connection(ievent->sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
static isc_result_t
--
2.27.0


@ -1,46 +0,0 @@
From d5cdcf924a6b94cd501e33b0963dd787a72af1f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Mon, 6 Dec 2021 11:10:17 +0100
Subject: [PATCH] Stop leaking mutex in nmworker and cond in nm socket
On FreeBSD, the pthread primitives are not solely allocated on stack,
but part of the object lives on the heap. Missing pthread_*_destroy
causes the heap memory to grow and in case of fast lived object it's
possible to run out-of-memory.
Properly destroy the leaking mutex (worker->lock) and
the leaking condition (sock->cond).
(cherry picked from commit 57d0fabaddf0e7ac297a046b084df8fb22d54d51)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d5cdcf924a6b94cd501e33b0963dd787a72af1f8
---
lib/isc/netmgr/netmgr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 54042a9123..e81ad4673e 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -425,6 +425,7 @@ nm_destroy(isc_nm_t **mgr0) {
isc_mempool_put(mgr->evpool, ievent);
}
isc_condition_destroy(&worker->cond_prio);
+ isc_mutex_destroy(&worker->lock);
r = uv_loop_close(&worker->loop);
INSIST(r == 0);
@@ -1267,8 +1268,9 @@ nmsocket_cleanup(isc_nmsocket_t *sock, bool dofree FLARG) {
isc_mem_free(sock->mgr->mctx, sock->ah_frees);
isc_mem_free(sock->mgr->mctx, sock->ah_handles);
- isc_mutex_destroy(&sock->lock);
isc_condition_destroy(&sock->scond);
+ isc_condition_destroy(&sock->cond);
+ isc_mutex_destroy(&sock->lock);
#ifdef NETMGR_TRACE
LOCK(&sock->mgr->lock);
ISC_LIST_UNLINK(sock->mgr->active_sockets, sock, active_link);
--
2.23.0


@ -1,32 +0,0 @@
From 8dd1288dca7d6c15e8d27a746ff0e218c8981345 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 23 Dec 2021 17:42:39 +1100
Subject: [PATCH] Address memory leak when processing dnssec-policy clauses
A kasp structure was not detached when looking to see if there
was an existing kasp structure with the same name, causing memory
to be leaked. Fixed by calling dns_kasp_detach() to release the
reference.
(cherry picked from commit 694440e6140bbf410b4abe3b1539491d63a43a33)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8dd1288dca7d6c15e8d27a746ff0e218c8981345
---
lib/isccfg/kaspconf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 8a119fb612..15433d9f90 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -272,6 +272,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result == ISC_R_SUCCESS) {
+ dns_kasp_detach(&kasp);
return (ISC_R_EXISTS);
}
if (result != ISC_R_NOTFOUND) {
--
2.23.0


@ -1,54 +0,0 @@
From 0e0cd6bf17704300cf3a1f69563219ce263da913 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 23 Dec 2021 17:54:53 +1100
Subject: [PATCH] Report duplicate dnssec-policy names
Duplicate dnssec-policy names were detected as an error condition
but were not logged.
(cherry picked from commit b8845454c8c67c5c5650e597936f6303708bdd7d)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/0e0cd6bf17704300cf3a1f69563219ce263da913
---
bin/tests/system/checkconf/bad-kasp-duplicate.conf | 13 +++++++++++++
lib/isccfg/kaspconf.c | 4 ++++
2 files changed, 17 insertions(+)
create mode 100644 bin/tests/system/checkconf/bad-kasp-duplicate.conf
diff --git a/bin/tests/system/checkconf/bad-kasp-duplicate.conf b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
new file mode 100644
index 0000000000..8ecc670e0b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
@@ -0,0 +1,13 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy a { };
+dnssec-policy a { };
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 15433d9f90..f6f1bc3a10 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -272,6 +272,10 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result == ISC_R_SUCCESS) {
+ cfg_obj_log(
+ config, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: duplicately named policy found '%s'",
+ kaspname);
dns_kasp_detach(&kasp);
return (ISC_R_EXISTS);
}
--
2.23.0


@ -1,65 +0,0 @@
From 21b00934403697a6ac98422b38a517d0833c946f Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 4 Jan 2022 12:08:43 -0800
Subject: [PATCH] Prevent a shutdown race in catz_create_chg_task()
If a catz event is scheduled while the task manager was being
shut down, task-exclusive mode is unavailable. This needs to be
handled as an error rather than triggering an assertion.
(cherry picked from commit 973ac1d8912d8d885e9a002ffee4acbaf23e9c81)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/21b00934403697a6ac98422b38a517d0833c946f
---
bin/named/server.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 9c0f12f63f..cad992f873 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2921,11 +2921,16 @@ static isc_result_t
catz_create_chg_task(dns_catz_entry_t *entry, dns_catz_zone_t *origin,
dns_view_t *view, isc_taskmgr_t *taskmgr, void *udata,
isc_eventtype_t type) {
- catz_chgzone_event_t *event;
- isc_task_t *task;
+ catz_chgzone_event_t *event = NULL;
+ isc_task_t *task = NULL;
isc_result_t result;
isc_taskaction_t action = NULL;
+ result = isc_taskmgr_excltask(taskmgr, &task);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
switch (type) {
case DNS_EVENT_CATZADDZONE:
case DNS_EVENT_CATZMODZONE:
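Review bot: catz_create_chg_task() can now return a failure where it used to assert, and nothing at the function documents that new contract for its callers, which are not part of this patch. A short comment above the signature would record it: `/* Returns the isc_taskmgr_excltask() result when task-exclusive mode is unavailable (e.g. during shutdown); no event is allocated or sent in that case. */`. Callers should be checked to confirm they propagate or log that result rather than assume the change was scheduled. The function body continues beyond this hunk into the next two.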
@@ -2936,6 +2941,7 @@ catz_create_chg_task(dns_catz_entry_t *entry, dns_catz_zone_t *origin,
break;
default:
REQUIRE(0);
+ ISC_UNREACHABLE();
}
event = (catz_chgzone_event_t *)isc_event_allocate(
@@ -2946,13 +2952,11 @@ catz_create_chg_task(dns_catz_entry_t *entry, dns_catz_zone_t *origin,
event->origin = NULL;
event->view = NULL;
event->mod = (type == DNS_EVENT_CATZMODZONE);
+
dns_catz_entry_attach(entry, &event->entry);
dns_catz_zone_attach(origin, &event->origin);
dns_view_attach(view, &event->view);
- task = NULL;
- result = isc_taskmgr_excltask(taskmgr, &task);
- REQUIRE(result == ISC_R_SUCCESS);
isc_task_send(task, ISC_EVENT_PTR(&event));
isc_task_detach(&task);
--
2.23.0


@ -1,129 +0,0 @@
From bdb91e3825c194a0750ecf79f8acfd81de8c001d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 7 Dec 2021 13:59:42 +0100
Subject: [PATCH] Fix bug introduced by #763 related to offline keys
In some cases we want to keep expired signatures. For example, if the
KSK is offline, we don't want to fall back to signing with the ZSK.
We could remove the signatures, but in any case we end up with a broken
zone.
The change made for GL #763 prevented the behavior to sign the DNSKEY
RRset with the ZSK if the KSK was offline (and signatures were expired).
The change causes the definition of "having both keys": if one key is
offline, we still consider having both keys, so we don't fallback
signing with the ZSK if KSK is offline.
That change also works the other way, if the ZSK is offline, we don't
fallback signing with the KSK.
This commit fixes that, so we only fallback signing zone RRsets with
the KSK, not signing key RRsets with the ZSK.
(cherry picked from commit beeefe35c4a05bb69e9730190039fdf3e9fea1ba)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/bdb91e3825c194a0750ecf79f8acfd81de8c001d
---
lib/dns/update.c | 6 +++---
lib/dns/zone.c | 24 +++++++++++++++---------
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 71ef7dde46..2a766dc6ba 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1158,8 +1158,8 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
}
/* Don't consider inactive keys, however
- * the key may be temporary offline, so do
- * consider keys which private key files are
+ * the KSK may be temporary offline, so do
+ * consider KSKs which private key files are
* unavailable.
*/
if (dst_key_inactive(keys[j])) {
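Review bot: The reworded comment differs across the three places this patch touches, although the code it describes is the same in each. Here it reads "the KSK may be temporary offline, so do consider KSKs", add_sigs() in lib/dns/zone.c says "the KSK ... consider keys", and zone_sign() says "the key ... consider KSKs". One wording should be used in all three, for example `Don't consider inactive keys; however, a KSK may be temporarily offline, so do consider KSKs whose private key files are unavailable.` The three loops are copies of one another (each gains the same `else if (dst_key_isprivate(...))`), so a shared static helper for the have_ksk/have_nonksk scan would stop them drifting apart again. Both add_sigs() bodies and zone_sign() extend beyond the hunks shown.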
@@ -1171,7 +1171,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
}
if (KSK(keys[j])) {
have_ksk = true;
- } else {
+ } else if (dst_key_isprivate(keys[j])) {
have_nonksk = true;
}
both = have_ksk && have_nonksk;
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 27373b34fe..f8eb0aae82 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -3483,7 +3483,8 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
INSIST(result == ISC_R_SUCCESS);
- /* RFC 3110, section 4: Performance Considerations:
+ /*
+ * RFC 3110, section 4: Performance Considerations:
*
* A public exponent of 3 minimizes the effort needed to verify
* a signature. Use of 3 as the public exponent is weak for
@@ -7060,8 +7061,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
continue;
}
- /* Don't consider inactive keys, however
- * the key may be temporary offline, so do
+ /*
+ * Don't consider inactive keys, however
+ * the KSK may be temporary offline, so do
* consider keys which private key files are
* unavailable.
*/
@@ -7074,7 +7076,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, dns_zone_t *zone,
}
if (KSK(keys[j])) {
have_ksk = true;
- } else {
+ } else if (dst_key_isprivate(keys[j])) {
have_nonksk = true;
}
both = have_ksk && have_nonksk;
@@ -9705,9 +9707,10 @@ zone_sign(dns_zone_t *zone) {
ALG(zone_keys[j]))) {
continue;
}
- /* Don't consider inactive keys, however
+ /*
+ * Don't consider inactive keys, however
* the key may be temporary offline, so
- * do consider keys which private key
+ * do consider KSKs which private key
* files are unavailable.
*/
if (dst_key_inactive(zone_keys[j])) {
@@ -9718,7 +9721,8 @@ zone_sign(dns_zone_t *zone) {
}
if (KSK(zone_keys[j])) {
have_ksk = true;
- } else {
+ } else if (dst_key_isprivate(
+ zone_keys[j])) {
have_nonksk = true;
}
both = have_ksk && have_nonksk;
@@ -14744,8 +14748,10 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
timeout = 30;
}
- /* Save request parameters so we can reuse them later on
- for resolving missing glue A/AAAA records. */
+ /*
+ * Save request parameters so we can reuse them later on
+ * for resolving missing glue A/AAAA records.
+ */
cb_args = isc_mem_get(zone->mctx, sizeof(*cb_args));
cb_args->stub = stub;
cb_args->tsig_key = key;
--
2.23.0


@ -1,58 +0,0 @@
From 8e31f6981a4e080bc02158a74f4f99f70144cf45 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 3 Dec 2021 16:18:13 +0100
Subject: [PATCH] Only warn if we could not delete signature
BIND can log this warning:
zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
missing or inactive and has no replacement: retaining signatures.
This log can happen when BIND tries to remove signatures because they
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files have been removed from disk. When we have
created a new ZSK we can replace the signatures created by the KSK
with signatures from the new ZSK.
It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.
The warning is logged if BIND detects the private ZSK file is missing.
The warning is logged even if we were able to delete the signature.
With the change from this commit it only logs this warning if it is not
okay to delete the signature.
(cherry picked from commit 2d2858841a8a749792f50ff077d03cf50f730981)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8e31f6981a4e080bc02158a74f4f99f70144cf45
---
lib/dns/zone.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 8bfc5e8bc9..27373b34fe 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -6858,7 +6858,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
}
deleted = true;
}
- if (warn) {
+ if (warn && !deleted) {
/*
* At this point, we've got an RRSIG,
* which is signed by an inactive key.
@@ -6868,7 +6868,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
* offline will prevent us spinning waiting
* for the private part.
*/
- if (incremental && !deleted) {
+ if (incremental) {
result = offline(db, ver, zonediff,
name, rdataset.ttl,
&rdata);
--
2.23.0


@ -1,498 +0,0 @@
From 99316385d35dc4a212988be7c69aadd20bc31fa1 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 5 Jan 2022 11:39:03 +0100
Subject: [PATCH] Replace RSASHA1 in autosign test with default alg
Change RSASHA1 to $DEFAULT_ALGORITHM to be FIPS compliant.
There is one RSASHA1 occurrence left, to test that dynamically adding an
NSEC3PARAM record to an NSEC-only zone fails.
(cherry picked from commit 6e9fed2d24bc6bd475132285971ad1a86c0f9dc6)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/99316385d35dc4a212988be7c69aadd20bc31fa1
---
bin/tests/system/autosign/ns3/keygen.sh | 132 ++++++++++++------------
bin/tests/system/autosign/tests.sh | 35 ++++---
2 files changed, 85 insertions(+), 82 deletions(-)
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 633e08360a..1755a499fe 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -30,8 +30,8 @@ setup () {
setup secure.example
cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -39,8 +39,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup secure.nsec3.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -48,8 +48,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup nsec3.nsec3.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -72,8 +72,8 @@ done
#
setup optout.nsec3.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -81,8 +81,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup nsec3.example
cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -90,9 +90,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup autonsec3.example
cat $infile > $zonefile
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../autoksk.key
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../autozsk.key
$DSFROMKEY $ksk.key > dsset-${zone}$TP
@@ -101,8 +101,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup secure.optout.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -110,8 +110,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup nsec3.optout.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -119,8 +119,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup optout.optout.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -128,8 +128,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup optout.example
cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -171,8 +171,8 @@ do
echo "label${count} IN TXT label${count}" >> $zonefile
count=`expr $count + 1`
done
-$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
mv $zonefile.signed $zonefile
@@ -189,8 +189,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out
# keys via nsupdate
#
setup secure-to-insecure.example
-$KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
@@ -198,9 +198,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out || dumpit s.out
# removal of keys on schedule.
#
setup secure-to-insecure2.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../del1.key
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../del2.key
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
@@ -209,8 +209,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
setup prepub.example
infile="secure-to-insecure2.example.db.in"
-$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
#
@@ -219,35 +219,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out
# no default key TTL; DNSKEY should get SOA TTL
setup ttl1.example
-$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# default key TTL should be used
-setup ttl2.example
-$KEYGEN -a RSASHA1 -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+setup ttl2.example
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# mismatched key TTLs, should use shortest
setup ttl3.example
-$KEYGEN -a RSASHA1 -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
cp $infile $zonefile
# existing DNSKEY RRset, should retain TTL
setup ttl4.example
-$KEYGEN -a RSASHA1 -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
cat ${infile} K${zone}.+*.key > $zonefile
-$KEYGEN -a RSASHA1 -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
#
# A zone with a DNSKEY RRset that is published before it's activated
#
setup delay.example
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
echo $ksk > ../delayksk.key
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../delayzsk.key
#
@@ -255,8 +255,8 @@ echo $zsk > ../delayzsk.key
# is missing.
#
setup noksk.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../noksk-ksk.key
rm -f ${ksk}.private
@@ -266,8 +266,8 @@ rm -f ${ksk}.private
# is missing.
#
setup nozsk.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../nozsk-ksk.key
echo $zsk > ../nozsk-zsk.key
@@ -278,8 +278,8 @@ rm -f ${zsk}.private
# is inactive.
#
setup inaczsk.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
echo $ksk > ../inaczsk-ksk.key
echo $zsk > ../inaczsk-zsk.key
@@ -290,16 +290,16 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
#
setup reconf.example
cp secure.example.db.in $zonefile
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
#
# A zone which generates CDS and CDNSEY RRsets automatically
#
setup sync.example
cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
echo ns3/$ksk > ../sync.key
@@ -308,8 +308,8 @@ echo ns3/$ksk > ../sync.key
#
setup kskonly.example
cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -317,8 +317,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup inacksk2.example
cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -326,8 +326,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup inaczsk2.example
cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -335,9 +335,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup inacksk3.example
cp $infile $zonefile
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -345,9 +345,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup inaczsk3.example
cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
@@ -356,9 +356,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup delzsk.example
cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
+ksk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+zsk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.out
echo $zsk > ../delzsk.key
#
@@ -366,6 +366,6 @@ echo $zsk > ../delzsk.key
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 33692cd5f5..b5069ce6fe 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -203,9 +203,9 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}'`
-grep "DNSKEY 7 2 " dig.out.ns3.test$n > /dev/null || ret=1
+grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
count=`awk 'BEGIN { count = 0 }
@@ -221,7 +221,8 @@ test $count -eq 3 || ret=1
awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }'
id=`awk "${awk}" dig.out.ns3.test$n`
-$SETTIME -D now+5 ns3/Kinacksk3.example.+007+${id} > settime.out.test$n || ret=1
+keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
+$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
n=`expr $n + 1`
@@ -238,8 +239,8 @@ ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
-grep "CNAME 7 3 " dig.out.ns3.test$n > /dev/null || ret=1
-grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
count=`awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "CNAME" { count++ }
END {print count}' dig.out.ns3.test$n`
@@ -249,7 +250,9 @@ count=`awk 'BEGIN { count = 0 }
END {print count}' dig.out.ns3.test$n`
test $count -eq 3 || ret=1
id=`awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n`
-$SETTIME -D now+5 ns3/Kinaczsk3.example.+007+${id} > settime.out.test$n || ret=1
+
+keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}")
+$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1
($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -399,7 +402,7 @@ status=`expr $status + $ret`
echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)"
ret=0
-loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
+loglines=`grep "Key nozsk.example/$DEFAULT_ALGORITHM/$missing .* retaining signatures" ns3/named.run | wc -l`
[ "$loglines" -eq 0 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
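Review bot: The two "replaced RRSIGs are not logged" checks (this hunk and the next one, for inaczsk.example) assert that grep finds zero lines, so a pattern that can never match passes silently. With the algorithm now interpolated from `$DEFAULT_ALGORITHM`, the check only stays meaningful if that variable is spelled exactly as named prints the algorithm in its "retaining signatures" message, which this hunk does not show. Because the key id already identifies the key, matching any algorithm is the safer form for a negative assertion: `grep "Key nozsk.example/[^/]*/$missing .* retaining signatures" ns3/named.run`.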
@@ -407,7 +410,7 @@ status=`expr $status + $ret`
echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)"
ret=0
-loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
+loglines=`grep "Key inaczsk.example/$DEFAULT_ALGORITHM/$inactive .* retaining signatures" ns3/named.run | wc -l`
[ "$loglines" -eq 0 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -1065,7 +1068,7 @@ send
END
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
# Create DNSSEC keys in the zone directory.
-$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 jitter.nsec3.example > /dev/null
# Trigger zone signing.
($RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
# Wait until zone has been signed.
@@ -1089,7 +1092,7 @@ ret=0
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
-$KEYGEN -a rsasha1 -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1
newserial=$oldserial
@@ -1473,12 +1476,12 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' `
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' `
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${kskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
@@ -1488,7 +1491,7 @@ status=`expr $status + $ret`
echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n
-grep "SOA 7 2" dig.out.ns3.test$n > /dev/null || ret=1
+grep "SOA ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -1505,7 +1508,7 @@ $DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n
zskid=`awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n |
$DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' `
-pattern="DNSKEY 7 2 [0-9]* [0-9]* [0-9]* ${zskid} "
+pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} "
grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1
count=`awk 'BEGIN { count = 0 }
@@ -1532,7 +1535,7 @@ ret=0
$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n
kskid=`awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n |
$DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' `
-grep "CNAME 7 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
+grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
count=`awk 'BEGIN { count = 0 }
$4 == "RRSIG" && $5 == "CNAME" { count++ }
END {print count}' dig.out.ns3.test$n`
@@ -1606,7 +1609,7 @@ status=`expr $status + $ret`
echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)"
ret=0
$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-grep "RRSIG NSEC3 7 3 600" dig.out.ns3.test$n > /dev/null || ret=1
+grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
--
2.23.0


@ -1,233 +0,0 @@
From 17ae663084bdab626314da73b30aa53fc76ebe16 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 7 Dec 2021 14:11:06 +0100
Subject: [PATCH] Update autosign test
Update the autosign system test with new expected behavior.
The 'nozsk.example' zone should have its expired zone signatures
deleted and replaced with signatures generated with the KSK.
The 'inaczsk.example' zone should have its expired zone signatures
deleted and replaced with signatures generated with the KSK.
In both scenarios, signatures are deleted, not retained, so the
"retaining signatures" warning should not be logged.
Furthermore, this commit fixes a test bug where the 'awk' command
always returned 0.
Finally, this commit adds a test case for an offline KSK, for the zone
'noksk.example'. In this case the expired signatures should be retained
(despite the zone being bogus, but resigning the DNSKEY RRset with the
ZSK won't help here).
(cherry picked from commit fbd559ad0d389948c594a35b72d7fb6d16794702)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/17ae663084bdab626314da73b30aa53fc76ebe16
---
bin/tests/system/autosign/clean.sh | 3 +-
bin/tests/system/autosign/ns3/keygen.sh | 25 ++++++++++---
bin/tests/system/autosign/ns3/named.conf.in | 7 ++++
.../system/autosign/ns3/noksk.example.db.in | 24 ++++++++++++
bin/tests/system/autosign/tests.sh | 37 +++++++++++++------
5 files changed, 78 insertions(+), 18 deletions(-)
create mode 100644 bin/tests/system/autosign/ns3/noksk.example.db.in
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index 7a1101d6dd..20efc69499 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -22,7 +22,7 @@ rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f dig.out.*
rm -f digcomp.out.test*
rm -f digcomp.out.test*
-rm -f missingzsk.key inactivezsk.key
+rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
@@ -43,6 +43,7 @@ rm -f ns3/jitter.nsec3.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/kskonly.example.db
rm -f ns3/named.ns3.prev
+rm -f ns3/noksk.example.db
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
rm -f ns3/nsec.example.db
rm -f ns3/nsec3-to-nsec.example.db
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 4c85d0c87c..633e08360a 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -250,15 +250,27 @@ echo $ksk > ../delayksk.key
zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
echo $zsk > ../delayzsk.key
+#
+# A zone with signatures that are already expired, and the private KSK
+# is missing.
+#
+setup noksk.example
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
+$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
+echo $ksk > ../noksk-ksk.key
+rm -f ${ksk}.private
+
#
# A zone with signatures that are already expired, and the private ZSK
# is missing.
#
setup nozsk.example
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
-echo $zsk > ../missingzsk.key
+echo $ksk > ../nozsk-ksk.key
+echo $zsk > ../nozsk-zsk.key
rm -f ${zsk}.private
#
@@ -266,10 +278,11 @@ rm -f ${zsk}.private
# is inactive.
#
setup inaczsk.example
-$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
$SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out || dumpit s.out
-echo $zsk > ../inactivezsk.key
+echo $ksk > ../inaczsk-ksk.key
+echo $zsk > ../inaczsk-zsk.key
$SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
#
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 7c8f74f19a..8aa64b2165 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -249,6 +249,13 @@ zone "inaczsk.example" {
auto-dnssec maintain;
};
+zone "noksk.example" {
+ type primary;
+ file "noksk.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
zone "sync.example" {
type primary;
file "sync.example.db";
diff --git a/bin/tests/system/autosign/ns3/noksk.example.db.in b/bin/tests/system/autosign/ns3/noksk.example.db.in
new file mode 100644
index 0000000000..90dcba9daf
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/noksk.example.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 79c5999d94..33692cd5f5 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -157,7 +157,7 @@ do
grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1
done
for z in bar. example. inacksk2.example. inacksk3.example \
- inaczsk2.example. inaczsk3.example
+ inaczsk2.example. inaczsk3.example noksk.example nozsk.example
do
$DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1
grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1
@@ -364,36 +364,51 @@ END
echo_i "waiting for change to take effect"
sleep 3
-echo_i "checking that expired RRSIGs from missing key are not deleted ($n)"
+missing=$(keyfile_to_key_id "$(cat noksk-ksk.key)")
+echo_i "checking that expired RRSIGs from missing KSK $missing are not deleted ($n)"
ret=0
-missing=$(keyfile_to_key_id "$(cat missingzsk.key)")
+$JOURNALPRINT ns3/noksk.example.db.jnl | \
+ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {error=1}} END {exit error}' id=$missing || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+missing=$(keyfile_to_key_id "$(cat nozsk-zsk.key)")
+ksk=$(keyfile_to_key_id "$(cat nozsk-ksk.key)")
+echo_i "checking that expired RRSIGs from missing ZSK $missing are replaced ($n)"
+ret=0
+$JOURNALPRINT ns3/nozsk.example.db.jnl | \
+ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$missing || ret=1
$JOURNALPRINT ns3/nozsk.example.db.jnl | \
- awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$missing || ret=1
+ awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that expired RRSIGs from inactive key are not deleted ($n)"
+inactive=$(keyfile_to_key_id "$(cat inaczsk-zsk.key)")
+ksk=$(keyfile_to_key_id "$(cat inaczsk-ksk.key)")
+echo_i "checking that expired RRSIGs from inactive ZSK $inactive are replaced ($n)"
ret=0
-inactive=$(keyfile_to_key_id "$(cat inactivezsk.key)")
$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
- awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {exit 1}} END {exit 0}' id=$inactive || ret=1
+ awk '{if ($1 == "del" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$inactive || ret=1
+$JOURNALPRINT ns3/inaczsk.example.db.jnl | \
+ awk '{if ($1 == "add" && $5 == "RRSIG" && $12 == id) {ok=1}} END {exit ok?0:1}' id=$ksk || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that non-replaceable RRSIGs are logged only once (missing private key) ($n)"
+echo_i "checking that replaced RRSIGs are not logged (missing ZSK private key) ($n)"
ret=0
loglines=`grep "Key nozsk.example/NSEC3RSASHA1/$missing .* retaining signatures" ns3/named.run | wc -l`
-[ "$loglines" -eq 1 ] || ret=1
+[ "$loglines" -eq 0 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that non-replaceable RRSIGs are logged only once (inactive private key) ($n)"
+echo_i "checking that replaced RRSIGs are not logged (inactive ZSK private key) ($n)"
ret=0
loglines=`grep "Key inaczsk.example/NSEC3RSASHA1/$inactive .* retaining signatures" ns3/named.run | wc -l`
-[ "$loglines" -eq 1 ] || ret=1
+[ "$loglines" -eq 0 ] || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
--
2.23.0


@ -1,46 +0,0 @@
From 9ec7d78d164991b668cd50371ffe8f9b7b4b5ac3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 5 Jan 2022 11:48:22 +0100
Subject: [PATCH] On shutdown, return ISC_R_SHUTTINGDOWN from
isc_taskmgr_excltask()
The isc_taskmgr_excltask() would return ISC_R_NOTFOUND either when the
exclusive task was not set (yet) or when the taskmgr is shutting down
and the exclusive task has been already cleared.
Distinguish between the two states and return ISC_R_SHUTTINGDOWN when
the taskmgr is being shut down instead of ISC_R_NOTFOUND.
(cherry picked from commit f9d90159b84831fd83d74594827fedf0f4e9e265)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/9ec7d78d164991b668cd50371ffe8f9b7b4b5ac3
---
lib/isc/task.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/isc/task.c b/lib/isc/task.c
index 2c0d89c2b9..3e894f8dab 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -1130,7 +1130,7 @@ isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task) {
isc_result_t
isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) {
- isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t result;
REQUIRE(VALID_MANAGER(mgr));
REQUIRE(taskp != NULL && *taskp == NULL);
@@ -1138,6 +1138,9 @@ isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) {
LOCK(&mgr->excl_lock);
if (mgr->excl != NULL) {
isc_task_attach(mgr->excl, taskp);
+ result = ISC_R_SUCCESS;
+ } else if (atomic_load_relaxed(&mgr->exiting)) {
+ result = ISC_R_SHUTTINGDOWN;
} else {
result = ISC_R_NOTFOUND;
}
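Review bot: The new `else if (atomic_load_relaxed(&mgr->exiting))` branch reads `exiting` while holding `excl_lock`, but the shutdown code shown as removed in the follow-up patch on this page detaches `mgr->excl` under `excl_lock` and only afterwards sets `exiting` under `mgr->lock`. In the window between those two steps a caller would presumably still see `excl == NULL` with `exiting` false and get ISC_R_NOTFOUND during shutdown, which is the case this change is meant to tell apart. Guarding both fields with the same lock, or setting `exiting` before the exclusive task is detached, closes that window. The function's return statement lies outside the hunk.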
--
2.23.0


@ -1,179 +0,0 @@
From 5be356760dd6855944234980f2fc0f13130267fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 5 Jan 2022 13:06:37 +0100
Subject: [PATCH] Remove taskmgr->excl_lock, fix the locking for
taskmgr->exiting
While doing code review, it was found that the taskmgr->exiting is set
under taskmgr->lock, but accessed under taskmgr->excl_lock in the
isc_task_beginexclusive().
Additionally, before the change that moved running the tasks to the
netmgr, the task_ready() subroutine of isc_task_detach() would lock
mgr->lock, requiring the mgr->excl to be protected by mgr->excl_lock
to prevent deadlock in the code. After !4918 has been merged, this is
no longer true, and we can remove taskmgr->excl_lock and use
taskmgr->lock in its stead.
Solve both issues by removing the taskmgr->excl_lock and exclusively use
taskmgr->lock to protect both taskmgr->excl and taskmgr->exiting which
now doesn't need to be atomic_bool, because it's always accessed from
within the locked section.
(cherry picked from commit e705f213cac8a79e1fa8c20ce20f2e7a28daf3f9)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/5be356760dd6855944234980f2fc0f13130267fb
---
lib/isc/task.c | 54 ++++++++++++++++----------------------------------
1 file changed, 17 insertions(+), 37 deletions(-)
diff --git a/lib/isc/task.c b/lib/isc/task.c
index 3e894f8dab..caf2c06c47 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -140,14 +140,7 @@ struct isc_taskmgr {
LIST(isc_task_t) tasks;
atomic_uint_fast32_t mode;
atomic_bool exclusive_req;
- atomic_bool exiting;
-
- /*
- * Multiple threads can read/write 'excl' at the same time, so we need
- * to protect the access. We can't use 'lock' since isc_task_detach()
- * will try to acquire it.
- */
- isc_mutex_t excl_lock;
+ bool exiting;
isc_task_t *excl;
};
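Review bot: The removed comment was the only place in `struct isc_taskmgr` that said which lock guards `excl`, and the new plain `bool exiting` carries no note at all, although it is only safe because every access visible in this patch happens with `lock` held. Add a comment above the two fields, for example `/* 'exiting' and 'excl' are protected by 'lock'. */`, so that a later lock-free read of `exiting` is recognisable as a data race. The struct definition starts outside the hunk.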
@@ -254,13 +247,11 @@ isc_task_create_bound(isc_taskmgr_t *manager, unsigned int quantum,
INIT_LINK(task, link);
task->magic = TASK_MAGIC;
- exiting = false;
LOCK(&manager->lock);
- if (!atomic_load_relaxed(&manager->exiting)) {
+ exiting = manager->exiting;
+ if (!exiting) {
APPEND(manager->tasks, task, link);
atomic_fetch_add(&manager->tasks_count, 1);
- } else {
- exiting = true;
}
UNLOCK(&manager->lock);
@@ -956,7 +947,6 @@ manager_free(isc_taskmgr_t *manager) {
isc_nm_detach(&manager->netmgr);
isc_mutex_destroy(&manager->lock);
- isc_mutex_destroy(&manager->excl_lock);
manager->magic = 0;
isc_mem_putanddetach(&manager->mctx, manager, sizeof(*manager));
}
@@ -1000,7 +990,6 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int default_quantum, isc_nm_t *nm,
*manager = (isc_taskmgr_t){ .magic = TASK_MANAGER_MAGIC };
isc_mutex_init(&manager->lock);
- isc_mutex_init(&manager->excl_lock);
if (default_quantum == 0) {
default_quantum = DEFAULT_DEFAULT_QUANTUM;
@@ -1012,7 +1001,6 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int default_quantum, isc_nm_t *nm,
}
INIT_LIST(manager->tasks);
- atomic_init(&manager->exiting, false);
atomic_init(&manager->mode, isc_taskmgrmode_normal);
atomic_init(&manager->exclusive_req, false);
atomic_init(&manager->tasks_count, 0);
@@ -1041,15 +1029,6 @@ isc__taskmgr_shutdown(isc_taskmgr_t *manager) {
* that the startup thread is sleeping on.
*/
- /*
- * Detach the exclusive task before acquiring the manager lock
- */
- LOCK(&manager->excl_lock);
- if (manager->excl != NULL) {
- isc_task_detach((isc_task_t **)&manager->excl);
- }
- UNLOCK(&manager->excl_lock);
-
/*
* Unlike elsewhere, we're going to hold this lock a long time.
* We need to do so, because otherwise the list of tasks could
@@ -1058,14 +1037,16 @@ isc__taskmgr_shutdown(isc_taskmgr_t *manager) {
* This is also the only function where we will hold both the
* task manager lock and a task lock at the same time.
*/
-
LOCK(&manager->lock);
+ if (manager->excl != NULL) {
+ isc_task_detach((isc_task_t **)&manager->excl);
+ }
/*
* Make sure we only get called once.
*/
- INSIST(atomic_compare_exchange_strong(&manager->exiting,
- &(bool){ false }, true));
+ INSIST(manager->exiting == false);
+ manager->exiting = true;
/*
* Post shutdown event(s) to every task (if they haven't already been
@@ -1120,12 +1101,12 @@ isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task) {
REQUIRE(task->threadid == 0);
UNLOCK(&task->lock);
- LOCK(&mgr->excl_lock);
+ LOCK(&mgr->lock);
if (mgr->excl != NULL) {
isc_task_detach(&mgr->excl);
}
isc_task_attach(task, &mgr->excl);
- UNLOCK(&mgr->excl_lock);
+ UNLOCK(&mgr->lock);
}
isc_result_t
@@ -1135,16 +1116,16 @@ isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp) {
REQUIRE(VALID_MANAGER(mgr));
REQUIRE(taskp != NULL && *taskp == NULL);
- LOCK(&mgr->excl_lock);
+ LOCK(&mgr->lock);
if (mgr->excl != NULL) {
isc_task_attach(mgr->excl, taskp);
result = ISC_R_SUCCESS;
- } else if (atomic_load_relaxed(&mgr->exiting)) {
+ } else if (mgr->exiting) {
result = ISC_R_SHUTTINGDOWN;
} else {
result = ISC_R_NOTFOUND;
}
- UNLOCK(&mgr->excl_lock);
+ UNLOCK(&mgr->lock);
return (result);
}
@@ -1159,11 +1140,10 @@ isc_task_beginexclusive(isc_task_t *task) {
REQUIRE(task->state == task_state_running);
- LOCK(&manager->excl_lock);
- REQUIRE(task == task->manager->excl ||
- (atomic_load_relaxed(&task->manager->exiting) &&
- task->manager->excl == NULL));
- UNLOCK(&manager->excl_lock);
+ LOCK(&manager->lock);
+ REQUIRE(task == manager->excl ||
+ (manager->exiting && manager->excl == NULL));
+ UNLOCK(&manager->lock);
if (!atomic_compare_exchange_strong(&manager->exclusive_req,
&(bool){ false }, true))
--
2.23.0


@ -1,30 +0,0 @@
From 464b09a8043e61fb713bd090aac63bf869985248 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 12 Jan 2022 10:43:18 -0800
Subject: [PATCH] add UV_ENOTSUP to isc___nm_uverr2result()
This error code is now mapped to ISC_R_FAMILYNOSUPPORT.
(cherry picked from commit be0bc24c7f7b22d6e42bc73e3c0c978ca3ae3af3)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/464b09a8043e61fb713bd090aac63bf869985248
---
lib/isc/netmgr/uverr2result.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/isc/netmgr/uverr2result.c b/lib/isc/netmgr/uverr2result.c
index 2a1de20954..5ce953d729 100644
--- a/lib/isc/netmgr/uverr2result.c
+++ b/lib/isc/netmgr/uverr2result.c
@@ -89,6 +89,8 @@ isc___nm_uverr2result(int uverr, bool dolog, const char *file,
return (ISC_R_EOF);
case UV_EMSGSIZE:
return (ISC_R_MAXSIZE);
+ case UV_ENOTSUP:
+ return (ISC_R_FAMILYNOSUPPORT);
default:
if (dolog) {
UNEXPECTED_ERROR(
--
2.23.0


@ -1,56 +0,0 @@
From 075722f8a2ff30396b0b920d4665c1c75dc5f1ba Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 19 Jan 2022 11:05:00 -0800
Subject: [PATCH] rndc: add an extra task reference
adding an extra task before launching the rndc app prevents
a use-after-free when task events fire after the app has been
shut down by a signal.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/075722f8a2ff30396b0b920d4665c1c75dc5f1ba
---
bin/rndc/rndc.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 1e74b9b033..6ce9d252f4 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -292,8 +292,6 @@ static void
rndc_senddone(isc_task_t *task, isc_event_t *event) {
isc_socketevent_t *sevent = (isc_socketevent_t *)event;
- UNUSED(task);
-
if (sevent->result != ISC_R_SUCCESS) {
fatal("send failed: %s", isc_result_totext(sevent->result));
}
@@ -302,7 +300,7 @@ rndc_senddone(isc_task_t *task, isc_event_t *event) {
atomic_load_acquire(&recvs) == 0)
{
isc_socket_detach(&sock);
- isc_task_shutdown(task);
+ isc_task_detach(&task);
isc_app_shutdown();
}
}
@@ -378,7 +376,7 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
if (atomic_load_acquire(&sends) == 0 &&
atomic_load_acquire(&recvs) == 0) {
isc_socket_detach(&sock);
- isc_task_shutdown(task);
+ isc_task_detach(&task);
isc_app_shutdown();
}
}
@@ -1058,6 +1056,7 @@ main(int argc, char **argv) {
get_addresses(servername, (in_port_t)remoteport);
}
+ isc_task_attach(task, &(isc_task_t *){ NULL });
DO("post event", isc_app_onrun(rndc_mctx, task, rndc_start, NULL));
result = isc_app_run();
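Review bot: The reference taken by `isc_task_attach(task, &(isc_task_t *){ NULL });` is stored in an anonymous temporary, so nothing in main() records who owns it or where it is dropped. From the other two hunks it appears to be released by the `isc_task_detach(&task)` calls in rndc_senddone() and rndc_recvdone(); a short comment here would make that pairing explicit, for example `/* Extra reference, dropped in rndc_senddone()/rndc_recvdone(); keeps the task valid if events fire after a signal has shut the app down. */`. If the app stops before either callback reaches its detach, the reference is presumably never released, which looks acceptable for a short-lived tool but is worth stating. main() continues outside the hunk.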
--
2.23.0

View File

@ -1,83 +0,0 @@
From 094e416fff2c2c2d0f0d83d4201860e52e65d0ac Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 29 Dec 2021 09:07:03 +0000
Subject: [PATCH] Add a system test for view reverting after a failed
reconfiguration
Test the view reverting code by introducing a faulty dlz configuration
in named.conf and using `rndc reconfig` to check if named handles the
situation correctly.
We use "dlz" because the dlz processing code is located in an ideal
place in the view configuration function for the test to cover the
view reverting code.
This test is specifically added to the catz system test to additionally
cover the catz reconfiguration during the mentioned failed
reconfiguration attempt.
(cherry picked from commit 62337d433f233506d340acdedb7d46bdc0dd662f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/094e416fff2c2c2d0f0d83d4201860e52e65d0ac
---
bin/tests/system/catz/ns2/named1.conf.in | 8 ++++++++
bin/tests/system/catz/tests.sh | 24 ++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index 7c5f8c2835..8519802bb0 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -46,6 +46,14 @@ options {
};
};
+# A faulty dlz configuration to check if named and catz survive a certain class
+# of failed configuration attempts (see GL#3060).
+# We use "dlz" because the dlz processing code is located in an ideal place in
+# the view configuration function for the test to cover the view reverting code.
+#T3dlz "bad-dlz" {
+#T3 database "dlopen bad-dlz.so example.org";
+#T3};
+
zone "catalog1.example" {
type secondary;
file "catalog1.example.db";
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index f217103d8f..2f50740374 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -370,6 +370,30 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)"
+ret=0
+sed -e "s/^#T3//" < ns2/named1.conf.in > ns2/named.conf.tmp
+copy_setports ns2/named.conf.tmp ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking again that dom3.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "reconfiguring secondary - reverting the bad configuration ($n)"
+ret=0
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
n=$((n+1))
echo_i "removing all records from catalog1 zone ($n)"
ret=0
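Review bot: The expected-failure step `$RNDC ... reconfig > /dev/null 2>&1 && ret=1` passes on any non-zero exit, including an unreachable control channel, so it does not prove that named rejected the faulty dlz block. Keep the output instead of discarding it, e.g. redirect to `rndc.out.test$n`, and grep it (or ns2/named.run) for the reconfiguration failure; the exact message is not visible in this patch and has to be taken from named's output. The temporary `ns2/named.conf.tmp` written by the sed step also looks left behind, since the diffstat lists no change to the test's cleanup script.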
--
2.23.0


@ -1,33 +0,0 @@
From 254cabb558cc6152ae892d2a71e65f7cedbd1a38 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 4 Jan 2022 18:49:20 +0000
Subject: [PATCH] Fix a memory leak in dns_dlzcreate()
dns_dlzcreate() fails to free the memory allocated for dlzname
when an error occurs.
Free dlzname's memory (acquired earlier with isc_mem_strdup())
by calling isc_mem_free() before returning an error code.
(cherry picked from commit 4a6c66288ff831a3450e6472605d3ef8d668eac7)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/254cabb558cc6152ae892d2a71e65f7cedbd1a38
---
lib/dns/dlz.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
index cc0b17e5d2..20e3f545bf 100644
--- a/lib/dns/dlz.c
+++ b/lib/dns/dlz.c
@@ -230,6 +230,7 @@ dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername,
/* impinfo->methods->create failed. */
RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+ isc_mem_free(mctx, db->dlzname);
isc_mem_put(mctx, db, sizeof(dns_dlzdb_t));
return (result);
}
--
2.23.0


@ -1,51 +0,0 @@
From b5735ec37a93d2a660ede2f430d08e7abeaf500b Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 4 Jan 2022 17:22:32 +0000
Subject: [PATCH] Fix invalid control port number in the catz system test
When failure is expected, the `rndc` command in the catz system test
is being called directly instead of using a function, i.e.:
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig \
> /dev/null 2>&1 && ret=1
... instead of:
rndccmd 10.53.0.2 reconfig && ret=1
This is done to suppress messages like "lt-rndc: 'reconfig' failed:
failure" appearing in the message log of the test, because failure
is actually expected, and the appearance of that message can be
confusing.
The port value used in this case is not correct, making the
`rndc reload` command to fail. This error was not detected earlier
only because the failure of the command is actually expected, but
the failure happens for a "wrong" reason, and the test still passes.
Fix the error by using the existing variable instead of the fixed
number.
(cherry picked from commit 5f9d4b5db41f074699647cfc3033c6ebba61b72e)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b5735ec37a93d2a660ede2f430d08e7abeaf500b
---
bin/tests/system/catz/tests.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index 2f50740374..97b7e314b4 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -1238,7 +1238,7 @@ echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-exi
ret=0
sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp
copy_setports ns2/named.conf.tmp ns2/named.conf
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 && ret=1
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
--
2.23.0


@ -1,325 +0,0 @@
From f555f1d2eb4cf0d0cf2f6aa1203d369aecb7339e Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 28 Dec 2021 11:51:01 +0000
Subject: [PATCH] Improve the view configuration error handling and reverting
logic
If a view configuration error occurs during a named reconfiguration
procedure, BIND can end up having twin views (old and new), with some
zones and internal structures attached to the old one, and others
attached to the new one, which essentially creates chaos.
Implement some additional view reverting mechanisms to avoid the
situation described above:
1. Revert rpz configuration.
2. Revert catz configuration.
3. Revert zones to view attachments.
(cherry picked from commit 3697560f048792430640e7f848cdae8547c70d90)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/f555f1d2eb4cf0d0cf2f6aa1203d369aecb7339e
---
bin/named/server.c | 153 +++++++++++++++++++++++++++++++++++++--------
1 file changed, 126 insertions(+), 27 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index d8993e06b4..721464db8e 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -437,6 +437,10 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
bool modify);
+static void
+configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig,
+ dns_view_t *view);
+
static isc_result_t
configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
isc_mem_t *mctx, cfg_aclconfctx_t *actx);
@@ -2439,7 +2443,7 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
}
static isc_result_t
-configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
+configure_rpz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t **maps,
const cfg_obj_t *rpz_obj, bool *old_rpz_okp) {
bool dnsrps_enabled;
const cfg_listelt_t *zone_element;
@@ -2453,7 +2457,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
uint32_t minupdateinterval_default;
dns_rpz_zones_t *zones;
const dns_rpz_zones_t *old;
- dns_view_t *pview;
+ bool pview_must_detach = false;
const dns_rpz_zone_t *old_zone;
isc_result_t result;
int i;
@@ -2592,14 +2596,19 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
zones->p.nsip_wait_recurse = false;
}
- pview = NULL;
- result = dns_viewlist_find(&named_g_server->viewlist, view->name,
- view->rdclass, &pview);
- if (result == ISC_R_SUCCESS) {
+ if (pview != NULL) {
old = pview->rpzs;
} else {
- old = NULL;
+ result = dns_viewlist_find(&named_g_server->viewlist,
+ view->name, view->rdclass, &pview);
+ if (result == ISC_R_SUCCESS) {
+ pview_must_detach = true;
+ old = pview->rpzs;
+ } else {
+ old = NULL;
+ }
}
+
if (old == NULL) {
*old_rpz_okp = false;
} else {
@@ -2621,7 +2630,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
add_soa_default, ttl_default, minupdateinterval_default,
old_zone, old_rpz_okp);
if (result != ISC_R_SUCCESS) {
- if (pview != NULL) {
+ if (pview_must_detach) {
dns_view_detach(&pview);
}
return (result);
@@ -2658,7 +2667,7 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
view->rpzs->rpz_ver);
}
- if (pview != NULL) {
+ if (pview_must_detach) {
dns_view_detach(&pview);
}
@@ -2987,15 +2996,14 @@ catz_modzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view,
}
static isc_result_t
-configure_catz_zone(dns_view_t *view, const cfg_obj_t *config,
- const cfg_listelt_t *element) {
+configure_catz_zone(dns_view_t *view, dns_view_t *pview,
+ const cfg_obj_t *config, const cfg_listelt_t *element) {
const cfg_obj_t *catz_obj, *obj;
dns_catz_zone_t *zone = NULL;
const char *str;
isc_result_t result;
dns_name_t origin;
dns_catz_options_t *opts;
- dns_view_t *pview = NULL;
dns_name_init(&origin, NULL);
catz_obj = cfg_listelt_value(element);
@@ -3026,9 +3034,7 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config,
if (result == ISC_R_EXISTS) {
isc_ht_iter_t *it = NULL;
- result = dns_viewlist_find(&named_g_server->viewlist,
- view->name, view->rdclass, &pview);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ RUNTIME_CHECK(pview != NULL);
/*
* xxxwpk todo: reconfigure the zone!!!!
@@ -3116,9 +3122,6 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config,
}
cleanup:
- if (pview != NULL) {
- dns_view_detach(&pview);
- }
dns_name_free(&origin, view->mctx);
return (result);
@@ -3130,11 +3133,11 @@ static dns_catz_zonemodmethods_t ns_catz_zonemodmethods = {
};
static isc_result_t
-configure_catz(dns_view_t *view, const cfg_obj_t *config,
+configure_catz(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *config,
const cfg_obj_t *catz_obj) {
const cfg_listelt_t *zone_element;
const dns_catz_zones_t *old = NULL;
- dns_view_t *pview = NULL;
+ bool pview_must_detach = false;
isc_result_t result;
/* xxxwpk TODO do it cleaner, once, somewhere */
@@ -3149,10 +3152,15 @@ configure_catz(dns_view_t *view, const cfg_obj_t *config,
view->mctx, named_g_taskmgr,
named_g_timermgr));
- result = dns_viewlist_find(&named_g_server->viewlist, view->name,
- view->rdclass, &pview);
- if (result == ISC_R_SUCCESS) {
+ if (pview != NULL) {
old = pview->catzs;
+ } else {
+ result = dns_viewlist_find(&named_g_server->viewlist,
+ view->name, view->rdclass, &pview);
+ if (result == ISC_R_SUCCESS) {
+ pview_must_detach = true;
+ old = pview->catzs;
+ }
}
if (old != NULL) {
@@ -3162,7 +3170,7 @@ configure_catz(dns_view_t *view, const cfg_obj_t *config,
}
while (zone_element != NULL) {
- CHECK(configure_catz_zone(view, config, zone_element));
+ CHECK(configure_catz_zone(view, pview, config, zone_element));
zone_element = cfg_list_next(zone_element);
}
@@ -3173,7 +3181,7 @@ configure_catz(dns_view_t *view, const cfg_obj_t *config,
result = ISC_R_SUCCESS;
cleanup:
- if (pview != NULL) {
+ if (pview_must_detach) {
dns_view_detach(&pview);
}
@@ -3974,6 +3982,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
isc_mem_t *cmctx = NULL, *hmctx = NULL;
dns_dispatch_t *dispatch4 = NULL;
dns_dispatch_t *dispatch6 = NULL;
+ bool rpz_configured = false;
+ bool catz_configured = false;
+ bool zones_configured = false;
bool reused_cache = false;
bool shared_cache = false;
int i = 0, j = 0, k = 0;
@@ -4045,14 +4056,16 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
if (view->rdclass == dns_rdataclass_in && need_hints &&
named_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS)
{
- CHECK(configure_rpz(view, maps, obj, &old_rpz_ok));
+ CHECK(configure_rpz(view, NULL, maps, obj, &old_rpz_ok));
+ rpz_configured = true;
}
obj = NULL;
if (view->rdclass == dns_rdataclass_in && need_hints &&
named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS)
{
- CHECK(configure_catz(view, config, obj));
+ CHECK(configure_catz(view, NULL, config, obj));
+ catz_configured = true;
}
/*
@@ -4076,6 +4089,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
viewlist, kasplist, actx, false,
old_rpz_ok, false));
}
+ zones_configured = true;
/*
* Check that a master or slave zone was found for each
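Review bot: `zones_configured` appears to be set only after the zone loop has run to completion, so a configure_zone() failure part-way through that loop reaches `cleanup` with the flag still false. The `configure_zone_setviewcommit(result, zconfig, view)` pass added in the cleanup hunk is then skipped for the zones that were already moved to the new view. The loop head and the caller are outside the hunk, so it is not confirmed whether anything else reverts those zones; if nothing does, the twin-view state described in the commit message can still occur. Setting `zones_configured = true;` ahead of the first configure_zone() call would cover the partial case, provided configure_zone_setviewcommit() tolerates zones that were never touched.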
@@ -5815,6 +5829,91 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
result = ISC_R_SUCCESS;
cleanup:
+ /*
+ * Revert to the old view if there was an error.
+ */
+ if (result != ISC_R_SUCCESS) {
+ isc_result_t result2;
+
+ result2 = dns_viewlist_find(&named_g_server->viewlist,
+ view->name, view->rdclass, &pview);
+ if (result2 == ISC_R_SUCCESS) {
+ dns_view_thaw(pview);
+
+ obj = NULL;
+ if (rpz_configured &&
+ pview->rdclass == dns_rdataclass_in && need_hints &&
+ named_config_get(maps, "response-policy", &obj) ==
+ ISC_R_SUCCESS)
+ {
+ /*
+ * We are swapping the places of the `view` and
+ * `pview` in the function's parameters list
+ * because we are reverting the same operation
+ * done previously in the "correct" order.
+ */
+ result2 = configure_rpz(pview, view, maps, obj,
+ &old_rpz_ok);
+ if (result2 != ISC_R_SUCCESS) {
+ isc_log_write(named_g_lctx,
+ NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "rpz configuration "
+ "revert failed for view "
+ "'%s'",
+ pview->name);
+ }
+ }
+
+ obj = NULL;
+ if (catz_configured &&
+ pview->rdclass == dns_rdataclass_in && need_hints &&
+ named_config_get(maps, "catalog-zones", &obj) ==
+ ISC_R_SUCCESS)
+ {
+ if (pview->catzs != NULL) {
+ dns_catz_catzs_detach(&pview->catzs);
+ }
+ /*
+ * We are swapping the places of the `view` and
+ * `pview` in the function's parameters list
+ * because we are reverting the same operation
+ * done previously in the "correct" order.
+ */
+ result2 = configure_catz(pview, view, config,
+ obj);
+ if (result2 != ISC_R_SUCCESS) {
+ isc_log_write(named_g_lctx,
+ NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "catz configuration "
+ "revert failed for view "
+ "'%s'",
+ pview->name);
+ }
+ }
+
+ dns_view_freeze(pview);
+ }
+
+ if (pview != NULL) {
+ dns_view_detach(&pview);
+ }
+
+ if (zones_configured) {
+ for (element = cfg_list_first(zonelist);
+ element != NULL; element = cfg_list_next(element))
+ {
+ const cfg_obj_t *zconfig =
+ cfg_listelt_value(element);
+ configure_zone_setviewcommit(result, zconfig,
+ view);
+ }
+ }
+ }
+
if (ntatable != NULL) {
dns_ntatable_detach(&ntatable);
}
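Review bot: The catz revert detaches `pview->catzs` before calling `configure_catz(pview, view, config, obj)`, and a failure of that call is only logged. The old view is then frozen again and keeps serving in whatever catalog-zones state the failed call left, possibly none. The log text "catz configuration revert failed" does not tell the operator that the running view may have lost its catalog zones, so the message should say so or the failure should be escalated to the caller. At minimum add a comment at the detach, e.g. `/* From here on a failed revert leaves pview without its previous catzs. */`. configure_view() starts outside this hunk, so how `pview` is declared and whether it can already be attached when `cleanup` is reached could not be checked.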
--
2.23.0


@ -1,39 +0,0 @@
From a663216c0e63bcbf90dc5142f9914bb02edac144 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 28 Dec 2021 12:08:48 +0000
Subject: [PATCH] Improve the zones' view reverting logic when a zone is a
catalog zone
When a zone is being configured with a new view, the catalog zones
structure will also be linked to that view. Later on, in case of some
error, should the zone be reverted to the previous view, the link
between the catalog zones structure and the view won't be reverted.
Change the dns_zone_setviewrevert() function so it calls
dns_zone_catz_enable() during a zone revert, which will reset the
link between `catzs` and view.
(cherry picked from commit 2fd967136ad014f6d7456c1e19e185803f7d99ac)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/a663216c0e63bcbf90dc5142f9914bb02edac144
---
lib/dns/zone.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 9205271574..74ecace4a5 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1674,6 +1674,9 @@ dns_zone_setviewrevert(dns_zone_t *zone) {
dns_zone_setview_helper(zone, zone->prev_view);
dns_view_weakdetach(&zone->prev_view);
}
+ if (zone->catzs != NULL) {
+ zone_catz_enable(zone, zone->catzs);
+ }
if (inline_secure(zone)) {
dns_zone_setviewrevert(zone->raw);
}
--
2.23.0


@ -1,85 +0,0 @@
From 885e44650b547cff88095d01769e303474582612 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 5 Jan 2022 09:38:36 +0000
Subject: [PATCH] Separate the locked parts of dns_zone_catz_enable/disable
functions
Separate the locked parts of dns_zone_catz_enable() and
dns_zone_catz_disable() functions into static functions. This will
let us perform those tasks from the other parts of the module while
the zone is locked, avoiding one pair of additional unlocking and
locking operations.
(cherry picked from commit 6b937ed5f67a13cf6ad6249380073a6e647d7897)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/885e44650b547cff88095d01769e303474582612
---
lib/dns/zone.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2faf12519e..9205271574 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -871,6 +871,10 @@ static inline void
zone_attachdb(dns_zone_t *zone, dns_db_t *db);
static inline void
zone_detachdb(dns_zone_t *zone);
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+static void
+zone_catz_disable(dns_zone_t *zone);
static isc_result_t
default_journal(dns_zone_t *zone);
static void
@@ -1930,28 +1934,42 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
zone->rpzs->zones[zone->rpz_num]);
}
-void
-dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+static void
+zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(catzs != NULL);
- LOCK_ZONE(zone);
INSIST(zone->catzs == NULL || zone->catzs == catzs);
dns_catz_catzs_set_view(catzs, zone->view);
if (zone->catzs == NULL) {
dns_catz_catzs_attach(catzs, &zone->catzs);
}
- UNLOCK_ZONE(zone);
}
void
-dns_zone_catz_disable(dns_zone_t *zone) {
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
LOCK_ZONE(zone);
+ zone_catz_enable(zone, catzs);
+ UNLOCK_ZONE(zone);
+}
+
+static void
+zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
if (zone->catzs != NULL) {
dns_catz_catzs_detach(&zone->catzs);
}
+}
+
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone_catz_disable(zone);
UNLOCK_ZONE(zone);
}
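Review bot: The new static helpers `zone_catz_enable()` and `zone_catz_disable()` read and write `zone->catzs` without taking the zone lock, and nothing in their definitions states or enforces that the caller holds it. The commit message gives exactly that as the reason for the split, so it belongs in the code: add `/* Caller must hold the zone lock. */` above each helper. If the file's `LOCKED_ZONE()` macro is usable at this point, `REQUIRE(LOCKED_ZONE(zone));` as the first check would enforce it. The call added to dns_zone_setviewrevert() in the previous patch on this page depends on this precondition, and its locking is outside the visible hunk.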
--
2.27.0


@ -1,48 +0,0 @@
From 00e8bfcdfcb004c7585125b4dddd1de8dcf142ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 1 Feb 2022 18:36:12 +0100
Subject: [PATCH] Add log message when hard quota is reached in TCP accept
When isc_quota_attach_cb() API returns ISC_R_QUOTA (meaning hard quota
was reached) the accept_connection() would return without logging a
message about quota reached.
Change the connection callback to log the quota reached message.
(cherry picked from commit 2ae84702ad0482cbbd5da4113b47d63b23ffe386)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/00e8bfcdfcb004c7585125b4dddd1de8dcf142ae
---
lib/isc/netmgr/tcp.c | 2 +-
lib/isc/netmgr/tcpdns.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 05ef8d8cd5..133d6d9e61 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -627,7 +627,7 @@ tcp_connection_cb(uv_stream_t *server, int status) {
if (result == ISC_R_QUOTA) {
isc__nm_incstats(ssock->mgr,
ssock->statsindex[STATID_ACCEPTFAIL]);
- return;
+ goto done;
}
}
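Review bot: Jumping to `done` on ISC_R_QUOTA puts a log call on a path that remote peers can drive simply by opening connections until the hard quota is reached, and the `done` label with its logging is outside the hunk. Confirm that the message emitted there is rate-limited, so that a connection flood cannot also fill the log; the `can_log_quota` argument of isc__nm_accept_connection_log(), visible later on this page, suggests that is the intent. The identical change in tcpdns_connection_cb() needs the same confirmation. A one-line comment at the `goto` stating that the quota message is logged under `done:` would make the changed control flow obvious to the next reader.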
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index a1f500b352..38c8c692e1 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -596,7 +596,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) {
if (result == ISC_R_QUOTA) {
isc__nm_incstats(ssock->mgr,
ssock->statsindex[STATID_ACCEPTFAIL]);
- return;
+ goto done;
}
}
--
2.23.0


@ -1,452 +0,0 @@
From 6a88131d034ed58d3f0774721caa1e222fc7c245 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 9 Feb 2022 11:21:04 +0100
Subject: [PATCH] Add TCP, TCPDNS and TLSDNS write timer
When the outgoing TCP write buffers are full because the other party is
not reading the data, the uv_write() could wait indefinitely on the
uv_loop and never calling the callback. Add a new write timer that uses
the `tcp-idle-timeout` value to interrupt the TCP connection when we are
not able to send data for defined period of time.
(cherry picked from commit 408b3621696e39ac6dfe58be75fad168a37b31ff)
Conflict: UV_RUNTIME_CHECK to RUNTIME_CHECK
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6a88131d034ed58d3f0774721caa1e222fc7c245
---
lib/isc/netmgr/netmgr-int.h | 24 ++++++++++++++--
lib/isc/netmgr/netmgr.c | 18 +++++++++++-
lib/isc/netmgr/tcp.c | 51 +++++++++++++++++++++++++++++++--
lib/isc/netmgr/tcpdns.c | 56 ++++++++++++++++++++++++++++++-------
lib/isc/netmgr/udp.c | 32 +++++++++++++++++++--
5 files changed, 162 insertions(+), 19 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 6c6cf13..f22ecbc 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -753,6 +753,13 @@ struct isc_nmsocket {
uint64_t read_timeout;
uint64_t connect_timeout;
+ /*%
+ * TCP write timeout timer.
+ */
+ uv_timer_t write_timer;
+ uint64_t write_timeout;
+ int64_t writes;
+
/*% outer socket is for 'wrapped' sockets - e.g. tcpdns in tcp */
isc_nmsocket_t *outer;
@@ -1574,9 +1581,22 @@ void
isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async);
void
-isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+/*
+ * Timeout callbacks
+ */
void
-isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+void
+isc__nmsocket_readtimeout_cb(uv_timer_t *timer);
+void
+isc__nmsocket_writetimeout_cb(uv_timer_t *timer);
+/*%<
+ *
+ * Maximum number of simultaneous handles in flight supported for a single
+ * connected TCPDNS socket. This value was chosen arbitrarily, and may be
+ * changed in the future.
+ */
#define STREAM_CLIENTS_PER_CONN 23
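Review bot: The comment block moved in from tcpdns.c opens with `/*%<`, the marker for documenting the declaration that precedes it, so here it attaches to `isc__nmsocket_writetimeout_cb()` rather than to `STREAM_CLIENTS_PER_CONN`. Open it with `/*%` so that it documents the `#define` that follows. The three timeout callback prototypes under the new "Timeout callbacks" heading would each benefit from a one-line description of which timer they serve.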
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index f7acd0c..bbc66cd 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2000,7 +2000,21 @@ isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
isc_result_totext(result));
}
-static void
+void
+isc__nmsocket_writetimeout_cb(uv_timer_t *timer) {
+ isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
+
+ int r = uv_timer_stop(&sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+
+ /* The shutdown will be handled in the respective close functions */
+ r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL);
+ UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
+
+ isc__nmsocket_shutdown(sock);
+}
+
+void
isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
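Review bot: `isc__nmsocket_writetimeout_cb()` uses the pointer returned by uv_handle_get_data() and resets `sock->uv_handle.tcp` without validating the socket, although the udp.c hunks of this patch initialise the same write timer on UDP sockets. Add `REQUIRE(VALID_NMSOCK(sock));` and `REQUIRE(sock->tid == isc_nm_tid());` as the first statements, and consider asserting the socket type before uv_tcp_close_reset(). Passing NULL as the close callback and then calling isc__nmsocket_shutdown() also deserves a comment explaining why the regular close path will not close the same handle a second time; that path is outside the hunk.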
@@ -2333,6 +2347,8 @@ isc_nmhandle_keepalive(isc_nmhandle_t *handle, bool value) {
atomic_store(&sock->keepalive, value);
sock->read_timeout = value ? atomic_load(&sock->mgr->keepalive)
: atomic_load(&sock->mgr->idle);
+ sock->write_timeout = value ? atomic_load(&sock->mgr->keepalive)
+ : atomic_load(&sock->mgr->idle);
break;
default:
/*
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 7339f77..e7605de 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -142,6 +142,10 @@ tcp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ r = uv_timer_init(&worker->loop, &sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
if (r != 0) {
isc__nm_closesocket(sock->fd);
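Review bot: The added lines call `UV_RUNTIME_CHECK(uv_timer_init, r);` although the patch header records the backport conflict as "UV_RUNTIME_CHECK to RUNTIME_CHECK" and the context line directly above uses `RUNTIME_CHECK(r == 0);`. If the target tree does not define UV_RUNTIME_CHECK, which the header implies but the page does not show, this will not build. Replace it with `RUNTIME_CHECK(r == 0);` to match the surrounding code. The same macro is used in the other hunks of this patch in netmgr.c, tcp.c, tcpdns.c and udp.c.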
@@ -531,6 +535,10 @@ isc__nm_async_tcplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ r = uv_timer_init(&worker->loop, &sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+
LOCK(&sock->parent->lock);
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
@@ -971,6 +979,10 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
+ r = uv_timer_init(&worker->loop, &csock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&csock->write_timer, csock);
+
r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
if (r != 0) {
result = isc__nm_uverr2result(r);
@@ -1064,6 +1076,13 @@ isc__nm_tcp_send(isc_nmhandle_t *handle, const isc_region_t *region,
uvreq->cb.send = cb;
uvreq->cbarg = cbarg;
+ if (sock->write_timeout == 0) {
+ sock->write_timeout =
+ (atomic_load(&sock->keepalive)
+ ? atomic_load(&sock->mgr->keepalive)
+ : atomic_load(&sock->mgr->idle));
+ }
+
ievent = isc__nm_get_netievent_tcpsend(sock->mgr, sock, uvreq);
isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
@@ -1074,11 +1093,17 @@ isc__nm_tcp_send(isc_nmhandle_t *handle, const isc_region_t *region,
static void
tcp_send_cb(uv_write_t *req, int status) {
isc__nm_uvreq_t *uvreq = (isc__nm_uvreq_t *)req->data;
+
REQUIRE(VALID_UVREQ(uvreq));
REQUIRE(VALID_NMHANDLE(uvreq->handle));
isc_nmsocket_t *sock = uvreq->sock;
+ if (--sock->writes == 0) {
+ int r = uv_timer_stop(&sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+ }
+
if (status < 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
failed_send_cb(sock, uvreq, isc__nm_uverr2result(status));
@@ -1122,6 +1147,11 @@ tcp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
return (ISC_R_CANCELED);
}
+ r = uv_timer_start(&sock->write_timer, isc__nmsocket_writetimeout_cb,
+ sock->write_timeout, 0);
+ UV_RUNTIME_CHECK(uv_timer_start, r);
+ RUNTIME_CHECK(sock->writes++ >= 0);
+
r = uv_write(&req->uv_req.write, &sock->uv_handle.stream, &req->uvbuf,
1, tcp_send_cb);
if (r < 0) {
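Review bot: The write timer is armed and `sock->writes` incremented before uv_write() is attempted, so when uv_write() returns an error the completion callback never runs, the counter is never decremented and the timer stays armed. Unless the error branch, which continues outside the hunk, undoes both, the socket is reset when the timer fires and `writes` never returns to zero. Moving the two statements after the `r < 0` check, or adding `uv_timer_stop(&sock->write_timer);` and `sock->writes--;` to that branch, avoids this. The increment is also hidden inside `RUNTIME_CHECK(sock->writes++ >= 0);` and reads better as a separate statement; isc__nm_async_tcpdnssend() in tcpdns.c has the same ordering.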
@@ -1185,7 +1215,7 @@ tcp_close_cb(uv_handle_t *handle) {
}
static void
-timer_close_cb(uv_handle_t *handle) {
+read_timer_close_cb(uv_handle_t *handle) {
isc_nmsocket_t *sock = uv_handle_get_data(handle);
uv_handle_set_data(handle, NULL);
@@ -1198,6 +1228,17 @@ timer_close_cb(uv_handle_t *handle) {
}
}
+static void
+write_timer_close_cb(uv_handle_t *timer) {
+ isc_nmsocket_t *sock = uv_handle_get_data(timer);
+ uv_handle_set_data(timer, NULL);
+
+ REQUIRE(VALID_NMSOCK(sock));
+
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
+}
+
static void
stop_tcp_child(isc_nmsocket_t *sock) {
REQUIRE(sock->type == isc_nm_tcpsocket);
@@ -1250,6 +1291,8 @@ stop_tcp_parent(isc_nmsocket_t *sock) {
static void
tcp_close_direct(isc_nmsocket_t *sock) {
+ int r;
+
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
REQUIRE(atomic_load(&sock->closing));
@@ -1271,8 +1314,10 @@ tcp_close_direct(isc_nmsocket_t *sock) {
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- uv_close((uv_handle_t *)&sock->read_timer, timer_close_cb);
+ r = uv_timer_stop(&sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+ uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb);
}
void
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 7aaaee9..a822aa2 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -35,13 +35,6 @@
#include "netmgr-int.h"
#include "uv-compat.h"
-/*%<
- *
- * Maximum number of simultaneous handles in flight supported for a single
- * connected TCPDNS socket. This value was chosen arbitrarily, and may be
- * changed in the future.
- */
-
static atomic_uint_fast32_t last_tcpdnsquota_log = ATOMIC_VAR_INIT(0);
static bool
@@ -107,6 +100,10 @@ tcpdns_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ r = uv_timer_init(&worker->loop, &sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+
if (isc__nm_closing(sock)) {
result = ISC_R_CANCELED;
goto error;
@@ -500,6 +497,10 @@ isc__nm_async_tcpdnslisten(isc__networker_t *worker, isc__netievent_t *ev0) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ r = uv_timer_init(&worker->loop, &sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+
LOCK(&sock->parent->lock);
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
@@ -945,6 +946,10 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
+ r = uv_timer_init(&worker->loop, &csock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&csock->write_timer, csock);
+
r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
if (r != 0) {
result = isc__nm_uverr2result(r);
@@ -1059,6 +1064,13 @@ isc__nm_tcpdns_send(isc_nmhandle_t *handle, isc_region_t *region,
uvreq->cb.send = cb;
uvreq->cbarg = cbarg;
+ if (sock->write_timeout == 0) {
+ sock->write_timeout =
+ (atomic_load(&sock->keepalive)
+ ? atomic_load(&sock->mgr->keepalive)
+ : atomic_load(&sock->mgr->idle));
+ }
+
ievent = isc__nm_get_netievent_tcpdnssend(sock->mgr, sock, uvreq);
isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
@@ -1076,6 +1088,11 @@ tcpdns_send_cb(uv_write_t *req, int status) {
sock = uvreq->sock;
+ if (--sock->writes == 0) {
+ int r = uv_timer_stop(&sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+ }
+
if (status < 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
isc__nm_failed_send_cb(sock, uvreq,
@@ -1140,6 +1157,11 @@ isc__nm_async_tcpdnssend(isc__networker_t *worker, isc__netievent_t *ev0) {
goto fail;
}
+ r = uv_timer_start(&sock->write_timer, isc__nmsocket_writetimeout_cb,
+ sock->write_timeout, 0);
+ UV_RUNTIME_CHECK(uv_timer_start, r);
+ RUNTIME_CHECK(sock->writes++ >= 0);
+
r = uv_write(&uvreq->uv_req.write, &sock->uv_handle.stream, bufs, nbufs,
tcpdns_send_cb);
if (r < 0) {
@@ -1212,7 +1234,7 @@ tcpdns_close_cb(uv_handle_t *handle) {
}
static void
-timer_close_cb(uv_handle_t *timer) {
+read_timer_close_cb(uv_handle_t *timer) {
isc_nmsocket_t *sock = uv_handle_get_data(timer);
uv_handle_set_data(timer, NULL);
@@ -1227,6 +1249,17 @@ timer_close_cb(uv_handle_t *timer) {
}
}
+static void
+write_timer_close_cb(uv_handle_t *timer) {
+ isc_nmsocket_t *sock = uv_handle_get_data(timer);
+ uv_handle_set_data(timer, NULL);
+
+ REQUIRE(VALID_NMSOCK(sock));
+
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
+}
+
static void
stop_tcpdns_child(isc_nmsocket_t *sock) {
REQUIRE(sock->type == isc_nm_tcpdnssocket);
@@ -1279,6 +1312,7 @@ stop_tcpdns_parent(isc_nmsocket_t *sock) {
static void
tcpdns_close_direct(isc_nmsocket_t *sock) {
+ int r;
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
REQUIRE(atomic_load(&sock->closing));
@@ -1294,8 +1328,10 @@ tcpdns_close_direct(isc_nmsocket_t *sock) {
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- uv_close((uv_handle_t *)&sock->read_timer, timer_close_cb);
+ r = uv_timer_stop(&sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+ uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb);
}
void
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index d33dc4c..d3fffe0 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -46,7 +46,10 @@ static void
udp_close_cb(uv_handle_t *handle);
static void
-timer_close_cb(uv_handle_t *handle);
+read_timer_close_cb(uv_handle_t *handle);
+
+static void
+write_timer_close_cb(uv_handle_t *handle);
static void
udp_close_direct(isc_nmsocket_t *sock);
@@ -230,6 +233,10 @@ isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ r = uv_timer_init(&worker->loop, &sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+
LOCK(&sock->parent->lock);
r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
@@ -628,6 +635,10 @@ udp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ r = uv_timer_init(&worker->loop, &sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+
r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
if (r != 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
@@ -972,7 +983,7 @@ udp_close_cb(uv_handle_t *handle) {
}
static void
-timer_close_cb(uv_handle_t *handle) {
+read_timer_close_cb(uv_handle_t *handle) {
isc_nmsocket_t *sock = uv_handle_get_data(handle);
uv_handle_set_data(handle, NULL);
@@ -983,6 +994,17 @@ timer_close_cb(uv_handle_t *handle) {
}
}
+static void
+write_timer_close_cb(uv_handle_t *timer) {
+ isc_nmsocket_t *sock = uv_handle_get_data(timer);
+ uv_handle_set_data(timer, NULL);
+
+ REQUIRE(VALID_NMSOCK(sock));
+
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
+}
+
static void
stop_udp_child(isc_nmsocket_t *sock) {
REQUIRE(sock->type == isc_nm_udpsocket);
@@ -1035,10 +1057,14 @@ stop_udp_parent(isc_nmsocket_t *sock) {
static void
udp_close_direct(isc_nmsocket_t *sock) {
+ int r;
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
- uv_close((uv_handle_t *)&sock->read_timer, timer_close_cb);
+ r = uv_timer_stop(&sock->write_timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+ uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
+ uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb);
}
void
--
2.27.0


@ -1,102 +0,0 @@
From 260b4c02cf3540e4a71b22f573958da24d89c7a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 9 Feb 2022 12:46:29 +0100
Subject: [PATCH] Add TCP write timeout system test
Extend the timeouts system test that bursts the queries for large TXT
record and never read any responses back filling up the server TCP write
buffer. The test should work with the default wmem_max value on
Linux (208k).
(cherry picked from commit b735182ae0912759f5576557ade7660f4ea9c949)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/260b4c02cf3540e4a71b22f573958da24d89c7a2
---
bin/tests/system/timeouts/setup.sh | 5 ++++
bin/tests/system/timeouts/tests-tcp.py | 36 +++++++++++++++++++++++---
2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/bin/tests/system/timeouts/setup.sh b/bin/tests/system/timeouts/setup.sh
index 2e8fd6a6ba..c4019d2a27 100644
--- a/bin/tests/system/timeouts/setup.sh
+++ b/bin/tests/system/timeouts/setup.sh
@@ -20,6 +20,11 @@ copy_setports ns1/named.conf.in ns1/named.conf
# tcp-initial-timeout interval
#
$PYTHON -c "
+print('large IN TXT', end=' ')
+for a in range(128):
+ print('\"%s\"' % ('A' * 240), end=' ')
+print('')
+
for a in range(150000):
print('%s IN NS a' % (a))
print('%s IN NS b' % (a))" > ns1/large.db
diff --git a/bin/tests/system/timeouts/tests-tcp.py b/bin/tests/system/timeouts/tests-tcp.py
index 2c5e99cc1c..e1f19608c8 100644
--- a/bin/tests/system/timeouts/tests-tcp.py
+++ b/bin/tests/system/timeouts/tests-tcp.py
@@ -51,7 +51,7 @@ def test_initial_timeout(port):
try:
(sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
(response, rtime) = dns.query.receive_tcp(sock, timeout())
- except ConnectionResetError as e:
+ except ConnectionError as e:
raise EOFError from e
@@ -83,7 +83,7 @@ def test_idle_timeout(port):
try:
(sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
(response, rtime) = dns.query.receive_tcp(sock, timeout())
- except ConnectionResetError as e:
+ except ConnectionError as e:
raise EOFError from e
@@ -152,7 +152,7 @@ def test_pipelining_timeout(port):
try:
(sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
(response, rtime) = dns.query.receive_tcp(sock, timeout())
- except ConnectionResetError as e:
+ except ConnectionError as e:
raise EOFError from e
@@ -190,3 +190,33 @@ def test_long_axfr(port):
if soa is not None:
break
assert soa is not None
+
+
+@pytest.mark.dnspython
+@pytest.mark.dnspython2
+def test_send_timeout(port):
+ import dns.query
+
+ with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
+ sock.connect(("10.53.0.1", port))
+
+ # Send and receive single large RDATA over TCP
+ msg = create_msg("large.example.", "TXT")
+ (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+ (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+ # Send and receive 28 large (~32k) DNS queries that should
+ # fill the default maximum 208k TCP send buffer
+ for n in range(28):
+ (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+ # configure idle interval is 5 seconds, sleep 6 to make sure we are
+ # above the interval
+ time.sleep(6)
+
+ with pytest.raises(EOFError):
+ try:
+ (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+ (response, rtime) = dns.query.receive_tcp(sock, timeout())
+ except ConnectionError as e:
+ raise EOFError from e
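Review bot: The burst in test_send_timeout is sized for one kernel setting, which makes the test environment-dependent. `range(28)` with ~32k responses assumes the default Linux wmem_max of 208k named in the commit message, so on a host with a larger send buffer the server may never block on write and the test could pass without the write timeout firing. The comment above the loop says "Send and receive" although the loop only sends; `# Send 28 large (~32k) DNS queries without reading the responses, to fill` would match the code. The loop variable `n` is unused and could be `_`, and "configure idle interval" in the next comment should read "configured".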
--
2.23.0


@ -1,64 +0,0 @@
From 1d0f2eb2c495a079101b6f6fd66ff22d95a4ab04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 9 Feb 2022 19:48:13 +0100
Subject: [PATCH] Add isc_nmhandle_setwritetimeout() function
In some situations (unit test and forthcoming XFR timeouts MR), we need
to modify the write timeout independently of the read timeout. Add a
isc_nmhandle_setwritetimeout() function that could be called before
isc_nm_send() to specify a custom write timeout interval.
(cherry picked from commit a89d9e0fa68b8d915c6a1c416543dd157d8b0b5a)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1d0f2eb2c495a079101b6f6fd66ff22d95a4ab04
---
lib/isc/include/isc/netmgr.h | 3 +++
lib/isc/netmgr/netmgr.c | 8 ++++++++
lib/isc/win32/libisc.def.in | 1 +
3 files changed, 12 insertions(+)
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index f8477b0018..39dba1d376 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -489,3 +489,6 @@ isc__nm_force_tid(int tid);
* Force the thread ID to 'tid'. This is STRICTLY for use in unit
* tests and should not be used in any production code.
*/
+
+void
+isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout);
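Review bot: The new public prototype isc_nmhandle_setwritetimeout() has no description, while the declaration just above it in this header carries a `/*%< ... */` block. The contract given in the commit message belongs here: it sets a write timeout independent of the read timeout and is meant to be called before isc_nm_send(). Something like `/*%< Set the write timeout for the socket behind 'handle'; call before isc_nm_send(). */` would do, together with the unit of `write_timeout`, which this hunk does not show.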
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 6bc8c64337..31917be101 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -639,6 +639,14 @@ isc_nm_maxudp(isc_nm_t *mgr, uint32_t maxudp) {
atomic_store(&mgr->maxudp, maxudp);
}
+void
+isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout) {
+ REQUIRE(VALID_NMHANDLE(handle));
+ REQUIRE(VALID_NMSOCK(handle->sock));
+
+ handle->sock->write_timeout = write_timeout;
+}
+
void
isc_nm_settimeouts(isc_nm_t *mgr, uint32_t init, uint32_t idle,
uint32_t keepalive, uint32_t advertised) {
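Review bot: isc_nmhandle_setwritetimeout() stores to `handle->sock->write_timeout` as a plain write with no check that the caller is on the socket's own thread. Other socket functions on this page guard such access with `REQUIRE(sock->tid == isc_nm_tid());`, and the field is presumably read when the write timer is armed on that thread, so a call from another thread would be an unsynchronised write. Adding `REQUIRE(handle->sock->tid == isc_nm_tid());` after the two existing REQUIREs would make the contract explicit; confirm first that no existing caller runs off-thread.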
diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
index de65c63b7d..79e7b64a58 100644
--- a/lib/isc/win32/libisc.def.in
+++ b/lib/isc/win32/libisc.def.in
@@ -457,6 +457,7 @@ isc_nmhandle_localaddr
isc_nmhandle_peeraddr
isc_nmhandle_setdata
isc_nmhandle_settimeout
+isc_nmhandle_setwritetimeout
isc_nm_attach
isc_nm_cancelread
isc_nm_detach
--
2.23.0


@ -1,279 +0,0 @@
From eb2463115fcf033b7756c1eeb036696e0595acbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 9 Feb 2022 10:59:08 +0100
Subject: [PATCH] Rename sock->timer to sock->read_timer
Before adding the write timer, we have to remove the generic sock->timer
to sock->read_timer. We don't touch the function names to limit the
impact of the refactoring.
(cherry picked from commit 45a73c113f2982b7171632d75d4bbb51d4e6bb53)
Conflict: UV_RUNTIME_CHECK to RUNTIME_CHECK
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/eb2463115fcf033b7756c1eeb036696e0595acbd
---
lib/isc/netmgr/netmgr-int.h | 2 +-
lib/isc/netmgr/netmgr.c | 13 +++++++------
lib/isc/netmgr/tcp.c | 23 ++++++++++++-----------
lib/isc/netmgr/tcpdns.c | 20 +++++++++++---------
lib/isc/netmgr/udp.c | 10 +++++-----
5 files changed, 36 insertions(+), 32 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index b4299d5..6c6cf13 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -749,7 +749,7 @@ struct isc_nmsocket {
/*%
* TCP read/connect timeout timers.
*/
- uv_timer_t timer;
+ uv_timer_t read_timer;
uint64_t read_timeout;
uint64_t connect_timeout;
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 2867d25..f7acd0c 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1913,7 +1913,7 @@ isc__nm_failed_connect_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
REQUIRE(req->cb.connect != NULL);
isc__nmsocket_timer_stop(sock);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
INSIST(atomic_compare_exchange_strong(&sock->connecting,
&(bool){ true }, false));
@@ -2036,7 +2036,7 @@ isc__nmsocket_timer_restart(isc_nmsocket_t *sock) {
return;
}
- r = uv_timer_start(&sock->timer,
+ r = uv_timer_start(&sock->read_timer,
isc__nmsocket_connecttimeout_cb,
sock->connect_timeout + 10, 0);
@@ -2045,7 +2045,8 @@ isc__nmsocket_timer_restart(isc_nmsocket_t *sock) {
return;
}
- r = uv_timer_start(&sock->timer, isc__nmsocket_readtimeout_cb,
+ r = uv_timer_start(&sock->read_timer,
+ isc__nmsocket_readtimeout_cb,
sock->read_timeout, 0);
}
@@ -2056,7 +2057,7 @@ bool
isc__nmsocket_timer_running(isc_nmsocket_t *sock) {
REQUIRE(VALID_NMSOCK(sock));
- return (uv_is_active((uv_handle_t *)&sock->timer));
+ return (uv_is_active((uv_handle_t *)&sock->read_timer));
}
void
@@ -2076,7 +2077,7 @@ isc__nmsocket_timer_stop(isc_nmsocket_t *sock) {
/* uv_timer_stop() is idempotent, no need to check if running */
- int r = uv_timer_stop(&sock->timer);
+ int r = uv_timer_stop(&sock->read_timer);
RUNTIME_CHECK(r == 0);
}
@@ -2299,7 +2300,7 @@ isc_nmhandle_cleartimeout(isc_nmhandle_t *handle) {
default:
handle->sock->read_timeout = 0;
- if (uv_is_active((uv_handle_t *)&handle->sock->timer)) {
+ if (uv_is_active((uv_handle_t *)&handle->sock->read_timer)) {
isc__nmsocket_timer_stop(handle->sock);
}
}
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 1ac7808..7339f77 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -138,8 +138,9 @@ tcp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data(&sock->uv_handle.handle, sock);
- r = uv_timer_init(&worker->loop, &sock->timer);
+ r = uv_timer_init(&worker->loop, &sock->read_timer);
RUNTIME_CHECK(r == 0);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
if (r != 0) {
@@ -168,7 +169,8 @@ tcp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
}
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
- uv_handle_set_data((uv_handle_t *)&sock->timer, &req->uv_req.connect);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer,
+ &req->uv_req.connect);
isc__nmsocket_timer_start(sock);
atomic_store(&sock->connected, true);
@@ -229,7 +231,7 @@ tcp_connect_cb(uv_connect_t *uvreq, int status) {
REQUIRE(sock->tid == isc_nm_tid());
isc__nmsocket_timer_stop(sock);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
if (!atomic_load(&sock->connecting)) {
return;
@@ -524,10 +526,10 @@ isc__nm_async_tcplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
/* This keeps the socket alive after everything else is gone */
isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
- r = uv_timer_init(&worker->loop, &sock->timer);
+ r = uv_timer_init(&worker->loop, &sock->read_timer);
RUNTIME_CHECK(r == 0);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
LOCK(&sock->parent->lock);
@@ -965,9 +967,9 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data(&csock->uv_handle.handle, csock);
- r = uv_timer_init(&worker->loop, &csock->timer);
+ r = uv_timer_init(&worker->loop, &csock->read_timer);
RUNTIME_CHECK(r == 0);
- uv_handle_set_data((uv_handle_t *)&csock->timer, csock);
+ uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
if (r != 0) {
@@ -1269,8 +1271,8 @@ tcp_close_direct(isc_nmsocket_t *sock) {
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
- uv_close((uv_handle_t *)&sock->timer, timer_close_cb);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, timer_close_cb);
}
void
@@ -1388,7 +1390,7 @@ isc__nm_async_tcpcancel(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
UNUSED(worker);
- uv_timer_stop(&sock->timer);
+ uv_timer_stop(&sock->read_timer);
isc__nm_tcp_failed_read_cb(sock, ISC_R_EOF);
}
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 7f66da0..7aaaee9 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -103,8 +103,9 @@ tcpdns_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data(&sock->uv_handle.handle, sock);
- r = uv_timer_init(&worker->loop, &sock->timer);
+ r = uv_timer_init(&worker->loop, &sock->read_timer);
RUNTIME_CHECK(r == 0);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
if (isc__nm_closing(sock)) {
result = ISC_R_CANCELED;
@@ -142,7 +143,8 @@ tcpdns_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
}
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CONNECT]);
- uv_handle_set_data((uv_handle_t *)&sock->timer, &req->uv_req.connect);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer,
+ &req->uv_req.connect);
isc__nmsocket_timer_start(sock);
atomic_store(&sock->connected, true);
@@ -203,7 +205,7 @@ tcpdns_connect_cb(uv_connect_t *uvreq, int status) {
REQUIRE(sock->tid == isc_nm_tid());
isc__nmsocket_timer_stop(sock);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
if (!atomic_load(&sock->connecting)) {
return;
@@ -494,9 +496,9 @@ isc__nm_async_tcpdnslisten(isc__networker_t *worker, isc__netievent_t *ev0) {
/* This keeps the socket alive after everything else is gone */
isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
- r = uv_timer_init(&worker->loop, &sock->timer);
+ r = uv_timer_init(&worker->loop, &sock->read_timer);
RUNTIME_CHECK(r == 0);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
LOCK(&sock->parent->lock);
@@ -939,9 +941,9 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data(&csock->uv_handle.handle, csock);
- r = uv_timer_init(&worker->loop, &csock->timer);
+ r = uv_timer_init(&worker->loop, &csock->read_timer);
RUNTIME_CHECK(r == 0);
- uv_handle_set_data((uv_handle_t *)&csock->timer, csock);
+ uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
if (r != 0) {
@@ -1292,8 +1294,8 @@ tcpdns_close_direct(isc_nmsocket_t *sock) {
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
- uv_close((uv_handle_t *)&sock->timer, timer_close_cb);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, timer_close_cb);
}
void
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index a91c425..d33dc4c 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -226,9 +226,9 @@ isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
/* This keeps the socket alive after everything else is gone */
isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
- r = uv_timer_init(&worker->loop, &sock->timer);
+ r = uv_timer_init(&worker->loop, &sock->read_timer);
RUNTIME_CHECK(r == 0);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
LOCK(&sock->parent->lock);
@@ -624,9 +624,9 @@ udp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data(&sock->uv_handle.handle, sock);
- r = uv_timer_init(&worker->loop, &sock->timer);
+ r = uv_timer_init(&worker->loop, &sock->read_timer);
RUNTIME_CHECK(r == 0);
- uv_handle_set_data((uv_handle_t *)&sock->timer, sock);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
if (r != 0) {
@@ -1038,7 +1038,7 @@ udp_close_direct(isc_nmsocket_t *sock) {
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
- uv_close((uv_handle_t *)&sock->timer, timer_close_cb);
+ uv_close((uv_handle_t *)&sock->read_timer, timer_close_cb);
}
void
--
2.27.0


@ -1,40 +0,0 @@
From 3f24bd2bce5134a5eaac4136e1d363c567c46a94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 10 Feb 2022 08:42:22 +0100
Subject: [PATCH] Update writetimeout to be T_IDLE in netmgr_test.c
Use the isc_nmhandle_setwritetimeout() function in the netmgr unit test
to allow more time for writing and reading the responses because some of
the intervals that are used in the unit tests are really small leaving a
little room for any delays.
(cherry picked from commit ee359d6ffa701e5f9781ec75622af22736506bdd)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/3f24bd2bce5134a5eaac4136e1d363c567c46a94
---
lib/isc/tests/netmgr_test.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/isc/tests/netmgr_test.c b/lib/isc/tests/netmgr_test.c
index 41113ab7c8..50890e0ab5 100644
--- a/lib/isc/tests/netmgr_test.c
+++ b/lib/isc/tests/netmgr_test.c
@@ -418,6 +418,7 @@ connect_send(isc_nmhandle_t *handle) {
isc_nmhandle_t *sendhandle = NULL;
isc_refcount_increment0(&active_csends);
isc_nmhandle_attach(handle, &sendhandle);
+ isc_nmhandle_setwritetimeout(handle, T_IDLE);
if (atomic_fetch_sub(&nsends, 1) > 1) {
isc_nm_send(sendhandle, (isc_region_t *)&send_msg,
connect_send_cb, NULL);
@@ -529,6 +530,7 @@ listen_read_cb(isc_nmhandle_t *handle, isc_result_t eresult,
isc_nmhandle_t *sendhandle = NULL;
isc_nmhandle_attach(handle, &sendhandle);
isc_refcount_increment0(&active_ssends);
+ isc_nmhandle_setwritetimeout(sendhandle, T_IDLE);
isc_nm_send(sendhandle, (isc_region_t *)&send_msg,
listen_send_cb, cbarg);
}
--
2.23.0


@ -1,185 +0,0 @@
From 60e82835ecc0791b2de5131eeb7c636b000577f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Wed, 23 Feb 2022 14:39:11 +0100
Subject: [PATCH] Fix more ns_statscounter_recursclients underflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit aab691d51266f552a7923db32686fb9398b1d255 did not fix all possible
scenarios in which the ns_statscounter_recursclients counter underflows.
The solution implemented therein can be ineffective e.g. when CNAME
chaining happens with prefetching enabled.
Here is an example recursive resolution scenario in which the
ns_statscounter_recursclients counter can underflow with the current
logic in effect:
1. Query processing starts, the answer is not found in the cache, so
recursion is started. The NS_CLIENTATTR_RECURSING attribute is set.
ns_statscounter_recursclients is incremented (Δ = +1).
2. Recursion completes, returning a CNAME. client->recursionquota is
non-NULL, so the NS_CLIENTATTR_RECURSING attribute remains set.
ns_statscounter_recursclients is decremented (Δ = 0).
3. Query processing restarts.
4. The current QNAME (the target of the CNAME from step 2) is found in
the cache, with a TTL low enough to trigger a prefetch.
5. query_prefetch() attaches to client->recursionquota.
ns_statscounter_recursclients is not incremented because
query_prefetch() does not do that (Δ = 0).
6. Query processing restarts.
7. The current QNAME (the target of the CNAME from step 4) is not found
in the cache, so recursion is started. client->recursionquota is
already attached to (since step 5) and the NS_CLIENTATTR_RECURSING
attribute is set (since step 1), so ns_statscounter_recursclients is
not incremented (Δ = 0).
8. The prefetch from step 5 completes. client->recursionquota is
detached from in prefetch_done(). ns_statscounter_recursclients is
not decremented because prefetch_done() does not do that (Δ = 0).
9. Recursion for the current QNAME completes. client->recursionquota
is already detached from, i.e. set to NULL (since step 8), and the
NS_CLIENTATTR_RECURSING attribute is set (since step 1), so
ns_statscounter_recursclients is decremented (Δ = -1).
Another possible scenario is that after step 7, recursion for the target
of the CNAME from step 4 completes before the prefetch for the CNAME
itself. fetch_callback() then notices that client->recursionquota is
non-NULL and decrements ns_statscounter_recursclients, even though
client->recursionquota was attached to by query_prefetch() and therefore
not accompanied by an incrementation of ns_statscounter_recursclients.
The net result is also an underflow.
Instead of trying to properly handle all possible orderings of events
set into motion by normal recursion and prefetch-triggered recursion,
adjust ns_statscounter_recursclients whenever the recursive clients
quota is successfully attached to or detached from. Remove the
NS_CLIENTATTR_RECURSING attribute altogether as its only purpose is made
obsolete by this change.
(cherry picked from commit f7482b68b9623cad01f21fc8816d84a29183f2d1)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/60e82835ecc0791b2de5131eeb7c636b000577f2
---
lib/ns/include/ns/client.h | 3 +--
lib/ns/query.c | 46 +++++++++++++++-----------------------
2 files changed, 19 insertions(+), 30 deletions(-)
diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h
index 1fd08633d3..91e8ccf8dc 100644
--- a/lib/ns/include/ns/client.h
+++ b/lib/ns/include/ns/client.h
@@ -270,8 +270,7 @@ struct ns_client {
#define NS_CLIENTATTR_WANTPAD 0x08000 /*%< pad reply */
#define NS_CLIENTATTR_USEKEEPALIVE 0x10000 /*%< use TCP keepalive */
-#define NS_CLIENTATTR_NOSETFC 0x20000 /*%< don't set servfail cache */
-#define NS_CLIENTATTR_RECURSING 0x40000 /*%< client is recursing */
+#define NS_CLIENTATTR_NOSETFC 0x20000 /*%< don't set servfail cache */
/*
* Flag to use with the SERVFAIL cache to indicate
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 335d877d48..176c552b41 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2486,6 +2486,8 @@ prefetch_done(isc_task_t *task, isc_event_t *event) {
*/
if (client->recursionquota != NULL) {
isc_quota_detach(&client->recursionquota);
+ ns_stats_decrement(client->sctx->nsstats,
+ ns_statscounter_recursclients);
}
free_devent(client, &event, &devent);
@@ -2513,10 +2515,15 @@ query_prefetch(ns_client_t *client, dns_name_t *qname,
if (client->recursionquota == NULL) {
result = isc_quota_attach(&client->sctx->recursionquota,
&client->recursionquota);
- if (result == ISC_R_SOFTQUOTA) {
+ switch (result) {
+ case ISC_R_SUCCESS:
+ ns_stats_increment(client->sctx->nsstats,
+ ns_statscounter_recursclients);
+ break;
+ case ISC_R_SOFTQUOTA:
isc_quota_detach(&client->recursionquota);
- }
- if (result != ISC_R_SUCCESS) {
+ /* FALLTHROUGH */
+ default:
return;
}
}
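Review bot: The attach-and-count switch added to query_prefetch() is repeated line for line in the query_rpzfetch() hunk that follows, so the rule this commit introduces lives in two copies. That rule is that ns_statscounter_recursclients changes exactly when the recursion quota is attached or detached, and a later edit to one copy would bring back the counter drift the commit message describes. A small static helper used by both callers keeps the rule in one place; the name below is only a suggestion. Both functions continue outside their hunks, so other attach sites, such as the one in ns_query_recurse(), would need checking separately.

```c
/* Attach to the recursion quota; count the client only on full success. */
static isc_result_t
recursionquota_attach(ns_client_t *client) {
	isc_result_t result = isc_quota_attach(&client->sctx->recursionquota,
					       &client->recursionquota);

	switch (result) {
	case ISC_R_SUCCESS:
		ns_stats_increment(client->sctx->nsstats,
				   ns_statscounter_recursclients);
		break;
	case ISC_R_SOFTQUOTA:
		/* Soft quota reached: give the slot back, do not count it. */
		isc_quota_detach(&client->recursionquota);
		break;
	default:
		break;
	}
	return (result);
}

/* … in query_prefetch() and query_rpzfetch(), replacing the switch … */
	if (client->recursionquota == NULL) {
		if (recursionquota_attach(client) != ISC_R_SUCCESS) {
			return;
		}
	}
```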
@@ -2726,10 +2733,15 @@ query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
if (client->recursionquota == NULL) {
result = isc_quota_attach(&client->sctx->recursionquota,
&client->recursionquota);
- if (result == ISC_R_SOFTQUOTA) {
+ switch (result) {
+ case ISC_R_SUCCESS:
+ ns_stats_increment(client->sctx->nsstats,
+ ns_statscounter_recursclients);
+ break;
+ case ISC_R_SOFTQUOTA:
isc_quota_detach(&client->recursionquota);
- }
- if (result != ISC_R_SUCCESS) {
+ /* FALLTHROUGH */
+ default:
return;
}
}
@@ -6094,15 +6106,6 @@ fetch_callback(isc_task_t *task, isc_event_t *event) {
isc_quota_detach(&client->recursionquota);
ns_stats_decrement(client->sctx->nsstats,
ns_statscounter_recursclients);
- } else if (client->attributes & NS_CLIENTATTR_RECURSING) {
- client->attributes &= ~NS_CLIENTATTR_RECURSING;
- /*
- * Detached from recursionquota via prefetch_done(),
- * but need to decrement recursive client stats here anyway,
- * since it was incremented in ns_query_recurse().
- */
- ns_stats_decrement(client->sctx->nsstats,
- ns_statscounter_recursclients);
}
LOCK(&client->manager->reclock);
@@ -6268,7 +6271,6 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
ns_stats_increment(client->sctx->nsstats,
ns_statscounter_recursclients);
- client->attributes |= NS_CLIENTATTR_RECURSING;
}
if (result == ISC_R_SOFTQUOTA) {
@@ -6323,18 +6325,6 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
dns_message_clonebuffer(client->message);
ns_client_recursing(client);
- } else if ((client->attributes & NS_CLIENTATTR_RECURSING) == 0) {
- client->attributes |= NS_CLIENTATTR_RECURSING;
- /*
- * query_prefetch() attached first to client->recursionquota,
- * but we must check if NS_CLIENTATTR_RECURSING attribute is
- * on, if not then turn it on and increment recursing clients
- * stats counter only once. The attribute is also checked in
- * fetch_callback() to know if a matching decrement to this
- * counter should be applied.
- */
- ns_stats_increment(client->sctx->nsstats,
- ns_statscounter_recursclients);
}
/*
--
2.23.0


@ -1,40 +0,0 @@
From af2bddc242ae963c89e2f06e5a2587479ceced99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 23 Feb 2022 22:04:05 +0100
Subject: [PATCH] Properly free up enqueued netievents in nm_destroy()
When the isc_netmgr is being destroyed, the normal and priority queues
should be dequeued and netievents properly freed. This wasn't the case.
(cherry picked from commit 88418c33729804cc86a9492e3e30f1123f56ddcd)
Conflict: isc_mem_put to isc_mempool_put
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/af2bddc242ae963c89e2f06e5a2587479ceced99
---
lib/isc/netmgr/netmgr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index ff5fd0f..6c24d41 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -418,14 +418,14 @@ nm_destroy(isc_nm_t **mgr0) {
/* Empty the async event queues */
while ((ievent = DEQUEUE_PRIORITY_NETIEVENT(worker)) != NULL) {
- isc_mempool_put(mgr->evpool, ievent);
+ isc__nm_put_netievent(mgr, ievent);
}
INSIST(DEQUEUE_PRIVILEGED_NETIEVENT(worker) == NULL);
INSIST(DEQUEUE_TASK_NETIEVENT(worker) == NULL);
- while ((ievent = DEQUEUE_PRIORITY_NETIEVENT(worker)) != NULL) {
- isc_mempool_put(mgr->evpool, ievent);
+ while ((ievent = DEQUEUE_NORMAL_NETIEVENT(worker)) != NULL) {
+ isc__nm_put_netievent(mgr, ievent);
}
isc_condition_destroy(&worker->cond_prio);
isc_mutex_destroy(&worker->lock);
--
2.27.0


@ -1,139 +0,0 @@
From 7b8e265a407db4adc14939acc6a3bbacda86bed1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 22 Feb 2022 18:12:18 +0100
Subject: [PATCH] Delay isc__nm_uvreq_t deallocation to connection callback
When the TCP, TCPDNS or TLSDNS connection times out, the isc__nm_uvreq_t
would be pushed into sock->inactivereqs before the uv_tcp_connect()
callback finishes. Because the isc__nmsocket_t keeps the list of
inactive isc__nm_uvreq_t, this would cause use-after-free only when the
sock->inactivereqs is full (which could never happen because the failure
happens in connection timeout callback) or when the sock->inactivereqs
mechanism is completely removed (f.e. when running under Address or
Thread Sanitizer).
Delay isc__nm_uvreq_t deallocation to the connection callback and only
signal the connection callback should be called by shutting down the
libuv socket from the connection timeout callback.
(cherry picked from commit 326862791689ea7029f381b4afd05c37abbd1fe7)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7b8e265a407db4adc14939acc6a3bbacda86bed1
---
lib/isc/netmgr/netmgr-int.h | 1 +
lib/isc/netmgr/netmgr.c | 19 ++++++++-----------
lib/isc/netmgr/tcp.c | 9 +++++----
lib/isc/netmgr/tcpdns.c | 11 ++++++-----
4 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 23b197179a..30f4734171 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -833,6 +833,7 @@ struct isc_nmsocket {
atomic_bool connected;
bool accepting;
bool reading;
+ atomic_bool timedout;
isc_refcount_t references;
/*%
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 4bd45e7235..a8e3290f52 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1509,6 +1509,7 @@ isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type,
atomic_init(&sock->connecting, false);
atomic_init(&sock->keepalive, false);
atomic_init(&sock->connected, false);
+ atomic_init(&sock->timedout, false);
atomic_init(&sock->active_child_connections, 0);
@@ -1936,18 +1937,14 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) {
isc__nmsocket_timer_stop(sock);
- /* Call the connect callback directly */
-
- req->cb.connect(req->handle, ISC_R_TIMEDOUT, req->cbarg);
+ /*
+ * Mark the connection as timed out and shutdown the socket.
+ */
- /* Timer is not running, cleanup and shutdown everything */
- if (!isc__nmsocket_timer_running(sock)) {
- INSIST(atomic_compare_exchange_strong(&sock->connecting,
- &(bool){ true }, false));
- isc__nm_uvreq_put(&req, sock);
- isc__nmsocket_clearcb(sock);
- isc__nmsocket_shutdown(sock);
- }
+ INSIST(atomic_compare_exchange_strong(&sock->timedout, &(bool){ false },
+ true));
+ isc__nmsocket_clearcb(sock);
+ isc__nmsocket_shutdown(sock);
}
void
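Review bot: The new `INSIST(atomic_compare_exchange_strong(&sock->timedout, ...))` in isc__nmsocket_connecttimeout_cb() performs the state change inside an assertion macro. If this tree can be built with INSIST checks disabled, the compare-exchange goes away with the assertion, `timedout` is never set, and the connect callbacks would no longer report ISC_R_TIMEDOUT. Hoisting the side effect keeps it unconditional: `bool expected = false;`, `bool swapped = atomic_compare_exchange_strong(&sock->timedout, &expected, true);`, `INSIST(swapped);`. The same pattern appears for `sock->connecting` in isc__nm_failed_connect_cb() elsewhere on this page, and the start of this function lies outside the hunk.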
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index e562ef2d69..64914c29e3 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -239,15 +239,16 @@ tcp_connect_cb(uv_connect_t *uvreq, int status) {
isc__nmsocket_timer_stop(sock);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- if (!atomic_load(&sock->connecting)) {
- return;
- }
-
req = uv_handle_get_data((uv_handle_t *)uvreq);
REQUIRE(VALID_UVREQ(req));
REQUIRE(VALID_NMHANDLE(req->handle));
+ if (atomic_load(&sock->timedout)) {
+ result = ISC_R_TIMEDOUT;
+ goto error;
+ }
+
if (!atomic_load(&sock->connecting)) {
/*
* The connect was cancelled from timeout; just clean up
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 61a8e6b710..8fa2a43c5f 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -206,22 +206,23 @@ tcpdns_connect_cb(uv_connect_t *uvreq, int status) {
isc__nmsocket_timer_stop(sock);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- if (!atomic_load(&sock->connecting)) {
- return;
- }
-
req = uv_handle_get_data((uv_handle_t *)uvreq);
REQUIRE(VALID_UVREQ(req));
REQUIRE(VALID_NMHANDLE(req->handle));
+ if (atomic_load(&sock->timedout)) {
+ result = ISC_R_TIMEDOUT;
+ goto error;
+ }
+
if (isc__nmsocket_closing(sock)) {
/* Socket was closed midflight by isc__nm_tcpdns_shutdown() */
result = ISC_R_CANCELED;
goto error;
} else if (status == UV_ETIMEDOUT) {
/* Timeout status code here indicates hard error */
- result = ISC_R_CANCELED;
+ result = ISC_R_TIMEDOUT;
goto error;
} else if (status != 0) {
result = isc__nm_uverr2result(status);
--
2.23.0


@ -1,84 +0,0 @@
From ac5952aee8a6dbe38717b637d8476a625d25d91a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 28 Feb 2022 10:25:06 +0100
Subject: [PATCH] Handle TCP sockets in isc__nmsocket_reset()
The isc__nmsocket_reset() was missing a case for raw TCP sockets (used
by RNDC and DoH) which would cause an assertion failure when write timeout
would be triggered.
TCP sockets are now also properly handled in isc__nmsocket_reset().
(cherry picked from commit b220fb32bdb3c70f80b95d3611807deceab2bd55)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/ac5952aee8a6dbe38717b637d8476a625d25d91a
---
lib/isc/netmgr/netmgr.c | 38 +++++++++++++++++++++++++++++++++-----
1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 4829af52f9..b82ae64382 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -218,6 +218,9 @@ isc__nm_work_cb(uv_work_t *req);
static void
isc__nm_after_work_cb(uv_work_t *req, int status);
+void
+isc__nmsocket_reset(isc_nmsocket_t *sock);
+
/*%<
* Issue a 'handle closed' callback on the socket.
*/
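Review bot: The prototype for isc__nmsocket_reset() is inserted directly in front of an existing trailing `/*%< Issue a 'handle closed' callback on the socket. */` comment, so that comment now reads as if it described the new function. Blank lines are not preserved on this page, so the exact layout should be checked in the file. The new declaration should sit after that comment and carry its own description, for example `/*%< Send a TCP RST and shut the socket down; TCP and TCPDNS sockets only. */`. Because the function is not static, the shared internal header would be a more usual home for the prototype than a forward declaration in netmgr.c.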
@@ -1942,11 +1945,7 @@ isc__nmsocket_writetimeout_cb(uv_timer_t *timer) {
int r = uv_timer_stop(&sock->write_timer);
UV_RUNTIME_CHECK(uv_timer_stop, r);
- /* The shutdown will be handled in the respective close functions */
- r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL);
- UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
-
- isc__nmsocket_shutdown(sock);
+ isc__nmsocket_reset(sock);
}
void
@@ -2674,6 +2673,35 @@ isc__nm_async_detach(isc__networker_t *worker, isc__netievent_t *ev0) {
nmhandle_detach_cb(&ievent->handle FLARG_PASS);
}
+void
+isc__nmsocket_reset(isc_nmsocket_t *sock) {
+ REQUIRE(VALID_NMSOCK(sock));
+
+ switch (sock->type) {
+ case isc_nm_tcpsocket:
+ case isc_nm_tcpdnssocket:
+ /*
+ * This can be called from the TCP write timeout.
+ */
+ REQUIRE(sock->parent == NULL);
+ break;
+ default:
+ INSIST(0);
+ ISC_UNREACHABLE();
+ break;
+ }
+
+ if (!uv_is_closing(&sock->uv_handle.handle)) {
+ /*
+ * The real shutdown will be handled in the respective
+ * close functions.
+ */
+ int r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL);
+ UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
+ }
+ isc__nmsocket_shutdown(sock);
+}
+
void
isc__nmsocket_shutdown(isc_nmsocket_t *sock) {
REQUIRE(VALID_NMSOCK(sock));
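Review bot: `UV_RUNTIME_CHECK(uv_tcp_close_reset, r)` in the new isc__nmsocket_reset() appears to treat a failed reset as fatal, and this function is reached from the write-timeout callback, so a condition a remote peer can bring about could end in a process abort instead of a closed connection. uv_tcp_close_reset() can return an error, for example when a shutdown is already pending on the handle, so I would log the failure and fall through to the `isc__nmsocket_shutdown(sock)` call that already follows, e.g. `if (r != 0) { /* log uv_strerror(r) */ }` in place of the check. The definition of UV_RUNTIME_CHECK is not part of this patch, so the abort is inferred from its name. The later patches on this page that rework isc__nmsocket_reset() keep the same check.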
--
2.23.0


@ -1,66 +0,0 @@
From a247d282bf138eb2fd6474053ea4a648371eb9b0 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 28 Feb 2022 13:43:20 +1100
Subject: [PATCH] Use unsigned arithmetic when shifting by 24
By default C promotes short unsigned values to signed int which
leads to undefined behaviour when the value is shifted by too much.
Force unsigned arithmetic to be performed by explicitly casting to an
unsigned type.
(cherry picked from commit b8b99603f117825f409cb2d49bc90ef188749227)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/a247d282bf138eb2fd6474053ea4a648371eb9b0
---
lib/dns/journal.c | 3 ++-
lib/dns/rbtdb.c | 5 +++--
lib/dns/soa.c | 3 ++-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 8e353f1c59..69beef7fbb 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -111,7 +111,8 @@ index_to_disk(dns_journal_t *);
static inline uint32_t
decode_uint32(unsigned char *p) {
- return ((p[0] << 24) + (p[1] << 16) + (p[2] << 8) + (p[3] << 0));
+ return (((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) +
+ ((uint32_t)p[2] << 8) + ((uint32_t)p[3] << 0));
}
static inline void
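Review bot: The casts added to decode_uint32() need a one-line comment, because without it `(uint32_t)` looks redundant and is easy to drop in a later cleanup: `/* Cast before shifting: p[n] promotes to signed int, and << 24 can then overflow. */`. The parameter could also be `const unsigned char *p`, since the function only reads through it. Both remarks apply to the identical helper in lib/dns/soa.c, and the rbtdb.c hunk casts to `unsigned int` rather than `uint32_t` for the same decode, which is worth making consistent.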
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index acb35d22e6..f99d8a6c12 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -8974,8 +8974,9 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
#if DNS_RDATASET_FIXED
if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
unsigned int offset;
- offset = (raw[0] << 24) + (raw[1] << 16) + (raw[2] << 8) +
- raw[3];
+ offset = ((unsigned int)raw[0] << 24) +
+ ((unsigned int)raw[1] << 16) +
+ ((unsigned int)raw[2] << 8) + (unsigned int)raw[3];
raw = rdataset->private3;
raw += offset;
}
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
index d02be34e86..82edfd437e 100644
--- a/lib/dns/soa.c
+++ b/lib/dns/soa.c
@@ -25,7 +25,8 @@
static inline uint32_t
decode_uint32(unsigned char *p) {
- return ((p[0] << 24) + (p[1] << 16) + (p[2] << 8) + (p[3] << 0));
+ return (((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) +
+ ((uint32_t)p[2] << 8) + ((uint32_t)p[3] << 0));
}
static inline void
--
2.23.0


@ -1,48 +0,0 @@
From 0b6af23d619e6969c481f51f7360e5a7299be8f5 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 28 Feb 2022 11:47:56 +1100
Subject: [PATCH] Grow the lex token buffer in one more place
when parsing key pairs, if the '=' character fell at max_token
a protective INSIST preventing buffer overrun could be triggered.
Attempt to grow the buffer immediately before the INSIST.
Also removed an unnecessary INSIST on the opening double quote
of key buffer pair.
(cherry picked from commit 4c356d277002d3e2f60fe43aaa85a4d524d933f8)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/0b6af23d619e6969c481f51f7360e5a7299be8f5
---
lib/isc/lex.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index 9546553800..aa9b549f79 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -670,6 +670,13 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
case lexstate_string:
if (!escaped && c == '=' &&
(options & ISC_LEXOPT_VPAIR) != 0) {
+ if (remaining == 0U) {
+ result = grow_data(lex, &remaining,
+ &curr, &prev);
+ if (result != ISC_R_SUCCESS) {
+ goto done;
+ }
+ }
INSIST(remaining > 0U);
*curr++ = c;
*curr = '\0';
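Review bot: The two stores after the new grow_data() call, `*curr++ = c;` and `*curr = '\0';`, use one byte more than `INSIST(remaining > 0U)` checks for, so the code relies on the token buffer reserving a terminator byte that is not counted in `remaining`. That reservation is not visible in this hunk, and grow_data() is now on this path, so I would confirm it against grow_data() and state it above the INSIST, for example `/* remaining excludes the byte reserved for the trailing NUL */`. The enclosing `case lexstate_string` continues outside the hunk.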
@@ -682,7 +689,6 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
if (state == lexstate_vpairstart) {
if (c == '"' &&
(options & ISC_LEXOPT_QVPAIR) != 0) {
- INSIST(remaining > 0U);
no_comments = true;
state = lexstate_qvpair;
break;
--
2.23.0


@ -1,122 +0,0 @@
From 38d930e5cb11d398a01f68f3c1658b4c22759583 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 15 Feb 2022 16:24:52 +1100
Subject: [PATCH] Add test configurations with invalid dnssec-policy clauses
bad-ksk-without-zsk.conf only has a ksk defined without a
matching zsk for the same algorithm.
bad-zsk-without-ksk.conf only has a zsk defined without a
matching ksk for the same algorithm.
bad-unpaired-keys.conf has two keys of different algorithms
one ksk only and the other zsk only
(cherry picked from commit f23e86b96b77bb9fd485a2c8f6d3cd8a02afd7bd)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/38d930e5cb11d398a01f68f3c1658b4c22759583
---
.../system/checkconf/bad-ksk-without-zsk.conf | 24 +++++++++++++++++
.../system/checkconf/bad-unpaired-keys.conf | 27 +++++++++++++++++++
.../system/checkconf/bad-zsk-without-ksk.conf | 24 +++++++++++++++++
3 files changed, 75 insertions(+)
create mode 100644 bin/tests/system/checkconf/bad-ksk-without-zsk.conf
create mode 100644 bin/tests/system/checkconf/bad-unpaired-keys.conf
create mode 100644 bin/tests/system/checkconf/bad-zsk-without-ksk.conf
diff --git a/bin/tests/system/checkconf/bad-ksk-without-zsk.conf b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
new file mode 100644
index 0000000000..66e1b7f0c8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy ksk-without-zsk {
+ keys {
+ ksk lifetime 30d algorithm 13;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy ksk-without-zsk;
+};
diff --git a/bin/tests/system/checkconf/bad-unpaired-keys.conf b/bin/tests/system/checkconf/bad-unpaired-keys.conf
new file mode 100644
index 0000000000..63b6dc2c65
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-unpaired-keys.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy unpaired-keys {
+ keys {
+ /* zsk without ksk */
+ zsk lifetime 30d algorithm 13;
+ /* ksk without zsk */
+ ksk lifetime 30d algorithm 7;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy unpaired-keys;
+};
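Review bot: bad-unpaired-keys.conf pairs algorithm 13 with algorithm 7, which is RSASHA1-NSEC3-SHA1, so the file could be rejected for its SHA-1 algorithm rather than for the unpaired roles if the checker ever refuses SHA-1-based keys. Using a second currently recommended algorithm, e.g. `ksk lifetime 30d algorithm 8;`, keeps the test failing for the reason it was written for. A leading comment naming the expected error in each of the three new files would also help whoever has to read a checkconf failure.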
diff --git a/bin/tests/system/checkconf/bad-zsk-without-ksk.conf b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
new file mode 100644
index 0000000000..31b031cdc8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy zsk-without-ksk {
+ keys {
+ zsk lifetime 30d algorithm 13;
+ };
+};
+
+zone "example" {
+ type primary;
+ file "example.db";
+ dnssec-policy zsk-without-ksk;
+};
--
2.23.0


@ -1,80 +0,0 @@
From 2c7f02ca458dbf9ab9476b7290861a803a322ef3 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 15 Feb 2022 17:12:27 +1100
Subject: [PATCH] Check dnssec-policy key roles for validity
For each algorithm there must be a key performing the KSK and
ZSK roles. After reading the keys from named.conf check that
each algorithm present has both roles. CSK implicitly has both
roles.
(cherry picked from commit 9bcf45f4cecdb2fe577c426aae23e5d105531472)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2c7f02ca458dbf9ab9476b7290861a803a322ef3
---
lib/isccfg/kaspconf.c | 35 ++++++++++++++++++++++++++++++++++-
1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 6e831e1465..32f76849cd 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -262,7 +262,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
const cfg_listelt_t *element = NULL;
const char *kaspname = NULL;
dns_kasp_t *kasp = NULL;
- int i = 0;
+ size_t i = 0;
REQUIRE(kaspp != NULL && *kaspp == NULL);
@@ -323,6 +323,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
(void)confget(maps, "keys", &keys);
if (keys != NULL) {
+ char role[256] = { 0 };
+ dns_kasp_key_t *kkey = NULL;
+
for (element = cfg_list_first(keys); element != NULL;
element = cfg_list_next(element))
{
@@ -333,6 +336,36 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
}
}
INSIST(!(dns_kasp_keylist_empty(kasp)));
+ dns_kasp_freeze(kasp);
+ for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
+ kkey = ISC_LIST_NEXT(kkey, link))
+ {
+ uint32_t keyalg = dns_kasp_key_algorithm(kkey);
+ INSIST(keyalg < ARRAY_SIZE(role));
+
+ if (dns_kasp_key_zsk(kkey)) {
+ role[keyalg] |= DNS_KASP_KEY_ROLE_ZSK;
+ }
+
+ if (dns_kasp_key_ksk(kkey)) {
+ role[keyalg] |= DNS_KASP_KEY_ROLE_KSK;
+ }
+ }
+ dns_kasp_thaw(kasp);
+ for (i = 0; i < ARRAY_SIZE(role); i++) {
+ if (role[i] != 0 && role[i] != (DNS_KASP_KEY_ROLE_ZSK |
+ DNS_KASP_KEY_ROLE_KSK))
+ {
+ cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+ "dnssec-policy: algorithm %zu "
+ "requires both KSK and ZSK roles",
+ i);
+ result = ISC_R_FAILURE;
+ }
+ }
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
} else if (strcmp(kaspname, "insecure") == 0) {
/* "dnssec-policy insecure": key list must be empty */
INSIST(strcmp(kaspname, "insecure") == 0);
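Review bot: `INSIST(keyalg < ARRAY_SIZE(role))` in the new role check aborts the process on a value that comes from the configuration being parsed, while every other problem in this block is reported through cfg_obj_log() and a failure result. Whether an out-of-range algorithm can reach this point depends on validation outside the hunk, so I would not rely on it and would report it like the other errors, as sketched below. `role` holds bit flags and would also read better as `uint8_t role[256]` than as plain `char`. cfg_kasp_fromconfig() starts and ends outside the hunk.

```c
		for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
		     kkey = ISC_LIST_NEXT(kkey, link))
		{
			uint32_t keyalg = dns_kasp_key_algorithm(kkey);
			if (keyalg >= ARRAY_SIZE(role)) {
				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
					    "dnssec-policy: algorithm %u "
					    "out of range",
					    (unsigned int)keyalg);
				result = ISC_R_RANGE;
				break;
			}
			/* … unchanged: set the ZSK/KSK role bits … */
		}
		dns_kasp_thaw(kasp);
		/* … unchanged: per-algorithm role check and goto cleanup … */
```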
--
2.23.0


@ -1,189 +0,0 @@
From 914a7e14e2af8260a1b0d797cc95e0552ccae53f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 2 Feb 2022 10:50:27 +0100
Subject: [PATCH] Add network manager based timer API
This commit adds an API that allows creating arbitrary timers associated
with the network manager handles.
(cherry picked from commit 3c7b04d0150ae6d6192747d90d52247bd598bd9a)
Conflict: UV_RUNTIME_CHECK to RUNTIME_CHECK
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/914a7e14e2af8260a1b0d797cc95e0552ccae53f
---
lib/isc/include/isc/netmgr.h | 24 ++++++++++
lib/isc/netmgr/netmgr-int.h | 8 ++++
lib/isc/netmgr/netmgr.c | 91 ++++++++++++++++++++++++++++++++++++
lib/isc/win32/libisc.def.in | 5 ++
4 files changed, 128 insertions(+)
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index 39dba1d376..7ec40e81b6 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -492,3 +492,27 @@ isc__nm_force_tid(int tid);
void
isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout);
+
+/*
+ * Timer related functions
+ */
+
+typedef struct isc_nm_timer isc_nm_timer_t;
+
+typedef void (*isc_nm_timer_cb)(void *, isc_result_t);
+
+void
+isc_nm_timer_create(isc_nmhandle_t *, isc_nm_timer_cb, void *,
+ isc_nm_timer_t **);
+
+void
+isc_nm_timer_attach(isc_nm_timer_t *, isc_nm_timer_t **);
+
+void
+isc_nm_timer_detach(isc_nm_timer_t **);
+
+void
+isc_nm_timer_start(isc_nm_timer_t *, uint64_t);
+
+void
+isc_nm_timer_stop(isc_nm_timer_t *);
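Review bot: The five isc_nm_timer_* declarations are added to a public header with unnamed parameters and no contract, although the implementation in netmgr.c has requirements a caller cannot guess. I would name the parameters and add a comment block stating that create and detach must run on a network thread, that the timer holds a reference on the handle until the last detach, that the timer is one-shot, and that the callback is invoked with ISC_R_TIMEDOUT. The unit of the `uint64_t` timeout should be stated as well; it is passed straight to uv_timer_start().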
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 3871d70939..23b197179a 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -350,6 +350,14 @@ struct isc__nm_uvreq {
ISC_LINK(isc__nm_uvreq_t) link;
};
+struct isc_nm_timer {
+ isc_refcount_t references;
+ uv_timer_t timer;
+ isc_nmhandle_t *handle;
+ isc_nm_timer_cb cb;
+ void *cbarg;
+};
+
void *
isc__nm_get_netievent(isc_nm_t *mgr, isc__netievent_type type);
/*%<
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 31917be101..fb9d77d3b4 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -3179,6 +3179,97 @@ isc_nm_work_offload(isc_nm_t *netmgr, isc_nm_workcb_t work_cb,
RUNTIME_CHECK(r == 0);
}
+void
+isc_nm_timer_create(isc_nmhandle_t *handle, isc_nm_timer_cb cb, void *cbarg,
+ isc_nm_timer_t **timerp) {
+ isc__networker_t *worker = NULL;
+ isc_nmsocket_t *sock = NULL;
+ isc_nm_timer_t *timer = NULL;
+ int r;
+
+ REQUIRE(isc__nm_in_netthread());
+ REQUIRE(VALID_NMHANDLE(handle));
+ REQUIRE(VALID_NMSOCK(handle->sock));
+
+ sock = handle->sock;
+ worker = &sock->mgr->workers[isc_nm_tid()];
+
+ timer = isc_mem_get(sock->mgr->mctx, sizeof(*timer));
+ *timer = (isc_nm_timer_t){ .cb = cb, .cbarg = cbarg };
+ isc_refcount_init(&timer->references, 1);
+ isc_nmhandle_attach(handle, &timer->handle);
+
+ r = uv_timer_init(&worker->loop, &timer->timer);
+ UV_RUNTIME_CHECK(uv_timer_init, r);
+
+ uv_handle_set_data((uv_handle_t *)&timer->timer, timer);
+
+ *timerp = timer;
+}
+
+void
+isc_nm_timer_attach(isc_nm_timer_t *timer, isc_nm_timer_t **timerp) {
+ REQUIRE(timer != NULL);
+ REQUIRE(timerp != NULL && *timerp == NULL);
+
+ isc_refcount_increment(&timer->references);
+ *timerp = timer;
+}
+
+static void
+timer_destroy(uv_handle_t *uvhandle) {
+ isc_nm_timer_t *timer = uv_handle_get_data(uvhandle);
+ isc_nmhandle_t *handle = timer->handle;
+ isc_mem_t *mctx = timer->handle->sock->mgr->mctx;
+
+ isc_mem_put(mctx, timer, sizeof(*timer));
+
+ isc_nmhandle_detach(&handle);
+}
+
+void
+isc_nm_timer_detach(isc_nm_timer_t **timerp) {
+ isc_nm_timer_t *timer = NULL;
+ isc_nmhandle_t *handle = NULL;
+
+ REQUIRE(timerp != NULL && *timerp != NULL);
+
+ timer = *timerp;
+ *timerp = NULL;
+
+ handle = timer->handle;
+
+ REQUIRE(isc__nm_in_netthread());
+ REQUIRE(VALID_NMHANDLE(handle));
+ REQUIRE(VALID_NMSOCK(handle->sock));
+
+ if (isc_refcount_decrement(&timer->references) == 1) {
+ uv_timer_stop(&timer->timer);
+ uv_close((uv_handle_t *)&timer->timer, timer_destroy);
+ }
+}
+
+static void
+timer_cb(uv_timer_t *uvtimer) {
+ isc_nm_timer_t *timer = uv_handle_get_data((uv_handle_t *)uvtimer);
+
+ REQUIRE(timer->cb != NULL);
+
+ timer->cb(timer->cbarg, ISC_R_TIMEDOUT);
+}
+
+void
+isc_nm_timer_start(isc_nm_timer_t *timer, uint64_t timeout) {
+ int r = uv_timer_start(&timer->timer, timer_cb, timeout, 0);
+ UV_RUNTIME_CHECK(uv_timer_start, r);
+}
+
+void
+isc_nm_timer_stop(isc_nm_timer_t *timer) {
+ int r = uv_timer_stop(&timer->timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
+}
+
#ifdef NETMGR_TRACE
/*
* Dump all active sockets in netmgr. We output to stderr
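Review bot: isc_nm_timer_create() stores `cb` and writes through `timerp` without checking either, while isc_nm_timer_attach() does check its output pointer and timer_cb() only discovers a NULL callback when the timer fires. Adding `REQUIRE(cb != NULL);` and `REQUIRE(timerp != NULL && *timerp == NULL);` next to the existing REQUIREs moves the failure to the call site, where the caller at fault is still on the stack.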
diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
index 79e7b64a58..ab7ad73d20 100644
--- a/lib/isc/win32/libisc.def.in
+++ b/lib/isc/win32/libisc.def.in
@@ -480,6 +480,11 @@ isc_nm_tcpconnect
isc_nm_tcpdnsconnect
isc_nm_tcpdns_sequential
isc_nm_tid
+isc_nm_timer_create
+isc_nm_timer_attach
+isc_nm_timer_detach
+isc_nm_timer_start
+isc_nm_timer_stop
isc_nm_udpconnect
isc_nm_work_offload
isc_nmsocket_close
--
2.27.0


@ -1,494 +0,0 @@
From d17d043499b0a6927738fa0a09daa71a53e90e11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 10 Mar 2022 13:51:08 +0100
Subject: [PATCH] Change single write timer to per-send timers
Previously, there was a single per-socket write timer that would get
restarted for every new write. This turned out to be insufficient
because the other side could keep resetting the timer while never reading
back the responses.
Change the single write timer to per-send timer which would in turn
reset the TCP connection on the first send timeout.
(cherry picked from commit a761aa59e3d988b53e2f42f45bce53f2bea863ec)
Conflict: UV_RUNTIME_CHECK to RUNTIME_CHECK
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d17d043499b0a6927738fa0a09daa71a53e90e11
---
lib/isc/netmgr/netmgr-int.h | 22 +++++------
lib/isc/netmgr/netmgr.c | 26 +++++++++----
lib/isc/netmgr/tcp.c | 74 ++++++++-----------------------------
lib/isc/netmgr/tcpdns.c | 49 ++++++------------------
lib/isc/netmgr/udp.c | 29 +--------------
5 files changed, 58 insertions(+), 142 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index e8b043f..e43bc9f 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -306,15 +306,15 @@ struct isc__nm_uvreq {
int magic;
isc_nmsocket_t *sock;
isc_nmhandle_t *handle;
- char tcplen[2]; /* The TCP DNS message length */
- uv_buf_t uvbuf; /* translated isc_region_t, to be
- * sent or received */
- isc_sockaddr_t local; /* local address */
- isc_sockaddr_t peer; /* peer address */
- isc__nm_cb_t cb; /* callback */
- void *cbarg; /* callback argument */
- uv_pipe_t ipc; /* used for sending socket
- * uv_handles to other threads */
+ char tcplen[2]; /* The TCP DNS message length */
+ uv_buf_t uvbuf; /* translated isc_region_t, to be
+ * sent or received */
+ isc_sockaddr_t local; /* local address */
+ isc_sockaddr_t peer; /* peer address */
+ isc__nm_cb_t cb; /* callback */
+ void *cbarg; /* callback argument */
+ isc_nm_timer_t *timer; /* TCP write timer */
+
union {
uv_handle_t handle;
uv_req_t req;
@@ -764,9 +764,7 @@ struct isc_nmsocket {
/*%
* TCP write timeout timer.
*/
- uv_timer_t write_timer;
uint64_t write_timeout;
- int64_t writes;
/*% outer socket is for 'wrapped' sockets - e.g. tcpdns in tcp */
isc_nmsocket_t *outer;
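Review bot: The comment left above `write_timeout` still reads "TCP write timeout timer." although this hunk removes the `write_timer` field it described. I would change it to something like `* TCP write timeout, applied to each send through a per-request timer.` so the struct does not point readers at a timer that no longer lives in the socket.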
@@ -1600,7 +1598,7 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
void
isc__nmsocket_readtimeout_cb(uv_timer_t *timer);
void
-isc__nmsocket_writetimeout_cb(uv_timer_t *timer);
+isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult);
/*%<
*
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 9e44b76..0fe12f9 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2009,11 +2009,15 @@ isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
}
void
-isc__nmsocket_writetimeout_cb(uv_timer_t *timer) {
- isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
+isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult) {
+ isc__nm_uvreq_t *req = data;
+ isc_nmsocket_t *sock = NULL;
- int r = uv_timer_stop(&sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_stop, r);
+ REQUIRE(eresult == ISC_R_TIMEDOUT);
+ REQUIRE(VALID_UVREQ(req));
+ REQUIRE(VALID_NMSOCK(req->sock));
+
+ sock = req->sock;
isc__nmsocket_reset(sock);
}
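Review bot: The callback now receives the `isc__nm_uvreq_t` as its argument, but the timer created by isc_nm_timer_create() only takes a reference on the handle, so nothing here keeps `req` alive until the timer fires. The code depends on the send callbacks calling isc_nm_timer_stop() and isc_nm_timer_detach() before the request is released, which tcp_send_cb() and tcpdns_send_cb() do in this patch. That ordering is what prevents a use-after-free and should be written down above the function, e.g. `/* req stays valid: the send callback stops and detaches req->timer before the request is released. */`.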
@@ -2724,6 +2728,13 @@ isc__nm_async_detach(isc__networker_t *worker, isc__netievent_t *ev0) {
nmhandle_detach_cb(&ievent->handle FLARG_PASS);
}
+static void
+reset_shutdown(uv_handle_t *handle) {
+ isc_nmsocket_t *sock = uv_handle_get_data(handle);
+
+ isc__nmsocket_shutdown(sock);
+}
+
void
isc__nmsocket_reset(isc_nmsocket_t *sock) {
REQUIRE(VALID_NMSOCK(sock));
@@ -2747,10 +2758,10 @@ isc__nmsocket_reset(isc_nmsocket_t *sock) {
* The real shutdown will be handled in the respective
* close functions.
*/
- int r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL);
+ int r = uv_tcp_close_reset(&sock->uv_handle.tcp,
+ reset_shutdown);
UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
}
- isc__nmsocket_shutdown(sock);
}
void
@@ -3285,7 +3296,8 @@ isc_nm_timer_detach(isc_nm_timer_t **timerp) {
REQUIRE(VALID_NMSOCK(handle->sock));
if (isc_refcount_decrement(&timer->references) == 1) {
- uv_timer_stop(&timer->timer);
+ int r = uv_timer_stop(&timer->timer);
+ UV_RUNTIME_CHECK(uv_timer_stop, r);
uv_close((uv_handle_t *)&timer->timer, timer_destroy);
}
}
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 21327af..009e431 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -76,9 +76,6 @@ quota_accept_cb(isc_quota_t *quota, void *sock0);
static void
failed_accept_cb(isc_nmsocket_t *sock, isc_result_t eresult);
-static void
-failed_send_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
- isc_result_t eresult);
static void
stop_tcp_parent(isc_nmsocket_t *sock);
static void
@@ -142,10 +139,6 @@ tcp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- r = uv_timer_init(&worker->loop, &sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
-
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
if (r != 0) {
isc__nm_closesocket(sock->fd);
@@ -536,10 +529,6 @@ isc__nm_async_tcplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- r = uv_timer_init(&worker->loop, &sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
-
LOCK(&sock->parent->lock);
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
@@ -712,19 +701,6 @@ destroy:
}
}
-static void
-failed_send_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req,
- isc_result_t eresult) {
- REQUIRE(VALID_NMSOCK(sock));
- REQUIRE(VALID_UVREQ(req));
-
- if (req->cb.send != NULL) {
- isc__nm_sendcb(sock, req, eresult, true);
- } else {
- isc__nm_uvreq_put(&req, sock);
- }
-}
-
void
isc__nm_tcp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
REQUIRE(VALID_NMHANDLE(handle));
@@ -980,10 +956,6 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
- r = uv_timer_init(&worker->loop, &csock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&csock->write_timer, csock);
-
r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
if (r != 0) {
result = isc__nm_uverr2result(r);
@@ -1094,20 +1066,20 @@ isc__nm_tcp_send(isc_nmhandle_t *handle, const isc_region_t *region,
static void
tcp_send_cb(uv_write_t *req, int status) {
isc__nm_uvreq_t *uvreq = (isc__nm_uvreq_t *)req->data;
+ isc_nmsocket_t *sock = NULL;
REQUIRE(VALID_UVREQ(uvreq));
- REQUIRE(VALID_NMHANDLE(uvreq->handle));
+ REQUIRE(VALID_NMSOCK(uvreq->sock));
- isc_nmsocket_t *sock = uvreq->sock;
+ sock = uvreq->sock;
- if (--sock->writes == 0) {
- int r = uv_timer_stop(&sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_stop, r);
- }
+ isc_nm_timer_stop(uvreq->timer);
+ isc_nm_timer_detach(&uvreq->timer);
if (status < 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
- failed_send_cb(sock, uvreq, isc__nm_uverr2result(status));
+ isc__nm_failed_send_cb(sock, uvreq,
+ isc__nm_uverr2result(status));
return;
}
@@ -1131,7 +1103,7 @@ isc__nm_async_tcpsend(isc__networker_t *worker, isc__netievent_t *ev0) {
result = tcp_send_direct(sock, uvreq);
if (result != ISC_R_SUCCESS) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
- failed_send_cb(sock, uvreq, result);
+ isc__nm_failed_send_cb(sock, uvreq, result);
}
}
@@ -1148,17 +1120,18 @@ tcp_send_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
return (ISC_R_CANCELED);
}
- r = uv_timer_start(&sock->write_timer, isc__nmsocket_writetimeout_cb,
- sock->write_timeout, 0);
- UV_RUNTIME_CHECK(uv_timer_start, r);
- RUNTIME_CHECK(sock->writes++ >= 0);
-
r = uv_write(&req->uv_req.write, &sock->uv_handle.stream, &req->uvbuf,
1, tcp_send_cb);
if (r < 0) {
return (isc__nm_uverr2result(r));
}
+ isc_nm_timer_create(req->handle, isc__nmsocket_writetimeout_cb, req,
+ &req->timer);
+ if (sock->write_timeout > 0) {
+ isc_nm_timer_start(req->timer, sock->write_timeout);
+ }
+
return (ISC_R_SUCCESS);
}
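Review bot: `isc_nm_timer_create()` runs for every send even when `sock->write_timeout` is 0, so each write pays for an allocation, a handle reference and a uv_timer_init() for a timer that is never started. If a zero timeout is a supported setting, the create call could move inside the existing `if (sock->write_timeout > 0) {` block, with tcp_send_cb() guarding its stop and detach by `if (uvreq->timer != NULL)`; that callback is in a different hunk. The same pattern is added to isc__nm_async_tcpdnssend() in tcpdns.c.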
@@ -1229,17 +1202,6 @@ read_timer_close_cb(uv_handle_t *handle) {
}
}
-static void
-write_timer_close_cb(uv_handle_t *timer) {
- isc_nmsocket_t *sock = uv_handle_get_data(timer);
- uv_handle_set_data(timer, NULL);
-
- REQUIRE(VALID_NMSOCK(sock));
-
- uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
-}
-
static void
stop_tcp_child(isc_nmsocket_t *sock) {
REQUIRE(sock->type == isc_nm_tcpsocket);
@@ -1292,8 +1254,6 @@ stop_tcp_parent(isc_nmsocket_t *sock) {
static void
tcp_close_direct(isc_nmsocket_t *sock) {
- int r;
-
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
REQUIRE(atomic_load(&sock->closing));
@@ -1315,10 +1275,8 @@ tcp_close_direct(isc_nmsocket_t *sock) {
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- r = uv_timer_stop(&sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_stop, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
- uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
}
void
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 89d1554..4689f56 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -100,10 +100,6 @@ tcpdns_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- r = uv_timer_init(&worker->loop, &sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
-
if (isc__nm_closing(sock)) {
result = ISC_R_CANCELED;
goto error;
@@ -498,10 +494,6 @@ isc__nm_async_tcpdnslisten(isc__networker_t *worker, isc__netievent_t *ev0) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- r = uv_timer_init(&worker->loop, &sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
-
LOCK(&sock->parent->lock);
r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd);
@@ -947,10 +939,6 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock);
- r = uv_timer_init(&worker->loop, &csock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&csock->write_timer, csock);
-
r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream);
if (r != 0) {
result = isc__nm_uverr2result(r);
@@ -1085,14 +1073,12 @@ tcpdns_send_cb(uv_write_t *req, int status) {
isc_nmsocket_t *sock = NULL;
REQUIRE(VALID_UVREQ(uvreq));
- REQUIRE(VALID_NMHANDLE(uvreq->handle));
+ REQUIRE(VALID_NMSOCK(uvreq->sock));
sock = uvreq->sock;
- if (--sock->writes == 0) {
- int r = uv_timer_stop(&sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_stop, r);
- }
+ isc_nm_timer_stop(uvreq->timer);
+ isc_nm_timer_detach(&uvreq->timer);
if (status < 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
@@ -1158,11 +1144,6 @@ isc__nm_async_tcpdnssend(isc__networker_t *worker, isc__netievent_t *ev0) {
goto fail;
}
- r = uv_timer_start(&sock->write_timer, isc__nmsocket_writetimeout_cb,
- sock->write_timeout, 0);
- UV_RUNTIME_CHECK(uv_timer_start, r);
- RUNTIME_CHECK(sock->writes++ >= 0);
-
r = uv_write(&uvreq->uv_req.write, &sock->uv_handle.stream, bufs, nbufs,
tcpdns_send_cb);
if (r < 0) {
@@ -1170,6 +1151,12 @@ isc__nm_async_tcpdnssend(isc__networker_t *worker, isc__netievent_t *ev0) {
goto fail;
}
+ isc_nm_timer_create(uvreq->handle, isc__nmsocket_writetimeout_cb, uvreq,
+ &uvreq->timer);
+ if (sock->write_timeout > 0) {
+ isc_nm_timer_start(uvreq->timer, sock->write_timeout);
+ }
+
return;
fail:
@@ -1250,17 +1237,6 @@ read_timer_close_cb(uv_handle_t *timer) {
}
}
-static void
-write_timer_close_cb(uv_handle_t *timer) {
- isc_nmsocket_t *sock = uv_handle_get_data(timer);
- uv_handle_set_data(timer, NULL);
-
- REQUIRE(VALID_NMSOCK(sock));
-
- uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
-}
-
static void
stop_tcpdns_child(isc_nmsocket_t *sock) {
REQUIRE(sock->type == isc_nm_tcpdnssocket);
@@ -1313,7 +1289,6 @@ stop_tcpdns_parent(isc_nmsocket_t *sock) {
static void
tcpdns_close_direct(isc_nmsocket_t *sock) {
- int r;
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
REQUIRE(atomic_load(&sock->closing));
@@ -1329,10 +1304,8 @@ tcpdns_close_direct(isc_nmsocket_t *sock) {
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- r = uv_timer_stop(&sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_stop, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
- uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
}
void
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index d3fffe0..305ac29 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -48,9 +48,6 @@ udp_close_cb(uv_handle_t *handle);
static void
read_timer_close_cb(uv_handle_t *handle);
-static void
-write_timer_close_cb(uv_handle_t *handle);
-
static void
udp_close_direct(isc_nmsocket_t *sock);
@@ -233,10 +230,6 @@ isc__nm_async_udplisten(isc__networker_t *worker, isc__netievent_t *ev0) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- r = uv_timer_init(&worker->loop, &sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
-
LOCK(&sock->parent->lock);
r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
@@ -635,10 +628,6 @@ udp_connect_direct(isc_nmsocket_t *sock, isc__nm_uvreq_t *req) {
RUNTIME_CHECK(r == 0);
uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- r = uv_timer_init(&worker->loop, &sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_init, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
-
r = uv_udp_open(&sock->uv_handle.udp, sock->fd);
if (r != 0) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]);
@@ -994,17 +983,6 @@ read_timer_close_cb(uv_handle_t *handle) {
}
}
-static void
-write_timer_close_cb(uv_handle_t *timer) {
- isc_nmsocket_t *sock = uv_handle_get_data(timer);
- uv_handle_set_data(timer, NULL);
-
- REQUIRE(VALID_NMSOCK(sock));
-
- uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
- uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
-}
-
static void
stop_udp_child(isc_nmsocket_t *sock) {
REQUIRE(sock->type == isc_nm_udpsocket);
@@ -1057,14 +1035,11 @@ stop_udp_parent(isc_nmsocket_t *sock) {
static void
udp_close_direct(isc_nmsocket_t *sock) {
- int r;
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
- r = uv_timer_stop(&sock->write_timer);
- UV_RUNTIME_CHECK(uv_timer_stop, r);
- uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock);
- uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb);
+ uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock);
+ uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb);
}
void
--
2.27.0


@ -1,84 +0,0 @@
From 7a386256b6e80520637583268b9e9fef5fe0f743 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 10 Mar 2022 13:58:58 +0100
Subject: [PATCH] On shutdown, reset the established TCP connections
Previously, the established TCP connections (both client and server)
would be gracefully closed waiting for the write timeout.
Don't wait for TCP connections to gracefully shutdown, but directly
reset them for faster shutdown.
(cherry picked from commit 6ddac2d56de980717aaba7fc0ad73af0f3890399)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7a386256b6e80520637583268b9e9fef5fe0f743
---
lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 41e4bce616..24947a562a 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2686,6 +2686,7 @@ reset_shutdown(uv_handle_t *handle) {
isc_nmsocket_t *sock = uv_handle_get_data(handle);
isc__nmsocket_shutdown(sock);
+ isc__nmsocket_detach(&sock);
}
void
@@ -2706,14 +2707,19 @@ isc__nmsocket_reset(isc_nmsocket_t *sock) {
break;
}
- if (!uv_is_closing(&sock->uv_handle.handle)) {
+ if (!uv_is_closing(&sock->uv_handle.handle) &&
+ uv_is_active(&sock->uv_handle.handle))
+ {
/*
* The real shutdown will be handled in the respective
* close functions.
*/
+ isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL });
int r = uv_tcp_close_reset(&sock->uv_handle.tcp,
reset_shutdown);
UV_RUNTIME_CHECK(uv_tcp_close_reset, r);
+ } else {
+ isc__nmsocket_shutdown(sock);
}
}
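Review bot: In isc__nmsocket_reset() a failing `uv_tcp_close_reset()` goes straight into `UV_RUNTIME_CHECK`, which by its name treats the error as fatal, so one socket that cannot be reset would stop the whole shutdown instead of falling back to the graceful path used in the new `else` branch. The reference taken by `isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL })` is only released in `reset_shutdown()`, so a fallback has to release it as well. Assuming the handle's data pointer is the socket, which reset_shutdown() already relies on, `if (r != 0) { reset_shutdown(&sock->uv_handle.handle); }` would cover both. A short comment on the attach, `/* released in reset_shutdown() */`, would also make the pairing with the detach added in the first hunk visible. The function body starts outside the hunk.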
@@ -2751,13 +2757,26 @@ shutdown_walk_cb(uv_handle_t *handle, void *arg) {
switch (handle->type) {
case UV_UDP:
+ isc__nmsocket_shutdown(sock);
+ return;
case UV_TCP:
- break;
+ switch (sock->type) {
+ case isc_nm_tcpsocket:
+ case isc_nm_tcpdnssocket:
+ if (sock->parent == NULL) {
+ /* Reset the TCP connections on shutdown */
+ isc__nmsocket_reset(sock);
+ return;
+ }
+ /* FALLTHROUGH */
+ default:
+ isc__nmsocket_shutdown(sock);
+ }
+
+ return;
default:
return;
}
-
- isc__nmsocket_shutdown(sock);
}
void
--
2.23.0


@ -1,84 +0,0 @@
From a5d65815bc9812f7b55664d564f9592765c88e6d Mon Sep 17 00:00:00 2001
From: Tony Finch <fanf@isc.org>
Date: Tue, 15 Mar 2022 17:57:43 +0000
Subject: [PATCH] Log "not authoritative for update zone" more clearly
Ensure the update zone name is mentioned in the NOTAUTH error message
in the server log, so that it is easier to track down problematic
update clients. There are two cases: either the update zone is
unrelated to any of the server's zones (previously no zone was
mentioned); or the update zone is a subdomain of one or more of the
server's zones (previously the name of the irrelevant parent zone was
misleadingly logged).
Closes #3209
(cherry picked from commit 84c4eb02e7a4599acfb5d2abc0e62e7d64fd1bd6)
Conflict: delete CHANGES
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/a5d65815bc9812f7b55664d564f9592765c88e6d
---
bin/tests/system/nsupdate/tests.sh | 26 ++++++++++++++++++++++++++
lib/ns/update.c | 10 +++++++++-
3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b3cb85aada..e4f96eb126 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -83,6 +83,32 @@ digcomp knowngood.ns1.before dig.out.ns1 || ret=1
digcomp knowngood.ns1.before dig.out.ns2 || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+ > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+ > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
ret=0
echo_i "updating zone"
# nsupdate will print a ">" prompt to stdout as it gets each input line.
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 9ab13e3301..067ff990bd 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1631,7 +1631,15 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
if (result != ISC_R_SUCCESS) {
- FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+ /*
+ * If we found a zone that is a parent of the update zonename,
+ * detach it so it isn't mentioned in log - it is irrelevant.
+ */
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+ FAILN(DNS_R_NOTAUTH, zonename,
+ "not authoritative for update zone");
}
/*
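Review bot: `zonename` in the new `FAILN(DNS_R_NOTAUTH, zonename, ...)` call appears to be the zone named in the client's update request, so the server log now carries client-chosen text for every rejected update. FAILN is defined outside the hunk; confirm that it formats the name through an escaping, length-bounded formatter. It is also worth checking that this message falls under whatever log rate limiting the update path has, because the request need not name a zone the server knows. ns_update_start() continues past the hunk.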
--
2.27.0


@ -1,43 +0,0 @@
From c284112becef6b6605ae4f18363afac3b0e173fd Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 4 Mar 2022 09:37:39 +1100
Subject: [PATCH] Prevent arithmetic overflow of 'i' in master.c:generate
the value of 'i' in generate could overflow when adding 'step' to
it in the 'for' loop. Use an unsigned int for 'i' which will give
an additional bit and prevent the overflow. The inputs are both
less than 2^31 and the result will be less than 2^32-1.
(cherry picked from commit 5abdee9004f118b2c1301229418f93de7626e66f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c284112becef6b6605ae4f18363afac3b0e173fd
---
lib/dns/master.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/dns/master.c b/lib/dns/master.c
index 75f59396a7..e1ba723104 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -800,7 +800,8 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
isc_buffer_t target;
isc_result_t result;
isc_textregion_t r;
- int i, n, start, stop, step = 0;
+ int n, start, stop, step = 0;
+ unsigned int i;
dns_incctx_t *ictx;
char dummy[2];
@@ -855,7 +856,7 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
goto insist_cleanup;
}
- for (i = start; i <= stop; i += step) {
+ for (i = start; i <= (unsigned int)stop; i += step) {
result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
if (result != ISC_R_SUCCESS) {
goto error_cleanup;
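Review bot: The wrap-free loop in generate() depends on `start` and `stop` being non-negative and `step` being positive, but nothing at the loop or at the new `unsigned int i;` declaration (previous hunk) records that. The range validation lies outside both hunks; if it does not already reject negative values, `i = start` would convert a negative start to a value near 2^32. A comment on the loop such as `/* start, stop < 2^31 and step >= 1, so i + step cannot wrap an unsigned int */`, or an `INSIST(start >= 0 && stop >= start && step > 0);` just before it, would keep the commit message's argument next to the code. `genname()` now receives an unsigned value, so its parameter type deserves a look as well.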
--
2.23.0


@ -1,68 +0,0 @@
From 975a3da84e3eb1f3825e486ebda384b73163ee65 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 4 Mar 2022 15:19:52 -0800
Subject: [PATCH] add a system test for $GENERATE with an integer overflow
the line "$GENERATE 19-28/2147483645 $ CNAME x" should generate
a single CNAME with the owner "19.example.com", but prior to the
overflow bug it generated several CNAMEs, half of them with large
negative values.
we now test for the bugfix by using "named-checkzone -D" and
grepping for a single CNAME in the output.
(cherry picked from commit bd814b79d4a87faf80e306d705a6a9cc0ae08c11)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/975a3da84e3eb1f3825e486ebda384b73163ee65
---
bin/tests/system/checkzone/tests.sh | 10 ++++++++++
.../system/checkzone/zones/generate-overflow.db | 17 +++++++++++++++++
2 files changed, 27 insertions(+)
create mode 100644 bin/tests/system/checkzone/zones/generate-overflow.db
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 1e772f9d72..ab2a54db84 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -184,5 +184,15 @@ n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+ret=0
+echo_i "checking integer overflow is prevented in \$GENERATE ($n)"
+$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1
+lines=$(grep -c CNAME test.out.$n)
+echo $lines
+[ "$lines" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
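Review bot: `echo $lines` in the new test prints the raw count to stdout, unquoted and outside the `echo_i` wrapper used for every other message in this script. It reads like leftover debugging and could be dropped or written as `echo_i "found $lines CNAME records"`. The count itself comes from `grep -c CNAME` over a file that also holds stderr (`2>&1`), so a diagnostic that mentions CNAME would be counted too. Matching the record form, for example `grep -c 'IN[[:space:]]*CNAME'`, would be tighter if the `-D` output prints the class.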
diff --git a/bin/tests/system/checkzone/zones/generate-overflow.db b/bin/tests/system/checkzone/zones/generate-overflow.db
new file mode 100644
index 0000000000..c16b517481
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/generate-overflow.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 19-28/2147483645 $ CNAME x
--
2.27.0


@ -1,172 +0,0 @@
From fc7ed00d70e616d3cce026dc35fc9b19a7598b9f Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 4 Mar 2022 15:13:25 -0800
Subject: [PATCH] update shell syntax
clean up the shell syntax in the checkzone test prior to adding
a new test.
(cherry picked from commit 2261c853b521e60500ed355961646bc2d3b0ed06)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/fc7ed00d70e616d3cce026dc35fc9b19a7598b9f
---
bin/tests/system/checkzone/tests.sh | 54 ++++++++++++++---------------
1 file changed, 27 insertions(+), 27 deletions(-)
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 10c218925c..1e772f9d72 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -30,9 +30,9 @@ do
$CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1
;;
esac
- n=`expr $n + 1`
+ n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status+ret))
done
for db in zones/bad*.db
@@ -48,9 +48,9 @@ do
;;
esac
test $v = 1 || ret=1
- n=`expr $n + 1`
+ n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ status=$((status+ret))
done
echo_i "checking with journal file ($n)"
@@ -58,16 +58,16 @@ ret=0
$CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1
$CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1
$MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1
-jlines=`$JOURNALPRINT test.orig.db.jnl | wc -l`
+jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l)
[ $jlines = 3 ] || ret=1
$CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out1.db || ret=1
mv -f test.orig.db.jnl test.journal
$CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1
cmp -s test.changed.db test.out2.db || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking with spf warnings ($n)"
ret=0
@@ -79,25 +79,25 @@ grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking with max ttl (text) ($n)"
ret=0
$CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1
$CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking with max ttl (raw) ($n)"
ret=0
$CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1
$CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking with max ttl (map) ($n)"
ret=0
@@ -111,33 +111,33 @@ echo_i "checking for no 'inherited owner' warning on '\$INCLUDE file' with no ne
ret=0
$CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null && ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)"
ret=0
$CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)"
ret=0
$CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1
grep "inherited.owner" test.out1.$n > /dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking that raw zone with bad class is handled ($n)"
ret=0
$CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1
grep "failed: bad class" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking that expirations that loop using serial arithmetic are handled ($n)"
ret=0
@@ -164,25 +164,25 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
ret=0
$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
grep "is below a DNAME" test.out.$n >/dev/null || ret=1
-n=`expr $n + 1`
+n=$((n+1))
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.23.0


@ -1,297 +0,0 @@
From e5a5b23f410f60899453a713b98530f083647863 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 10 Jan 2022 15:46:25 +0100
Subject: [PATCH] Test CDS DELETE persists after zone sign
Add a test case for a dynamically added CDS DELETE record and make
sure it is not removed when signing the zone. This happens because
BIND maintains CDS and CDNSKEY publishing and it will only allow
CDS DELETE records if the zone is transitioning to insecure. This is
a state that can be identified when using KASP through 'dnssec-policy',
but not when using 'auto-dnssec'.
(cherry picked from commit f08277f9fbbf3e38b855d6849c6d430d64bd3713)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e5a5b23f410f60899453a713b98530f083647863
---
bin/tests/system/autosign/clean.sh | 2 +
bin/tests/system/autosign/ns2/keygen.sh | 5 +-
.../autosign/ns3/cdnskey-delete.example.db.in | 28 +++++++
.../autosign/ns3/cds-delete.example.db.in | 28 +++++++
bin/tests/system/autosign/ns3/keygen.sh | 25 +++++-
bin/tests/system/autosign/ns3/named.conf.in | 14 ++++
bin/tests/system/autosign/tests.sh | 83 +++++++++++++++++++
7 files changed, 180 insertions(+), 5 deletions(-)
create mode 100644 bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
create mode 100644 bin/tests/system/autosign/ns3/cds-delete.example.db.in
diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh
index bb738af862..f4ab636e8e 100644
--- a/bin/tests/system/autosign/clean.sh
+++ b/bin/tests/system/autosign/clean.sh
@@ -35,6 +35,8 @@ rm -f ns2/private.secure.example.db ns2/bar.db
rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
rm -f ns3/*.nzf
rm -f ns3/autonsec3.example.db
+rm -f ns3/cdnskey-delete.example.db
+rm -f ns3/cds-delete.example.db
rm -f ns3/delzsk.example.db
rm -f ns3/dname-at-apex-nsec3.example.db
rm -f ns3/inacksk2.example.db
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index 8c9c80071c..383be7d3be 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -17,8 +17,9 @@ SYSTEMTESTTOP=../..
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && $SHELL keygen.sh )
-for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \
- dname-at-apex-nsec3
+for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \
+ nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \
+ cdnskey-delete
do
cp ../ns3/dsset-$subdomain.example$TP .
done
diff --git a/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
new file mode 100644
index 0000000000..3083a79f7d
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/cds-delete.example.db.in b/bin/tests/system/autosign/ns3/cds-delete.example.db.in
new file mode 100644
index 0000000000..3083a79f7d
--- /dev/null
+++ b/bin/tests/system/autosign/ns3/cds-delete.example.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index 52b439f2bf..23d69f2fd5 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -333,7 +333,7 @@ $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || du
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
-# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inacksk3.example
cp $infile $zonefile
@@ -343,7 +343,7 @@ $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
-# A zone that starts with a active KSK + ZSK and a inactive ZSK.
+# A zone that starts with a active KSK + ZSK and a inactive ZSK.
#
setup inaczsk3.example
cp $infile $zonefile
@@ -364,10 +364,29 @@ zsk=`$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out` || dumpit kg.
echo $zsk > ../delzsk.key
#
-# Check that NSEC3 are correctly signed and returned from below a DNAME
+# Check that NSEC3 are correctly signed and returned from below a DNAME
#
setup dname-at-apex-nsec3.example
cp $infile $zonefile
ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Check that dynamically added CDS (DELETE) is kept in the zone after signing.
+#
+setup cds-delete.example
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
+
+#
+# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after
+# signing.
+#
+setup cdnskey-delete.example
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out
+$DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 66d0e027a5..8f2eb5675a 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -317,4 +317,18 @@ zone "dname-at-apex-nsec3.example" {
auto-dnssec maintain;
};
+zone "cds-delete.example" {
+ type primary;
+ file "cds-delete.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "cdnskey-delete.example" {
+ type primary;
+ file "cdnskey-delete.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
include "trusted.conf";
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 448de3c55c..962ca4e546 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1638,6 +1638,89 @@ inac=`grep "DNSKEY .* is now inactive" ns1/named.run | wc -l`
[ "$inac" -eq 1 ] || ret=1
del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l`
[ "$del" -eq 1 ] || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that CDS (DELETE) persists after zone sign ($n)"
+echo_i "update add cds-delete.example. CDS 0 0 00"
+ret=0
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 ${PORT}
+zone cds-delete.example.
+update add cds-delete.example. 3600 CDS 0 0 0 00
+send
+END
+
+_cds_delete() (
+ $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
+ grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
+ return 0
+)
+_cdnskey_delete_nx() {
+ $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
+ grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
+ return 0
+}
+
+echo_i "query cds-delete.example. CDS"
+retry_quiet 10 _cds_delete cds-delete.example. || ret=1
+echo_i "query cds-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
+
+echo_i "sign cds-delete.example."
+nextpart ns3/named.run >/dev/null
+$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1
+wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run
+# The CDS (DELETE) record should still be here.
+echo_i "query cds-delete.example. CDS"
+retry_quiet 1 _cds_delete cds-delete.example. || ret=1
+# The CDNSKEY (DELETE) record should still not be added.
+echo_i "query cds-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1
+
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)"
+echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA=="
+ret=0
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 ${PORT}
+zone cdnskey-delete.example.
+update add cdnskey-delete.example. 3600 CDNSKEY 0 3 0 AA==
+send
+END
+
+_cds_delete_nx() (
+ $DIG $DIGOPTS +noall +answer $1 cds @10.53.0.3 > dig.out.ns3.test$n || return 1
+ grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1
+ return 0
+)
+_cdnskey_delete() {
+ $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1
+ grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1
+ return 0
+}
+
+echo_i "query cdnskey-delete.example. CDNSKEY"
+retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1
+echo_i "query cdnskey-delete.example. CDS"
+retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
+
+echo_i "sign cdsnskey-delete.example."
+nextpart ns3/named.run >/dev/null
+$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1
+wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run
+# The CDNSKEY (DELETE) record should still be here.
+echo_i "query cdnskey-delete.example. CDNSKEY"
+retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1
+# The CDS (DELETE) record should still not be added.
+echo_i "query cdnskey-delete.example. CDS"
+retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1
+
+n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
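Review bot: The result of `wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run` is discarded, and the same holds for the cdnskey-delete step, so a signing run that never logs the event still proceeds to the "persists after sign" queries and can pass without having signed. Append `|| ret=1` as the neighbouring commands do. The patterns `"CDS.*0.*0.*0.*00"` and `"CDNSKEY.*0.*3.*0.*AA=="` are loose enough to match an ordinary record whose fields or digest contain those characters, which weakens the `_nx` helpers in particular. Anchoring on the literal rdata, e.g. `grep "CDS[[:space:]]*0 0 0 00$"`, would be stricter if that matches dig's output format. The message `echo_i "sign cdsnskey-delete.example."` misspells the zone name, and the helpers mix `( ... )` and `{ ... }` function bodies for no visible reason.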
--
2.23.0


@ -1,264 +0,0 @@
From 42f43cebdd6887d42e9b440c2f2e15dd0812f252 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 10 Jan 2022 17:18:47 +0100
Subject: [PATCH] Update dns_dnssec_syncdelete() function
Update the function that synchronizes the CDS and CDNSKEY DELETE
records. It now allows for the possibility that the CDS DELETE record
is published and the CDNSKEY DELETE record is not, and vice versa.
Also update the code in zone.c how 'dns_dnssec_syncdelete()' is called.
With KASP, we still maintain the DELETE records ourselves. Otherwise,
we publish the CDS and CDNSKEY DELETE record only if they are added
to the zone. We do still check if these records can be signed by a KSK.
This change will allow users to add a CDS and/or CDNSKEY DELETE record
manually, without BIND removing them on the next zone sign.
Note that this commit removes the check whether the key is a KSK, this
check is redundant because this check is also made in
'dst_key_is_signing()' when the role is set to DST_BOOL_KSK.
(cherry picked from commit 3d05c99abbfc34644ffeffe2884b6335fc12e055)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/42f43cebdd6887d42e9b440c2f2e15dd0812f252
---
lib/dns/dnssec.c | 44 +++++++++---------
lib/dns/include/dns/dnssec.h | 9 ++--
lib/dns/zone.c | 87 +++++++++++++++++++++++++++++-------
3 files changed, 99 insertions(+), 41 deletions(-)
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index f9ae6acbb4..64c72b5d7a 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -2147,7 +2147,7 @@ isc_result_t
dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
dns_name_t *origin, dns_rdataclass_t zclass,
dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx,
- bool dnssec_insecure) {
+ bool expect_cds_delete, bool expect_cdnskey_delete) {
unsigned char dsbuf[5] = { 0, 0, 0, 0, 0 }; /* CDS DELETE rdata */
unsigned char keybuf[5] = { 0, 0, 3, 0, 0 }; /* CDNSKEY DELETE rdata */
char namebuf[DNS_NAME_FORMATSIZE];
@@ -2167,26 +2167,39 @@ dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
dns_name_format(origin, namebuf, sizeof(namebuf));
- if (dnssec_insecure) {
- if (!dns_rdataset_isassociated(cdnskey) ||
- !exists(cdnskey, &cdnskey_delete)) {
+ if (expect_cds_delete) {
+ if (!dns_rdataset_isassociated(cds) ||
+ !exists(cds, &cds_delete)) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
- "CDNSKEY (DELETE) for zone %s is now "
+ "CDS (DELETE) for zone %s is now "
"published",
namebuf);
- RETERR(addrdata(&cdnskey_delete, diff, origin, ttl,
+ RETERR(addrdata(&cds_delete, diff, origin, ttl, mctx));
+ }
+ } else {
+ if (dns_rdataset_isassociated(cds) && exists(cds, &cds_delete))
+ {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+ "CDS (DELETE) for zone %s is now "
+ "deleted",
+ namebuf);
+ RETERR(delrdata(&cds_delete, diff, origin, cds->ttl,
mctx));
}
+ }
- if (!dns_rdataset_isassociated(cds) ||
- !exists(cds, &cds_delete)) {
+ if (expect_cdnskey_delete) {
+ if (!dns_rdataset_isassociated(cdnskey) ||
+ !exists(cdnskey, &cdnskey_delete)) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
- "CDS (DELETE) for zone %s is now "
+ "CDNSKEY (DELETE) for zone %s is now "
"published",
namebuf);
- RETERR(addrdata(&cds_delete, diff, origin, ttl, mctx));
+ RETERR(addrdata(&cdnskey_delete, diff, origin, ttl,
+ mctx));
}
} else {
if (dns_rdataset_isassociated(cdnskey) &&
@@ -2199,17 +2212,6 @@ dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
RETERR(delrdata(&cdnskey_delete, diff, origin,
cdnskey->ttl, mctx));
}
-
- if (dns_rdataset_isassociated(cds) && exists(cds, &cds_delete))
- {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
- "CDS (DELETE) for zone %s is now "
- "deleted",
- namebuf);
- RETERR(delrdata(&cds_delete, diff, origin, cds->ttl,
- mctx));
- }
}
result = ISC_R_SUCCESS;
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 0ac96fceb5..9791ef128d 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -370,11 +370,14 @@ isc_result_t
dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
dns_name_t *origin, dns_rdataclass_t zclass,
dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx,
- bool dnssec_insecure);
+ bool expect_cds_delete, bool expect_cdnskey_delete);
/*%<
* Add or remove the CDS DELETE record and the CDNSKEY DELETE record.
- * If 'dnssec_insecure' is true, the DELETE records should be present.
- * Otherwise, the DELETE records must be removed from the RRsets (if present).
+ * If 'expect_cds_delete' is true, the CDS DELETE record should be present.
+ * Otherwise, the CDS DELETE record must be removed from the RRsets (if
+ * present). If 'expect_cdnskey_delete' is true, the CDNSKEY DELETE record
+ * should be present. Otherwise, the CDNSKEY DELETE record must be removed
+ * from the RRsets (if present).
*
* Returns:
*\li ISC_R_SUCCESS
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 131e3200d2..76f03683de 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -21483,16 +21483,69 @@ zone_rekey(dns_zone_t *zone) {
KASP_UNLOCK(kasp);
if (result == ISC_R_SUCCESS) {
- bool cds_delete = false;
+ bool cdsdel = false;
+ bool cdnskeydel = false;
isc_stdtime_t when;
/*
* Publish CDS/CDNSKEY DELETE records if the zone is
* transitioning from secure to insecure.
*/
- if (kasp != NULL &&
- strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
- cds_delete = true;
+ if (kasp != NULL) {
+ if (strcmp(dns_kasp_getname(kasp), "insecure") == 0) {
+ cdsdel = true;
+ cdnskeydel = true;
+ }
+ } else {
+ /* Check if there is a CDS DELETE record. */
+ if (dns_rdataset_isassociated(&cdsset)) {
+ for (result = dns_rdataset_first(&cdsset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&cdsset))
+ {
+ dns_rdata_t crdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&cdsset, &crdata);
+ /*
+ * CDS deletion record has this form
+ * "0 0 0 00" which is 5 zero octets.
+ */
+ if (crdata.length == 5U &&
+ memcmp(crdata.data,
+ (unsigned char[5]){ 0, 0, 0,
+ 0, 0 },
+ 5) == 0)
+ {
+ cdsdel = true;
+ break;
+ }
+ }
+ }
+
+ /* Check if there is a CDNSKEY DELETE record. */
+ if (dns_rdataset_isassociated(&cdnskeyset)) {
+ for (result = dns_rdataset_first(&cdnskeyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&cdnskeyset))
+ {
+ dns_rdata_t crdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&cdnskeyset,
+ &crdata);
+ /*
+ * CDNSKEY deletion record has this form
+ * "0 3 0 AA==" which is 2 zero octets,
+ * a 3, and 2 zero octets.
+ */
+ if (crdata.length == 5U &&
+ memcmp(crdata.data,
+ (unsigned char[5]){ 0, 0, 3,
+ 0, 0 },
+ 5) == 0)
+ {
+ cdnskeydel = true;
+ break;
+ }
+ }
+ }
}
/*
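Review bot: Both DELETE-record scans in the new `else` branch iterate with the function's own `result`, so when a set holds no DELETE record the loop leaves `result` at the iterator's end-of-set value, inside a block that was entered on `result == ISC_R_SUCCESS`. Whether anything reads `result` before it is next assigned is outside this hunk, so I would drive the loops with a local instead, e.g. `isc_result_t r;` and `for (r = dns_rdataset_first(&cdsset); r == ISC_R_SUCCESS; r = dns_rdataset_next(&cdsset))`. The two loops differ only in the rdataset and the 5-octet pattern, so one small static helper taking both would remove the duplicated length check and compound literal. zone_rekey starts and ends outside the hunk.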
@@ -21529,36 +21582,36 @@ zone_rekey(dns_zone_t *zone) {
goto failure;
}
- if (cds_delete) {
+ if (cdsdel || cdnskeydel) {
/*
* Only publish CDS/CDNSKEY DELETE records if there is
* a KSK that can be used to verify the RRset. This
* means there must be a key with the KSK role that is
* published and is used for signing.
*/
- cds_delete = false;
+ bool allow = false;
for (key = ISC_LIST_HEAD(dnskeys); key != NULL;
key = ISC_LIST_NEXT(key, link)) {
dst_key_t *dstk = key->key;
- bool ksk = false;
- (void)dst_key_getbool(dstk, DST_BOOL_KSK, &ksk);
- if (!ksk) {
- continue;
- }
- if (dst_key_haskasp(dstk) &&
- dst_key_is_published(dstk, now, &when) &&
+ if (dst_key_is_published(dstk, now, &when) &&
dst_key_is_signing(dstk, DST_BOOL_KSK, now,
&when))
{
- cds_delete = true;
+ allow = true;
break;
}
}
+ if (cdsdel) {
+ cdsdel = allow;
+ }
+ if (cdnskeydel) {
+ cdnskeydel = allow;
+ }
}
- result = dns_dnssec_syncdelete(&cdsset, &cdnskeyset,
- &zone->origin, zone->rdclass,
- ttl, &diff, mctx, cds_delete);
+ result = dns_dnssec_syncdelete(
+ &cdsset, &cdnskeyset, &zone->origin, zone->rdclass, ttl,
+ &diff, mctx, cdsdel, cdnskeydel);
if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"zone_rekey:couldn't update CDS/CDNSKEY "
--
2.23.0


@ -1,118 +0,0 @@
From b5f2ab9cd4e7d0fbcdce35e39e8b81f37699b5ad Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 14 Apr 2022 10:57:11 +1000
Subject: [PATCH] Check that pending negative cache entries for DS can be used
successfully
Prime the cache with a negative cache DS entry then make a query for
name beneath that entry. This will cause the DS entry to be retrieved
as part of the validation process. Each RRset in the ncache entry
will be validated and the trust level for each will be updated.
(cherry picked from commit d2d9910da23951bf310c7be8ba68e1030eb13caa)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b5f2ab9cd4e7d0fbcdce35e39e8b81f37699b5ad
---
bin/tests/system/dnssec/ns2/example.db.in | 4 +++
.../system/dnssec/ns3/insecure2.example.db | 27 +++++++++++++++++++
bin/tests/system/dnssec/ns3/named.conf.in | 6 +++++
bin/tests/system/dnssec/tests.sh | 18 +++++++++++++
4 files changed, 55 insertions(+)
create mode 100644 bin/tests/system/dnssec/ns3/insecure2.example.db
diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in
index 5ec88013c9..f711f5823f 100644
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -55,6 +55,10 @@ ns3.secure A 10.53.0.3
insecure NS ns.insecure
ns.insecure A 10.53.0.3
+; A second insecure subdomain
+insecure2 NS ns.insecure2
+ns.insecure2 A 10.53.0.3
+
; A secure subdomain we're going to inject bogus data into
bogus NS ns.bogus
ns.bogus A 10.53.0.3
diff --git a/bin/tests/system/dnssec/ns3/insecure2.example.db b/bin/tests/system/dnssec/ns3/insecure2.example.db
new file mode 100644
index 0000000000..76e3f47f21
--- /dev/null
+++ b/bin/tests/system/dnssec/ns3/insecure2.example.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x DNSKEY 258 3 5 Cg==
+z A 10.0.0.26
diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in
index 202f6a931d..bd0771dd49 100644
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -78,6 +78,12 @@ zone "insecure.example" {
allow-update { any; };
};
+zone "insecure2.example" {
+ type primary;
+ file "insecure2.example.db";
+ allow-update { any; };
+};
+
zone "insecure.nsec3.example" {
type primary;
file "insecure.nsec3.example.db";
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index c6410ae79e..db3e19533e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4412,5 +4412,23 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+# Check that a query against a validating resolver succeeds when there is
+# a negative cache entry with trust level "pending" for the DS. Prime
+# with a +cd DS query to produce the negative cache entry, then send a
+# query that uses that entry as part of the validation process. [GL #3279]
+echo_i "check that pending negative DS cache entry validates ($n)"
+ret=0
+dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1
+grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1
+dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n+1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.23.0


@ -1,31 +0,0 @@
From cb3c29cf8e77223d34f52e9fdf2ffb05337afe33 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 14 Apr 2022 11:16:32 +1000
Subject: [PATCH] Update the rdataset->trust field in
ncache.c:rdataset_settrust
Both the trust recorded in the slab structure and the trust on
rdataset need to be updated.
(cherry picked from commit d043a41499f5cc52920841ca7332b7cce7460aad)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/cb3c29cf8e77223d34f52e9fdf2ffb05337afe33
---
lib/dns/ncache.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 2316eb04a7..7bea3d376c 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -504,6 +504,7 @@ rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
unsigned char *raw = rdataset->private3;
raw[-1] = (unsigned char)trust;
+ rdataset->trust = trust;
}
static dns_rdatasetmethods_t rdataset_methods = {
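Review bot: rdataset_settrust now stores the trust level in two places with nothing in the code saying why, so a later cleanup could drop one of the writes and reintroduce the stale-trust problem the commit message describes. A comment above the pair would pin that down, for example `/* Update both the trust octet stored in front of the raw data and the copy held in the rdataset. */`. The `raw[-1]` write relies on `private3` pointing just past that octet, which the same comment could state once someone confirms it against the ncache layout. The function's signature sits in the hunk header rather than in the hunk body.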
--
2.23.0


@ -1,91 +0,0 @@
From e850946557469f2cbe4fab76d1c52227ddf81a93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 21 Apr 2022 14:19:39 +0200
Subject: [PATCH] Prevent memory bloat caused by a jemalloc quirk
Since version 5.0.0, decay-based purging is the only available dirty
page cleanup mechanism in jemalloc. It relies on so-called tickers,
which are simple data structures used for ensuring that certain actions
are taken "once every N times". Ticker data (state) is stored in a
thread-specific data structure called tsd in jemalloc parlance. Ticks
are triggered when extents are allocated and deallocated. Once every
1000 ticks, jemalloc attempts to release some of the dirty pages hanging
around (if any). This allows memory use to be kept in check over time.
This dirty page cleanup mechanism has a quirk. If the first
allocator-related action for a given thread is a free(), a
minimally-initialized tsd is set up which does not include ticker data.
When that thread subsequently calls *alloc(), the tsd transitions to its
nominal state, but due to a certain flag being set during minimal tsd
initialization, ticker data remains unallocated. This prevents
decay-based dirty page purging from working, effectively enabling memory
exhaustion over time. [1]
The quirk described above has been addressed (by moving ticker state to
a different structure) in jemalloc's development branch [2], but not in
any numbered jemalloc version released to date (the latest one being
5.2.1 as of this writing).
Work around the problem by ensuring that every thread spawned by
isc_thread_create() starts with a malloc() call. Avoid immediately
calling free() for the dummy allocation to prevent an optimizing
compiler from stripping away the malloc() + free() pair altogether.
An alternative implementation of this workaround was considered that
used a pair of isc_mem_create() + isc_mem_destroy() calls instead of
malloc() + free(), enabling the change to be fully contained within
isc__trampoline_run() (i.e. to not touch struct isc__trampoline), as the
compiler is not allowed to strip away arbitrary function calls.
However, that solution was eventually dismissed as it triggered
ThreadSanitizer reports when tools like dig, nsupdate, or rndc exited
abruptly without waiting for all worker threads to finish their work.
[1] https://github.com/jemalloc/jemalloc/issues/2251
[2] https://github.com/jemalloc/jemalloc/commit/c259323ab3082324100c708109dbfff660d0f4b8
(cherry picked from commit 7aa7b6474bc5ea2b4ec4806c7509dc5ea73396e1)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e850946557469f2cbe4fab76d1c52227ddf81a93
---
lib/isc/trampoline.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/lib/isc/trampoline.c b/lib/isc/trampoline.c
index 4caa2e7574..e133c40084 100644
--- a/lib/isc/trampoline.c
+++ b/lib/isc/trampoline.c
@@ -31,6 +31,7 @@ struct isc__trampoline {
uintptr_t self;
isc_threadfunc_t start;
isc_threadarg_t arg;
+ void *jemalloc_enforce_init;
};
static isc_once_t isc__trampoline_initialize_once = ISC_ONCE_INIT;
@@ -170,6 +171,7 @@ isc__trampoline_detach(isc__trampoline_t *trampoline) {
isc__trampoline_min = trampoline->tid;
}
+ free(trampoline->jemalloc_enforce_init);
free(trampoline);
UNLOCK(&isc__trampoline_lock);
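Review bot: isc__trampoline_detach now frees `trampoline->jemalloc_enforce_init` unconditionally, but the field is assigned only in isc__trampoline_attach (the hunk at -185). If the code that allocates the trampoline, which is outside these hunks, does not zero the struct, a detach that was not preceded by an attach would pass an indeterminate pointer to free(); an explicit `trampoline->jemalloc_enforce_init = NULL;` where the trampoline is created would make the invariant visible. The `malloc(8)` result is deliberately unused and unchecked, which is harmless for the later free(), but the bare `8` would read better as a named constant.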
@@ -185,6 +187,15 @@ isc__trampoline_attach(isc__trampoline_t *trampoline) {
/* Initialize the trampoline */
isc_tid_v = trampoline->tid;
trampoline->self = isc_thread_self();
+
+ /*
+ * Ensure every thread starts with a malloc() call to prevent memory
+ * bloat caused by a jemalloc quirk. While this dummy allocation is
+ * not used for anything, free() must not be immediately called for it
+ * so that an optimizing compiler does not strip away such a pair of
+ * malloc() + free() calls altogether, as it would foil the fix.
+ */
+ trampoline->jemalloc_enforce_init = malloc(8);
}
isc_threadresult_t
--
2.23.0


@ -1,42 +0,0 @@
From 1bc75522035142a986466b321eefa42bb7bdb47a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 19 Jan 2022 13:35:32 +0100
Subject: [PATCH] Ensure diff variable is not read uninitialized
Coverity detected issues:
- var_decl: Declaring variable "diff" without initializer.
- uninit_use_in_call: Using uninitialized value "diff.tuples.head" when
calling "dns_diff_clear".
(cherry picked from commit 67e773c93c2fe164e3791e0b843f724a6d9358d4)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1bc75522035142a986466b321eefa42bb7bdb47a
---
lib/dns/zone.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 76f03683de..b7b02ae5f9 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -23328,7 +23328,7 @@ setserial(isc_task_t *task, isc_event_t *event) {
ENTER;
if (zone->update_disabled) {
- goto failure;
+ goto disabled;
}
desired = sse->serial;
@@ -23407,6 +23407,8 @@ failure:
dns_db_detach(&db);
}
dns_diff_clear(&diff);
+
+disabled:
isc_event_free(&event);
dns_zone_idetach(&zone);
--
2.23.0


@ -1,46 +0,0 @@
From 1e88c0196c427de538f8ddfd6c1c3c7dd72f11d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 19 Jan 2022 14:47:13 +0100
Subject: [PATCH] Initialize printed buffer
- var_decl: Declaring variable "tbuf" without initializer
- assign: Assigning: "target.base" = "tbuf", which points to
uninitialized data
- assign: Assigning: "r.base" = "target.base", which points to
uninitialized data
I expect it would correctly initialize length always. Add simple
initialization to silence Coverity.
(cherry picked from commit 59132bd3ec8a9f648a1e1cf59f5f3b2d59f17927)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1e88c0196c427de538f8ddfd6c1c3c7dd72f11d5
---
bin/dig/host.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 646c89783e..971cd974b7 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -208,15 +208,9 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
isc_result_t result, loopresult;
isc_region_t r;
dns_name_t empty_name;
- char tbuf[4096];
+ char tbuf[4096] = { 0 };
bool first;
- bool no_rdata;
-
- if (sectionid == DNS_SECTION_QUESTION) {
- no_rdata = true;
- } else {
- no_rdata = false;
- }
+ bool no_rdata = (sectionid == DNS_SECTION_QUESTION);
if (headers) {
printf(";; %s SECTION:\n", section_name);
--
2.23.0


@ -1,35 +0,0 @@
From c1b3862c4aef91b7b6a30c7cabb1f578839db83a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 19 Jan 2022 17:05:00 +0100
Subject: [PATCH] Additional safety check for negative array index
inet_ntop result should always protect against empty string accepted
without an error. Make additional check to satisfy coverity scans.
(cherry picked from commit 656a0f076f7f49d166b414d7cf5972d2919877d5)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c1b3862c4aef91b7b6a30c7cabb1f578839db83a
---
lib/dns/rdata.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 2c94d11765..b44894adbe 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1890,9 +1890,9 @@ inet_totext(int af, uint32_t flags, isc_region_t *src, isc_buffer_t *target) {
* parsing, so append 0 in that case.
*/
if (af == AF_INET6 && (flags & DNS_STYLEFLAG_YAML) != 0) {
- isc_textregion_t tr;
- isc_buffer_usedregion(target, (isc_region_t *)&tr);
- if (tr.base[tr.length - 1] == ':') {
+ isc_region_t r;
+ isc_buffer_usedregion(target, &r);
+ if (r.length > 0 && r.base[r.length - 1] == ':') {
if (isc_buffer_availablelength(target) == 0) {
return (ISC_R_NOSPACE);
}
--
2.23.0


@ -1,77 +0,0 @@
From 1f2d2611ee23f0b9200dbea8a7b65fa9f3b86e3f Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 12 Apr 2022 13:00:45 +0000
Subject: [PATCH] Fix dig +nssearch race between recv_done() and send_done()
The `send_done()` callback needs to access query's `link.next` pointer
when running in `+nssearch` mode, even if the query is already canceled
or serviced, which can happen when `recv_done()` happens to be called
earlier than `send_done()`.
Keep the next query's pointer before unlinking the query from the
lookup's queries list in `clear_query()` so that `send_done()` can
use it even if the query is cleared.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1f2d2611ee23f0b9200dbea8a7b65fa9f3b86e3f
---
bin/dig/dighost.c | 8 ++++++--
bin/dig/include/dig/dig.h | 1 +
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 27af3c80f1..e0ba9c2aae 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1591,6 +1591,7 @@ clear_query(dig_query_t *query) {
}
if (ISC_LINK_LINKED(query, link)) {
+ query->saved_next = ISC_LIST_NEXT(query, link);
ISC_LIST_UNLINK(lookup->q, query, link);
}
if (ISC_LINK_LINKED(query, clink)) {
@@ -1609,6 +1610,7 @@ clear_query(dig_query_t *query) {
isc_buffer_invalidate(&query->lengthbuf);
if (query->waiting_senddone) {
+ debug("waiting senddone, delay freeing query");
query->pending_free = true;
} else {
query->magic = 0;
@@ -2583,6 +2585,7 @@ setup_lookup(dig_lookup_t *lookup) {
ISC_LINK_INIT(query, clink);
ISC_LINK_INIT(query, link);
+ query->saved_next = NULL;
query->magic = DIG_QUERY_MAGIC;
@@ -2617,10 +2620,11 @@ send_done(isc_task_t *_task, isc_event_t *event) {
query->waiting_senddone = false;
l = query->lookup;
- if (!query->pending_free && l->ns_search_only && !l->trace_root &&
+ if (l == current_lookup && l->ns_search_only && !l->trace_root &&
!l->tcp_mode) {
debug("sending next, since searching");
- next = ISC_LIST_NEXT(query, link);
+ next = query->pending_free ? query->saved_next
+ : ISC_LIST_NEXT(query, link);
if (next != NULL) {
send_udp(next);
}
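Review bot: `saved_next` is a raw pointer to the following query, captured in clear_query() and later handed to `send_udp(next)` in send_done(), and nothing in these hunks keeps that following query alive in between. If it can itself be cleared and freed before this query's send completes (the teardown paths are outside the hunks), send_udp() would operate on freed memory; the new `l == current_lookup` test guards the lookup, not the individual query. I would clear `saved_next` on any query that points at one being destroyed, or re-derive the next query from the lookup's list at send time. At minimum the field declaration in dig.h should carry the constraint, e.g. `dig_query_t *saved_next; /* next query at unlink time; valid only while that query is alive */`. Both functions start and end outside their hunks.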
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 79a868d1ef..9683e39892 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -183,6 +183,7 @@ struct dig_query {
isc_socket_t *sock;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
+ dig_query_t *saved_next;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
isc_time_t time_recv;
--
2.23.0


@ -1,308 +0,0 @@
From 967e5e09cd80bd74f96ad49d65b564ac58023f0c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 28 Mar 2022 16:36:03 +1100
Subject: [PATCH] Add test cases using static and static-stub zones
RPZ NSIP and NSDNAME checks were failing with "unrecognized NS
rpz_rrset_find() failed: glue" when static or static-stub zones
were used to resolve the query name.
Add tests using stub and static-stub zones that are expected to
be filtered and not-filtered against NSIP and NSDNAME rules.
stub and static-stub queries are expected to be filtered
stub-nomatch and static-stub-nomatch queries are expected to be passed
(cherry picked from commit 30cb70c82671e345810be546ffa902631b43d306)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/967e5e09cd80bd74f96ad49d65b564ac58023f0c
---
bin/tests/system/rpz/ns10/hints | 13 ++++++++
bin/tests/system/rpz/ns10/named.conf.in | 42 +++++++++++++++++++++++++
bin/tests/system/rpz/ns10/stub.db | 21 +++++++++++++
bin/tests/system/rpz/ns2/named.conf.in | 4 +++
bin/tests/system/rpz/ns2/stub.db | 20 ++++++++++++
bin/tests/system/rpz/ns3/named.conf.in | 20 ++++++++++++
bin/tests/system/rpz/setup.sh | 1 +
bin/tests/system/rpz/tests.sh | 37 ++++++++++++++++++----
8 files changed, 152 insertions(+), 6 deletions(-)
create mode 100644 bin/tests/system/rpz/ns10/hints
create mode 100644 bin/tests/system/rpz/ns10/named.conf.in
create mode 100644 bin/tests/system/rpz/ns10/stub.db
create mode 100644 bin/tests/system/rpz/ns2/stub.db
diff --git a/bin/tests/system/rpz/ns10/hints b/bin/tests/system/rpz/ns10/hints
new file mode 100644
index 0000000000..b657c3980e
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/hints
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 120 NS ns.
+ns. 120 A 10.53.0.1
diff --git a/bin/tests/system/rpz/ns10/named.conf.in b/bin/tests/system/rpz/ns10/named.conf.in
new file mode 100644
index 0000000000..b34ce79bb4
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ notify no;
+ minimal-responses no;
+ recursion yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+controls {
+ inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../trusted.conf";
+zone "." { type hint; file "hints"; };
+
+# grafted on zones using stub and static-stub
+zone "stub-nomatch." {type primary; file "stub.db"; };
+zone "static-stub-nomatch." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns10/stub.db b/bin/tests/system/rpz/ns10/stub.db
new file mode 100644
index 0000000000..8ecac8c2b2
--- /dev/null
+++ b/bin/tests/system/rpz/ns10/stub.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA ns hostmaster.ns ( 1 3600 1200 604800 60 )
+ NS ns
+ns A 10.53.0.10
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns2/named.conf.in b/bin/tests/system/rpz/ns2/named.conf.in
index 48ab311a97..1dde354562 100644
--- a/bin/tests/system/rpz/ns2/named.conf.in
+++ b/bin/tests/system/rpz/ns2/named.conf.in
@@ -49,3 +49,7 @@ zone "tld2s." {type primary; file "tld2s.db";};
zone "bl.tld2." {type primary; file "bl.tld2.db";
notify yes; notify-delay 0;};
+
+# grafted on zones using stub and static-stub
+zone "stub." {type primary; file "stub.db"; };
+zone "static-stub." {type primary; file "stub.db"; };
diff --git a/bin/tests/system/rpz/ns2/stub.db b/bin/tests/system/rpz/ns2/stub.db
new file mode 100644
index 0000000000..e4b87817e7
--- /dev/null
+++ b/bin/tests/system/rpz/ns2/stub.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; RPZ rewrite responses from this zone
+
+$TTL 120
+@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 )
+ NS ns.sub1.tld2.
+
+a3-1 A 10.53.99.99
+
+a4-1 A 10.53.99.99
diff --git a/bin/tests/system/rpz/ns3/named.conf.in b/bin/tests/system/rpz/ns3/named.conf.in
index e5545a8720..30f08c804c 100644
--- a/bin/tests/system/rpz/ns3/named.conf.in
+++ b/bin/tests/system/rpz/ns3/named.conf.in
@@ -128,3 +128,23 @@ zone "fast-expire." {
primaries { 10.53.0.5; };
notify no;
};
+
+zone "stub." {
+ type stub;
+ primaries { 10.53.0.2; };
+};
+
+zone "static-stub." {
+ type static-stub;
+ server-addresses { 10.53.0.2; };
+};
+
+zone "stub-nomatch." {
+ type stub;
+ primaries { 10.53.0.10; };
+};
+
+zone "static-stub-nomatch." {
+ type static-stub;
+ server-addresses { 10.53.0.10; };
+};
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index f9897b34de..fea43bdc36 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -54,6 +54,7 @@ copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
copy_setports dnsrpzd.conf.in dnsrpzd.conf
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 56a7f2e683..9fc5d08cf2 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -28,6 +28,8 @@ ns5=$ns.5 # another rewriting resolver
ns6=$ns.6 # a forwarding server
ns7=$ns.7 # another rewriting resolver
ns8=$ns.8 # another rewriting resolver
+ns9=$ns.9 # another rewriting resolver
+ns10=$ns.10 # authoritative server
HAVE_CORE=
@@ -406,6 +408,13 @@ nochange () {
ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
}
+nochange_ns10 () {
+ make_dignm
+ digcmd $* >$DIGNM
+ digcmd $* @$ns10 >${DIGNM}_OK
+ ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK
+}
+
# check against a 'here document'
here () {
make_dignm
@@ -618,6 +627,7 @@ EOF
# these tests assume "min-ns-dots 0"
start_group "NSDNAME rewrites" test3
+ nextpart ns3/named.run > /dev/null
nochange a3-1.tld2 # 1
nochange a3-1.tld2 +dnssec # 2 this once caused problems
nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME
@@ -630,25 +640,39 @@ EOF
addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME
addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11
nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash
+
+ nxdomain a3-1.stub # 13
+ nxdomain a3-1.static-stub # 14
+ nochange_ns10 a3-1.stub-nomatch # 15
+ nochange_ns10 a3-1.static-stub-nomatch # 16
if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns
fi
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+ setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test3 ns3 8
+ ckstats $ns3 test3 ns3 10
else
- ckstats $ns3 test3 ns3 7
+ ckstats $ns3 test3 ns3 9
fi
# these tests assume "min-ns-dots 0"
start_group "NSIP rewrites" test4
+ nextpart ns3/named.run > /dev/null
nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2
nochange a3-2.tld2. # 2 exempt rewrite by name
nochange a0-1.tld2. # 3 exempt rewrite by address block
nochange a3-1.tld4 # 4 different NS IP address
+ nxdomain a4-1.stub # 5
+ nxdomain a4-1.static-stub # 6
+ nochange_ns10 a4-1.stub-nomatch # 7
+ nochange_ns10 a4-1.static-stub-nomatch # 8
if [ "$mode" = dnsrps ]; then
- addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns
+ addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns
fi
+ nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" &&
+ setret "seen: unrecognized NS rpz_rrset_find() failed: glue"
end_group
start_group "walled garden NSIP rewrites" test4a
@@ -660,9 +684,9 @@ EOF
EOF
end_group
if [ "$mode" = dnsrps ]; then
- ckstats $ns3 test4 ns3 5
+ ckstats $ns3 test4 ns3 7
else
- ckstats $ns3 test4 ns3 4
+ ckstats $ns3 test4 ns3 6
fi
# policies in ./test5 overridden by response-policy{} in ns3/named.conf
@@ -785,6 +809,7 @@ EOF
fi
# Ensure ns3 manages to transfer the fast-expire zone before shutdown.
+ nextpartreset ns3/named.run
wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run
# reconfigure the ns5 primary server without the fast-expire zone, so
--
2.23.0


@ -1,29 +0,0 @@
From 36612dadff74e57139fe176729fa284b149b420f Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 4 May 2022 17:03:15 +1000
Subject: [PATCH] Allow DNS_RPZ_POLICY_ERROR to be converted to a string
(cherry picked from commit f498d2db0d9f3344d314956253beda73ac29ea4f)
Conflict: adapt INSIST(0), ISC_UNREACHABLE
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/36612dadff74e57139fe176729fa284b149b420f
---
lib/dns/rpz.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index d3baa71..1bdaac9 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -277,6 +277,9 @@ dns_rpz_policy2str(dns_rpz_policy_t policy) {
case DNS_RPZ_POLICY_DNS64:
str = "DNS64";
break;
+ case DNS_RPZ_POLICY_ERROR:
+ str = "ERROR";
+ break;
default:
INSIST(0);
ISC_UNREACHABLE();
--
2.27.0


@ -1,86 +0,0 @@
From 8f23d56fba79ca063e3deacca973d89b327ccaed Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 4 May 2022 17:08:27 +1000
Subject: [PATCH] Check the cache as well when glue NS are returned processing
RPZ
(cherry picked from commit 8fb72012e36961ff62a29d5f4599b3c41e48e7c9)
Conflict: adapt seg3 and FALLTHROUGH
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8f23d56fba79ca063e3deacca973d89b327ccaed
---
lib/ns/query.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index f4547a5..5ba732f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -3937,6 +3937,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_rpz_have_t have;
dns_rpz_popt_t popt;
int rpz_ver;
+ unsigned int options;
#ifdef USE_DNSRPS
librpz_emsg_t emsg;
#endif /* ifdef USE_DNSRPS */
@@ -4187,7 +4188,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
+ options = DNS_DBFIND_GLUEOK;
while (st->r.label > st->popt.min_ns_labels) {
+ bool was_glue = false;
/*
* Get NS rrset for each domain in the current qname.
*/
@@ -4202,7 +4205,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
!dns_rdataset_isassociated(st->r.ns_rdataset)) {
dns_db_t *db = NULL;
result = rpz_rrset_find(client, nsname,
- dns_rdatatype_ns,
+ dns_rdatatype_ns, options,
DNS_RPZ_TYPE_NSDNAME, &db, NULL,
&st->r.ns_rdataset, resuming);
if (db != NULL) {
@@ -4212,8 +4215,10 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
goto cleanup;
}
switch (result) {
- case ISC_R_SUCCESS:
case DNS_R_GLUE:
+ was_glue = true;
+ /* FALLTHROUGH */
+ case ISC_R_SUCCESS:
result = dns_rdataset_first(st->r.ns_rdataset);
if (result != ISC_R_SUCCESS) {
goto cleanup;
@@ -4252,6 +4257,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
continue;
}
}
+
/*
* Check all NS names.
*/
@@ -4302,7 +4308,17 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
result = dns_rdataset_next(st->r.ns_rdataset);
} while (result == ISC_R_SUCCESS);
dns_rdataset_disassociate(st->r.ns_rdataset);
- st->r.label--;
+
+ /*
+ * If we just checked a glue NS RRset retry without allowing
+ * glue responses, otherwise setup for the next name.
+ */
+ if (was_glue) {
+ options = 0;
+ } else {
+ options = DNS_DBFIND_GLUEOK;
+ st->r.label--;
+ }
if (rpz_get_zbits(client, dns_rdatatype_any,
DNS_RPZ_TYPE_NSDNAME) == 0 &&
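Review bot: `options` is restored to `DNS_DBFIND_GLUEOK` only on the path that reaches the end of the loop body; the `continue` visible in the hunk at -4252 goes to the next iteration without touching it. If that `continue` can be reached on the glue-free retry (the switch arms leading to it are outside the hunks), the lookup for the next label runs with `options = 0` and glue NS sets are not considered for it, so an NSDNAME or NSIP rule could go unmatched. Placing `options = DNS_DBFIND_GLUEOK;` immediately before that `continue` closes the gap. `was_glue` is also loop-local, so an iteration that skips the lookup because `st->r.ns_rdataset` is already associated never takes the retry; if that is intended, a comment should say so. rpz_rewrite starts and ends outside these hunks.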
--
2.27.0


@ -1,207 +0,0 @@
From 8c2ede6edcc917496eb7d6603c05427cbb9793cc Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 4 May 2022 15:40:53 +1000
Subject: [PATCH] Process learned records as well as glue
(cherry picked from commit 07c828531cb49deeba3e14d7a5ffef7934973562)
Conflict: adapt seg2 and delete rpz_rewrite modify
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8c2ede6edcc917496eb7d6603c05427cbb9793cc
---
lib/ns/query.c | 167 ++++++++++++++++++++++++++++---------------------
1 file changed, 94 insertions(+), 73 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 5ba732f..e6b25bc 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2774,7 +2774,7 @@ query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
*/
static isc_result_t
rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
- dns_rpz_type_t rpz_type, dns_db_t **dbp,
+ unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp,
dns_dbversion_t *version, dns_rdataset_t **rdatasetp,
bool resuming) {
dns_rpz_st_t *st;
@@ -2843,7 +2843,7 @@ rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
found = dns_fixedname_initname(&fixed);
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL);
- result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK,
+ result = dns_db_findext(*dbp, name, version, type, options,
client->now, &node, found, &cm, &ci, *rdatasetp,
NULL);
if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
@@ -3588,82 +3588,104 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
struct in_addr ina;
struct in6_addr in6a;
isc_result_t result;
+ unsigned int options = DNS_DBFIND_GLUEOK;
+ bool done = false;
CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
- zbits = rpz_get_zbits(client, ip_type, rpz_type);
- if (zbits == 0) {
- return (ISC_R_SUCCESS);
- }
+ do {
+ zbits = rpz_get_zbits(client, ip_type, rpz_type);
+ if (zbits == 0) {
+ return (ISC_R_SUCCESS);
+ }
- /*
- * Get the A or AAAA rdataset.
- */
- result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp,
- ip_version, ip_rdatasetp, resuming);
- switch (result) {
- case ISC_R_SUCCESS:
- case DNS_R_GLUE:
- case DNS_R_ZONECUT:
- break;
- case DNS_R_EMPTYNAME:
- case DNS_R_EMPTYWILD:
- case DNS_R_NXDOMAIN:
- case DNS_R_NCACHENXDOMAIN:
- case DNS_R_NXRRSET:
- case DNS_R_NCACHENXRRSET:
- case ISC_R_NOTFOUND:
- return (ISC_R_SUCCESS);
- case DNS_R_DELEGATION:
- case DNS_R_DUPLICATE:
- case DNS_R_DROP:
- return (result);
- case DNS_R_CNAME:
- case DNS_R_DNAME:
- rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type,
- "NS address rewrite rrset", result);
- return (ISC_R_SUCCESS);
- default:
- if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
- client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
- rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
+ /*
+ * Get the A or AAAA rdataset.
+ */
+ result = rpz_rrset_find(client, name, ip_type, options,
+ rpz_type, ip_dbp, ip_version,
+ ip_rdatasetp, resuming);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case DNS_R_GLUE:
+ case DNS_R_ZONECUT:
+ break;
+ case DNS_R_EMPTYNAME:
+ case DNS_R_EMPTYWILD:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NXRRSET:
+ case DNS_R_NCACHENXRRSET:
+ case ISC_R_NOTFOUND:
+ return (ISC_R_SUCCESS);
+ case DNS_R_DELEGATION:
+ case DNS_R_DUPLICATE:
+ case DNS_R_DROP:
+ return (result);
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name,
rpz_type, "NS address rewrite rrset",
result);
+ return (ISC_R_SUCCESS);
+ default:
+ if (client->query.rpz_st->m.policy !=
+ DNS_RPZ_POLICY_ERROR) {
+ client->query.rpz_st->m.policy =
+ DNS_RPZ_POLICY_ERROR;
+ rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
+ rpz_type,
+ "NS address rewrite rrset",
+ result);
+ }
+ CTRACE(ISC_LOG_ERROR,
+ "rpz_rewrite_ip_rrset: unexpected "
+ "result");
+ return (DNS_R_SERVFAIL);
}
- CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip_rrset: unexpected "
- "result");
- return (DNS_R_SERVFAIL);
- }
- /*
- * Check all of the IP addresses in the rdataset.
- */
- for (result = dns_rdataset_first(*ip_rdatasetp);
- result == ISC_R_SUCCESS; result = dns_rdataset_next(*ip_rdatasetp))
- {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(*ip_rdatasetp, &rdata);
- switch (rdata.type) {
- case dns_rdatatype_a:
- INSIST(rdata.length == 4);
- memmove(&ina.s_addr, rdata.data, 4);
- isc_netaddr_fromin(&netaddr, &ina);
- break;
- case dns_rdatatype_aaaa:
- INSIST(rdata.length == 16);
- memmove(in6a.s6_addr, rdata.data, 16);
- isc_netaddr_fromin6(&netaddr, &in6a);
- break;
- default:
- continue;
+ /*
+ * If we are processing glue setup for the next loop
+ * otherwise we are done.
+ */
+ if (result == DNS_R_GLUE) {
+ options = 0;
+ } else {
+ done = true;
}
- result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type,
- zbits, p_rdatasetp);
- if (result != ISC_R_SUCCESS) {
- return (result);
+ /*
+ * Check all of the IP addresses in the rdataset.
+ */
+ for (result = dns_rdataset_first(*ip_rdatasetp);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(*ip_rdatasetp))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(*ip_rdatasetp, &rdata);
+ switch (rdata.type) {
+ case dns_rdatatype_a:
+ INSIST(rdata.length == 4);
+ memmove(&ina.s_addr, rdata.data, 4);
+ isc_netaddr_fromin(&netaddr, &ina);
+ break;
+ case dns_rdatatype_aaaa:
+ INSIST(rdata.length == 16);
+ memmove(in6a.s6_addr, rdata.data, 16);
+ isc_netaddr_fromin6(&netaddr, &in6a);
+ break;
+ default:
+ continue;
+ }
+
+ result = rpz_rewrite_ip(client, &netaddr, qtype,
+ rpz_type, zbits, p_rdatasetp);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
}
- }
+ } while (!done &&
+ client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS);
return (ISC_R_SUCCESS);
}
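Review bot: The new do/while in rpz_rewrite_ip_rrset has no bound of its own: it stops only when rpz_rrset_find() returns something other than DNS_R_GLUE or the policy leaves DNS_RPZ_POLICY_MISS. After the first pass `options` is 0, so a second DNS_R_GLUE is presumably impossible, but that relies on dns_db_findext() behaviour that is not visible in this patch. Making the second pass final removes that dependency: `if (result == DNS_R_GLUE && options != 0) { options = 0; } else { done = true; }`. A one-line comment stating that the loop runs at most twice (glue first, then non-glue data) would also help; the function begins above this hunk.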
--
2.27.0


@ -1,27 +0,0 @@
From 13129872eb0b3c9d63782f42d7f1752e5dabefcf Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 4 May 2022 14:45:19 +1000
Subject: [PATCH] Process the delegating NS RRset when checking rpz rules
(cherry picked from commit cf97c61f48f6cea6d9e67158485106f659433309)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/13129872eb0b3c9d63782f42d7f1752e5dabefcf
---
lib/ns/query.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 771aa7b970..4eb95b808d 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -4211,6 +4211,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
}
switch (result) {
case ISC_R_SUCCESS:
+ case DNS_R_GLUE:
result = dns_rdataset_first(st->r.ns_rdataset);
if (result != ISC_R_SUCCESS) {
goto cleanup;
--
2.23.0


@ -1,207 +0,0 @@
From be7f672fcc20a03d08c1f50b5b7a9f353ccd5dac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 4 May 2022 09:26:34 +0200
Subject: [PATCH] Lock the trampoline when attaching
When attaching to the trampoline, the isc__trampoline_max was accessed
unlocked. This would not manifest under normal circumstances because we
initialize 65 trampolines by default and that's enough for most
commodity hardware, but there are ARM machines with 128+ cores where
this would be reported by ThreadSanitizer.
Add locking around the code in isc__trampoline_attach(). This also
requires the lock to leak on exit (along with memory that we already
leak) because a new thread might be attaching to the trampoline while we
are running the library destructor at the same time.
(cherry picked from commit 933162ae1400ed4d854c32613a7e0a6bbe0b31f7)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/be7f672fcc20a03d08c1f50b5b7a9f353ccd5dac
---
lib/isc/trampoline.c | 87 ++++++++++++++++++++------------------------
1 file changed, 39 insertions(+), 48 deletions(-)
diff --git a/lib/isc/trampoline.c b/lib/isc/trampoline.c
index e133c40084..965fd0552e 100644
--- a/lib/isc/trampoline.c
+++ b/lib/isc/trampoline.c
@@ -15,9 +15,9 @@
#include <inttypes.h>
#include <stdlib.h>
+#include <uv.h>
#include <isc/mem.h>
-#include <isc/mutex.h>
#include <isc/once.h>
#include <isc/thread.h>
#include <isc/util.h>
@@ -34,9 +34,26 @@ struct isc__trampoline {
void *jemalloc_enforce_init;
};
-static isc_once_t isc__trampoline_initialize_once = ISC_ONCE_INIT;
-static isc_once_t isc__trampoline_shutdown_once = ISC_ONCE_INIT;
-static isc_mutex_t isc__trampoline_lock;
+/*
+ * We can't use isc_mem API here, because it's called too
+ * early and when the isc_mem_debugging flags are changed
+ * later and ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX flags are
+ * added, neither isc_mem_put() nor isc_mem_free() can be used
+ * to free up the memory allocated here because the flags were
+ * not set when calling isc_mem_get() or isc_mem_allocate()
+ * here.
+ *
+ * Since this is a single allocation at library load and deallocation at library
+ * unload, using the standard allocator without the tracking is fine for this
+ * single purpose.
+ *
+ * We can't use isc_mutex API either, because we track whether the mutexes get
+ * properly destroyed, and we intentionally leak the static mutex here without
+ * destroying it to prevent data race between library destructor running while
+ * thread is being still created.
+ */
+
+static uv_mutex_t isc__trampoline_lock;
static isc__trampoline_t **trampolines;
#if defined(HAVE_THREAD_LOCAL)
#include <threads.h>
@@ -49,19 +66,6 @@ __declspec(thread) size_t isc_tid_v = SIZE_MAX;
static size_t isc__trampoline_min = 1;
static size_t isc__trampoline_max = 65;
-/*
- * We can't use isc_mem API here, because it's called too
- * early and when the isc_mem_debugging flags are changed
- * later and ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX flags are
- * added, neither isc_mem_put() nor isc_mem_free() can be used
- * to free up the memory allocated here because the flags were
- * not set when calling isc_mem_get() or isc_mem_allocate()
- * here.
- *
- * Actually, since this is a single allocation at library load
- * and deallocation at library unload, using the standard
- * allocator without the tracking is fine for this purpose.
- */
static isc__trampoline_t *
isc__trampoline_new(int tid, isc_threadfunc_t start, isc_threadarg_t arg) {
isc__trampoline_t *trampoline = calloc(1, sizeof(*trampoline));
@@ -77,17 +81,17 @@ isc__trampoline_new(int tid, isc_threadfunc_t start, isc_threadarg_t arg) {
return (trampoline);
}
-static void
-trampoline_initialize(void) {
- isc_mutex_init(&isc__trampoline_lock);
+void
+isc__trampoline_initialize(void) {
+ uv_mutex_init(&isc__trampoline_lock);
trampolines = calloc(isc__trampoline_max, sizeof(trampolines[0]));
RUNTIME_CHECK(trampolines != NULL);
/* Get the trampoline slot 0 for the main thread */
trampolines[0] = isc__trampoline_new(0, NULL, NULL);
- trampolines[0]->self = isc_thread_self();
isc_tid_v = trampolines[0]->tid;
+ trampolines[0]->self = isc_thread_self();
/* Initialize the other trampolines */
for (size_t i = 1; i < isc__trampoline_max; i++) {
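Review bot: `uv_mutex_init()` returns an int and the result is dropped in isc__trampoline_initialize(), so a failed initialisation would leave every later `uv_mutex_lock()` working on an uninitialised mutex. The next line already uses RUNTIME_CHECK for the calloc, and the same fits here: `RUNTIME_CHECK(uv_mutex_init(&isc__trampoline_lock) == 0);`. The isc_once_do() guard is removed by this patch as well, so a comment stating that the function must run exactly once, at library load, would record the new precondition. The function body continues past the end of this hunk.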
@@ -97,38 +101,22 @@ trampoline_initialize(void) {
}
void
-isc__trampoline_initialize(void) {
- isc_result_t result = isc_once_do(&isc__trampoline_initialize_once,
- trampoline_initialize);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-}
-
-static void
-trampoline_shutdown(void) {
+isc__trampoline_shutdown(void) {
/*
* When the program using the library exits abruptly and the library
* gets unloaded, there might be some existing trampolines from unjoined
* threads. We intentionally ignore those and don't check whether all
- * trampolines have been cleared before exiting.
+ * trampolines have been cleared before exiting, so we leak a little bit
+ * of resources here, including the lock.
*/
free(trampolines[0]);
- free(trampolines);
- trampolines = NULL;
- isc_mutex_destroy(&isc__trampoline_lock);
-}
-
-void
-isc__trampoline_shutdown(void) {
- isc_result_t result = isc_once_do(&isc__trampoline_shutdown_once,
- trampoline_shutdown);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
isc__trampoline_t *
isc__trampoline_get(isc_threadfunc_t start, isc_threadarg_t arg) {
isc__trampoline_t **tmp = NULL;
isc__trampoline_t *trampoline = NULL;
- LOCK(&isc__trampoline_lock);
+ uv_mutex_lock(&isc__trampoline_lock);
again:
for (size_t i = isc__trampoline_min; i < isc__trampoline_max; i++) {
if (trampolines[i] == NULL) {
@@ -152,17 +140,17 @@ again:
goto again;
done:
INSIST(trampoline != NULL);
- UNLOCK(&isc__trampoline_lock);
+ uv_mutex_unlock(&isc__trampoline_lock);
return (trampoline);
}
void
isc__trampoline_detach(isc__trampoline_t *trampoline) {
- LOCK(&isc__trampoline_lock);
- REQUIRE(trampoline->tid > 0 &&
- (size_t)trampoline->tid < isc__trampoline_max);
+ uv_mutex_lock(&isc__trampoline_lock);
REQUIRE(trampoline->self == isc_thread_self());
+ REQUIRE(trampoline->tid > 0);
+ REQUIRE((size_t)trampoline->tid < isc__trampoline_max);
REQUIRE(trampolines[trampoline->tid] == trampoline);
trampolines[trampoline->tid] = NULL;
@@ -174,15 +162,17 @@ isc__trampoline_detach(isc__trampoline_t *trampoline) {
free(trampoline->jemalloc_enforce_init);
free(trampoline);
- UNLOCK(&isc__trampoline_lock);
+ uv_mutex_unlock(&isc__trampoline_lock);
return;
}
void
isc__trampoline_attach(isc__trampoline_t *trampoline) {
- REQUIRE(trampoline->tid > 0 &&
- (size_t)trampoline->tid < isc__trampoline_max);
+ uv_mutex_lock(&isc__trampoline_lock);
REQUIRE(trampoline->self == ISC__TRAMPOLINE_UNUSED);
+ REQUIRE(trampoline->tid > 0);
+ REQUIRE((size_t)trampoline->tid < isc__trampoline_max);
+ REQUIRE(trampolines[trampoline->tid] == trampoline);
/* Initialize the trampoline */
isc_tid_v = trampoline->tid;
@@ -196,6 +186,7 @@ isc__trampoline_attach(isc__trampoline_t *trampoline) {
* malloc() + free() calls altogether, as it would foil the fix.
*/
trampoline->jemalloc_enforce_init = malloc(8);
+ uv_mutex_unlock(&isc__trampoline_lock);
}
isc_threadresult_t
--
2.23.0


@ -1,42 +0,0 @@
From b6670787d25743ddf39dfe8e615828efc928f50d Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 13 May 2022 19:59:58 -0700
Subject: [PATCH] prevent a possible buffer overflow in configuration check
Corrected code that could have allowed a buffer overflow while
parsing named.conf.
(cherry picked from commit 921043b54161c7a3e6dc4036b038ca4dbc5fe472)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b6670787d25743ddf39dfe8e615828efc928f50d
---
lib/bind9/check.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index d446df3cd3..0be4871020 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2500,8 +2500,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
} else if (dns_name_isula(zname)) {
ula = true;
}
- tmp += strlen(tmp);
len -= strlen(tmp);
+ tmp += strlen(tmp);
(void)snprintf(tmp, len, "%u/%s", zclass,
(ztype == CFG_ZONE_INVIEW) ? target
: (viewname != NULL) ? viewname
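Review bot: Both reordered pairs still discard the snprintf() result, so a string that does not fit is silently truncated; in the second hunk (around line 3247) the possibly truncated `keydirbuf` is then handed to keydirexist(). Checking the return value makes truncation explicit: `n = snprintf(tmp, len, ...); if (n < 0 || (size_t)n >= len) { /* report and fail */ }`. Taking the length once, `size_t used = strlen(tmp); tmp += used; len -= used;`, would also keep the two statements from depending on their order again. check_zoneconf starts and ends outside both hunks, so how the first buffer is consumed afterwards is not visible here.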
@@ -3247,8 +3247,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
char *tmp = keydirbuf;
size_t len = sizeof(keydirbuf);
dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
- tmp += strlen(tmp);
len -= strlen(tmp);
+ tmp += strlen(tmp);
(void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
tresult = keydirexist(zconfig, (const char *)keydirbuf,
kaspname, keydirs, logctx, mctx);
--
2.23.0


@ -1,160 +0,0 @@
From 6edbe8452cc4a5eb0e5cd6aa92039bb17d8fc9ef Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Sun, 8 May 2022 17:17:29 -0700
Subject: [PATCH] Add lower bound checks to fetchlimit test
Check that the recursing client count is above a reasonable
minimum, as well as below a maximum, so that we can detect
bugs that cause recursion to fail too early or too often.
(cherry picked from commit 8834c44683f76b3e9fff795eb3d9ec52bc063b6a)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6edbe8452cc4a5eb0e5cd6aa92039bb17d8fc9ef
---
bin/tests/system/fetchlimit/tests.sh | 41 +++++++++++++++-------------
1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/bin/tests/system/fetchlimit/tests.sh b/bin/tests/system/fetchlimit/tests.sh
index e7df552af0..55f4bf6a48 100644
--- a/bin/tests/system/fetchlimit/tests.sh
+++ b/bin/tests/system/fetchlimit/tests.sh
@@ -21,7 +21,7 @@ burst() {
num=${3:-20}
rm -f burst.input.$$
while [ $num -gt 0 ]; do
- num=`expr $num - 1`
+ num=$((num-1))
echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$
done
$PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$
@@ -33,7 +33,9 @@ stat() {
sed 's;.*: \([^/][^/]*\)/.*;\1;'`
echo_i "clients: $clients"
[ "$clients" = "" ] && return 1
- [ "$clients" -le $1 ]
+ [ "$clients" -ge $1 ] || return 1
+ [ "$clients" -le $2 ] || return 1
+ return 0
}
status=0
@@ -47,13 +49,14 @@ for try in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
burst a $try
# fetches-per-server is at 400, but at 20qps against a lame server,
# we'll reach 200 at the tenth second, and the quota should have been
- # tuned to less than that by then
- stat 200 || ret=1
+ # tuned to less than that by then.
+ [ $try -le 5 ] && low=$((try*10))
+ stat 20 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "dumping ADB data"
$RNDCCMD dumpdb -adb
@@ -77,14 +80,14 @@ fails=`grep 'queries resulted in SERVFAIL' ns3/named.stats | sed 's/\([0-9][0-9]
[ -z "$fails" ] && fails=0
[ "$fails" -ge "$sspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking lame server recovery"
ret=0
rm -f ans4/norespond
for try in 1 2 3 4 5; do
burst b $try
- stat 200 || ret=1
+ stat 0 200 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
@@ -99,7 +102,7 @@ quota=$5
for try in 1 2 3 4 5 6 7 8 9 10; do
burst c $try
- stat 20 || ret=1
+ stat 0 20 || ret=1
[ $ret -eq 1 ] && break
sleep 1
done
@@ -112,7 +115,7 @@ set -- $info
[ ${5:-${quota}} -gt $quota ] || ret=1
quota=$5
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@@ -126,17 +129,17 @@ for try in 1 2 3 4 5; do
burst b $try 300
$DIGCMD a ${try}.example > dig.out.ns3.$try
grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \
- success=`expr $success + 1`
+ success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \
- fail=`expr $fail + 1`
- stat 50 || ret=1
+ fail=$(($fail+1))
+ stat 30 50 || ret=1
[ $ret -eq 1 ] && break
$RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
done
echo_i "$success successful valid queries, $fail SERVFAIL"
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking drop statistics"
rm -f ns3/named.stats
@@ -151,7 +154,7 @@ drops=`grep 'queries dropped' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*
[ -z "$drops" ] && drops=0
[ "$drops" -ge "$zspill" ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
copy_setports ns3/named3.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3
@@ -165,11 +168,11 @@ touch ans4/norespond
for try in 1 2 3 4 5; do
burst b $try 400
$DIGCMD +time=2 a ${try}.example > dig.out.ns3.$try
- stat 400 || exceeded=`expr $exceeded + 1`
+ stat 100 400 || exceeded=$((exceeded + 1))
grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \
- success=`expr $success + 1`
+ success=$((success+1))
grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \
- fail=`expr $fail + 1`
+ fail=$(($fail+1))
sleep 1
done
echo_i "$success successful valid queries (expected 5)"
@@ -179,7 +182,7 @@ echo_i "$fail SERVFAIL responses (expected 0)"
echo_i "clients count exceeded 400 on $exceeded trials (expected 0)"
[ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; }
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "checking drop statistics"
rm -f ns3/named.stats
@@ -191,7 +194,7 @@ done
drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'`
[ "${drops:-0}" -ne 0 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.23.0


@ -1,71 +0,0 @@
From 9582d05683742c4920c7125e8364a3345e6035b8 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 5 May 2022 14:52:15 -0700
Subject: [PATCH] Disable EDNS for the fetchlimit test server
The fetchlimit test depends on a resolver continuing to try UDP
and timing out while the client waits for resolution to succeed.
but since commit bb990030 (flag day 2020), a fetch will always
switch to TCP after two timeouts, unless EDNS was disabled for
the query.
This commit adds "edns no;" to server statements in the fetchlimit
resolver, to restore the behavior expected by the test.
(cherry picked from commit 81deb24deb26095cbf3eaec8e7763973ec4177c3)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/9582d05683742c4920c7125e8364a3345e6035b8
---
bin/tests/system/fetchlimit/ns3/named1.conf.in | 4 ++++
bin/tests/system/fetchlimit/ns3/named2.conf.in | 4 ++++
bin/tests/system/fetchlimit/ns3/named3.conf.in | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/bin/tests/system/fetchlimit/ns3/named1.conf.in b/bin/tests/system/fetchlimit/ns3/named1.conf.in
index ab7c25a0af..3adfe473eb 100644
--- a/bin/tests/system/fetchlimit/ns3/named1.conf.in
+++ b/bin/tests/system/fetchlimit/ns3/named1.conf.in
@@ -28,6 +28,10 @@ options {
fetches-per-server 400;
};
+server 10.53.0.4 {
+ edns no;
+};
+
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
diff --git a/bin/tests/system/fetchlimit/ns3/named2.conf.in b/bin/tests/system/fetchlimit/ns3/named2.conf.in
index 27c5f33e3b..74374b106f 100644
--- a/bin/tests/system/fetchlimit/ns3/named2.conf.in
+++ b/bin/tests/system/fetchlimit/ns3/named2.conf.in
@@ -26,6 +26,10 @@ options {
fetches-per-zone 40;
};
+server 10.53.0.4 {
+ edns no;
+};
+
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
diff --git a/bin/tests/system/fetchlimit/ns3/named3.conf.in b/bin/tests/system/fetchlimit/ns3/named3.conf.in
index a5d1c165fb..3df353b07d 100644
--- a/bin/tests/system/fetchlimit/ns3/named3.conf.in
+++ b/bin/tests/system/fetchlimit/ns3/named3.conf.in
@@ -26,6 +26,10 @@ options {
recursive-clients 400;
};
+server 10.53.0.4 {
+ edns no;
+};
+
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
--
2.23.0


@ -1,44 +0,0 @@
From 8516efa4fda80d99b0376db6681fb6f31326061e Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 4 May 2022 17:27:56 -0700
Subject: [PATCH] Fix the fetches-per-server quota calculation
Since commit bad5a523c2e, when the fetches-per-server quota
was increased or decreased, instead of the value being set to
the newly calculated quota, it was set to the *minimum* of
the new quota or 1 - which effectively meant it was always set to 1.
it should instead have been the maximum, to prevent the value from
ever dropping to zero.
(cherry picked from commit 694bc50273ddc01c571dd917415d24b42ca39de8)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/8516efa4fda80d99b0376db6681fb6f31326061e
---
lib/dns/adb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index d5ef99bb61..f86e5125e5 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -4324,7 +4324,7 @@ maybe_adjust_quota(dns_adb_t *adb, dns_adbaddrinfo_t *addr, bool timeout) {
uint_fast32_t new_quota =
adb->quota * quota_adj[--addr->entry->mode] / 10000;
atomic_store_release(&addr->entry->quota,
- ISC_MIN(1, new_quota));
+ ISC_MAX(1, new_quota));
log_quota(addr->entry,
"atr %0.2f, quota increased to %" PRIuFAST32,
addr->entry->atr, new_quota);
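Review bot: The value stored is `ISC_MAX(1, new_quota)`, but log_quota() still prints the unclamped `new_quota`, so the log can report a quota of 0 while 1 is in effect; the "quota decreased" hunk below has the same mismatch. Clamping once before both uses keeps them in step: `new_quota = ISC_MAX(1, new_quota);` followed by `atomic_store_release(&addr->entry->quota, new_quota);`. The clamp should stay on its own line and not be folded into the initialiser, since that expression contains `--addr->entry->mode` and ISC_MAX may evaluate its arguments more than once. maybe_adjust_quota starts and ends outside the hunk.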
@@ -4334,7 +4334,7 @@ maybe_adjust_quota(dns_adb_t *adb, dns_adbaddrinfo_t *addr, bool timeout) {
uint_fast32_t new_quota =
adb->quota * quota_adj[++addr->entry->mode] / 10000;
atomic_store_release(&addr->entry->quota,
- ISC_MIN(1, new_quota));
+ ISC_MAX(1, new_quota));
log_quota(addr->entry,
"atr %0.2f, quota decreased to %" PRIuFAST32,
addr->entry->atr, new_quota);
--
2.23.0


@ -1,113 +0,0 @@
From 6226ab2fa910f01d75fd5b5c91c6452e38d1e7d0 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 3 May 2022 12:24:58 +0200
Subject: [PATCH] Add kasp test for #3302
Add a test case that triggers a keymgr run that will not trigger any
metadata changes. Ensure that the last status change of the key files
is unmodified.
(cherry picked from commit 7249bad706ab7e15660f4317dbfb76c65bd059cd)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6226ab2fa910f01d75fd5b5c91c6452e38d1e7d0
---
bin/tests/system/kasp.sh | 12 ++++++++++-
bin/tests/system/kasp/tests.sh | 38 ++++++++++++++++++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 01bcce3fd0..f41911a68e 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -64,6 +64,9 @@ VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0="
# EXPECT_KRRSIG
# LEGACY
# PRIVATE
+# PRIVKEY_STAT
+# PUBKEY_STAT
+# STATE_STAT
key_key() {
echo "${1}__${2}"
@@ -86,6 +89,10 @@ key_save()
key_set "$1" BASEFILE "$BASE_FILE"
# Save creation date.
key_set "$1" CREATED "${KEY_CREATED}"
+ # Save key change time.
+ key_set "$1" PRIVKEY_STAT $(stat -c '%Z' "${BASE_FILE}.private")
+ key_set "$1" PUBKEY_STAT $(stat -c '%Z' "${BASE_FILE}.key")
+ key_set "$1" STATE_STAT $(stat -c '%Z' "${BASE_FILE}.state")
}
# Clear key state.
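Review bot: The three `$(stat -c '%Z' ...)` substitutions in key_save are unquoted and unchecked, so when a key file is missing key_set is called with only two arguments and the stored value is no longer the `0` default set in key_clear. Quoting keeps the argument count stable, `key_set "$1" PRIVKEY_STAT "$(stat -c '%Z' "${BASE_FILE}.private")"`, and likewise for the `.key` and `.state` lines. `stat -c` is the GNU coreutils form (BSD stat uses `-f` with different format letters), so if the system tests are expected to run on such platforms this needs a portable wrapper. `%Z` has one-second resolution, which is worth a comment because a rewrite within the same second as key_save would go unnoticed.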
@@ -98,6 +105,7 @@ key_clear() {
key_set "$1" "ROLE" 'none'
key_set "$1" "KSK" 'no'
key_set "$1" "ZSK" 'no'
+ key_set "$1" "FLAGS" '0'
key_set "$1" "LIFETIME" 'none'
key_set "$1" "ALG_NUM" '0'
key_set "$1" "ALG_STR" 'none'
@@ -118,7 +126,9 @@ key_clear() {
key_set "$1" "EXPECT_KRRSIG" 'no'
key_set "$1" "LEGACY" 'no'
key_set "$1" "PRIVATE" 'yes'
- key_set "$1" "FLAGS" '0'
+ key_set "$1" "PRIVKEY_STAT" '0'
+ key_set "$1" "PUBKEY_STAT" '0'
+ key_set "$1" "STATE_STAT" '0'
}
# Start clear.
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index f4b3714a54..eccf33a2d3 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -294,6 +294,44 @@ check_apex
check_subdomain
dnssec_verify
+# Trigger a keymgr run. Make sure the key files are not touched if there are
+# no modifications to the key metadata.
+n=$((n+1))
+echo_i "make sure key files are untouched if metadata does not change ($n)"
+ret=0
+basefile=$(key_get KEY1 BASEFILE)
+privkey_stat=$(key_get KEY1 PRIVKEY_STAT)
+pubkey_stat=$(key_get KEY1 PUBKEY_STAT)
+state_stat=$(key_get KEY1 STATE_STAT)
+
+nextpart $DIR/named.run > /dev/null
+rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
+privkey_stat2=$(stat -c '%Z' "${basefile}.private")
+pubkey_stat2=$(stat -c '%Z' "${basefile}.key")
+state_stat2=$(stat -c '%Z' "${basefile}.state")
+test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)"
+test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
+test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "again ($n)"
+ret=0
+
+nextpart $DIR/named.run > /dev/null
+rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+wait_for_log 3 "keymgr: done" $DIR/named.run
+privkey_stat2=$(stat -c '%Z' "${basefile}.private")
+pubkey_stat2=$(stat -c '%Z' "${basefile}.key")
+state_stat2=$(stat -c '%Z' "${basefile}.state")
+test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)"
+test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
+test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
# Update zone.
n=$((n+1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
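Review bot: The second block waits for `"keymgr: done"` while the first waits for `"keymgr: $ZONE done"`; if named logs the zone name between those words, the second pattern presumably cannot match and that wait only runs out its timeout. Apart from the pattern and the message text the two blocks are identical, so a small helper that takes the pattern and compares the three saved values would stop them drifting apart. If the difference is deliberate, a comment on the second `wait_for_log` line should say which log line it is meant to catch.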
--
2.23.0


@ -1,235 +0,0 @@
From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 3 May 2022 12:28:31 +0200
Subject: [PATCH] Check if key metadata is modified before writing
Add a new parameter to the dst_key structure, mark a key modified if
dst_key_(un)set[bool,num,state,time] is called. Only write out key
files during a keymgr run if the metadata has changed.
(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3
---
lib/dns/dst_api.c | 26 ++++++++++++++++++++++++++
lib/dns/dst_internal.h | 1 +
lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++
lib/dns/keymgr.c | 17 ++++++++++++++++-
4 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index ab371330f0..8873a041b8 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) {
return (key->external);
}
+void
+dst_key_setmodified(dst_key_t *key, bool value) {
+ key->modified = value;
+}
+
+bool
+dst_key_ismodified(dst_key_t *key) {
+ return (key->modified);
+}
+
isc_result_t
dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
int type, const char *directory, isc_mem_t *mctx,
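Review bot: dst_key_setmodified() and dst_key_ismodified() read and write `key->modified` without taking `key->mdlock`, while every setter changed later in this patch (dst_key_setbool, dst_key_setnum, dst_key_settime, dst_key_setstate and their unset counterparts) updates the same field under that lock. A caller that clears or tests the flag while another thread runs one of those setters would then race on it. Taking the lock in both accessors matches the setters: `isc_mutex_lock(&key->mdlock); key->modified = value; isc_mutex_unlock(&key->mdlock);`. If the accessors are only ever called with the key otherwise quiescent, a comment saying so would be enough.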
@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
(pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
{
RETERR(computeid(pubkey));
+ pubkey->modified = false;
*keyp = pubkey;
pubkey = NULL;
goto out;
@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type,
RETERR(DST_R_INVALIDPRIVATEKEY);
}
+ key->modified = false;
*keyp = key;
key = NULL;
@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) {
REQUIRE(type <= DST_MAX_BOOLEAN);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->boolset[type] ||
+ key->bools[type] != value;
key->bools[type] = value;
key->boolset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_BOOLEAN);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->boolset[type];
key->boolset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) {
REQUIRE(type <= DST_MAX_NUMERIC);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->numset[type] ||
+ key->nums[type] != value;
key->nums[type] = value;
key->numset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_NUMERIC);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->numset[type];
key->numset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
REQUIRE(type <= DST_MAX_TIMES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->timeset[type] ||
+ key->times[type] != when;
key->times[type] = when;
key->timeset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_TIMES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->timeset[type];
key->timeset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) {
REQUIRE(type <= DST_MAX_KEYSTATES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || !key->keystateset[type] ||
+ key->keystates[type] != state;
key->keystates[type] = state;
key->keystateset[type] = true;
isc_mutex_unlock(&key->mdlock);
@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) {
REQUIRE(type <= DST_MAX_KEYSTATES);
isc_mutex_lock(&key->mdlock);
+ key->modified = key->modified || key->keystateset[type];
key->keystateset[type] = false;
isc_mutex_unlock(&key->mdlock);
}
@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) {
dst_key_unsetstate(to, i);
}
}
+
+ dst_key_setmodified(to, dst_key_ismodified(from));
}
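Review bot: The added `dst_key_setmodified(to, dst_key_ismodified(from));` at the end of dst_key_copy_metadata overwrites whatever the preceding `dst_key_set*`/`dst_key_unset*` calls recorded on `to`. With this patch those setters mark `to` as modified whenever a copied value differs, and this line then replaces that with the flag of `from`. If `from` is clean but differed from `to`, `to` ends up changed in memory yet flagged unmodified, and the new `dst_key_ismodified()` guard in dns_keymgr_run would skip writing it. That may be intended, but it is not obvious, so state it in a comment such as `/* 'to' now mirrors 'from'; it needs writing only if 'from' does. */`. The function body starts outside this hunk.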
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index e26837bfe4..4933cfd5aa 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -147,6 +147,7 @@ struct dst_key {
bool inactive; /*%< private key not present as it is
* inactive */
bool external; /*%< external key */
+ bool modified; /*%< set to true if key file metadata has changed */
int fmt_major; /*%< private key format, major version
* */
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d50761a63c..eab5501029 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key);
* 'key' to be valid.
*/
+void
+dst_key_setmodified(dst_key_t *key, bool value);
+/*%<
+ * If 'value' is true, this marks the key to indicate that key file metadata
+ * has been modified. If 'value' is false, this resets the value, for example
+ * after you have written the key to file.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
+bool
+dst_key_ismodified(dst_key_t *key);
+/*%<
+ * Check if the key file has been modified.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
bool
dst_key_haskasp(dst_key_t *key);
/*%<
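Review bot: The doc comment added for `dst_key_ismodified` says it checks whether "the key file has been modified", but the flag it returns is set by the in-memory metadata setters in dst_api.c and cleared by callers after `dst_key_tofile()`. It therefore reports unsaved metadata changes, not a change to the file on disk. I would word it as `Check if the key metadata has been modified since it was last read from or written to file.` so that callers do not take it for a file-change check.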
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 965782b1f3..b01286575f 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1512,6 +1512,7 @@ transition:
/* It is safe to make the transition. */
dst_key_setstate(dkey->key, i, next_state);
dst_key_settime(dkey->key, keystatetimes[i], now);
+ INSIST(dst_key_ismodified(dkey->key));
changed = true;
}
}
@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL;
dkey = ISC_LIST_NEXT(dkey, link))
{
- if (!dkey->purge) {
+ if (dst_key_ismodified(dkey->key) && !dkey->purge) {
dns_dnssec_get_hints(dkey, now);
RETERR(dst_key_tofile(dkey->key, options, directory));
+ dst_key_setmodified(dkey->key, false);
}
}
@@ -2205,6 +2207,13 @@ failure:
}
}
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(origin, namebuf, sizeof(namebuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3),
+ "keymgr: %s done", namebuf);
+ }
return (result);
}
@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
dns_dnssec_get_hints(ksk_key, now);
result = dst_key_tofile(ksk_key->key, options, directory);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_setmodified(ksk_key->key, false);
+ }
isc_dir_close(&dir);
return (result);
@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
dns_dnssec_get_hints(key, now);
result = dst_key_tofile(key->key, options, directory);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_setmodified(key->key, false);
+ }
isc_dir_close(&dir);
return (result);
--
2.27.0


@ -1,63 +0,0 @@
From 1dc7288708a2c1027405d5c2b376809a335cf252 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 1 Jun 2022 08:51:55 +0000
Subject: [PATCH] Don't process DNSSEC-related and ZONEMD records in catz
When processing a catalog zone update, skip processing records with
DNSSEC-related and ZONEMD types, because we are not interested in them
in the context of a catalog zone, and processing them will fail and
produce an unnecessary warning message.
(cherry picked from commit 73d664313703d2874c3b1a4380afdcd8ba26dc62)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1dc7288708a2c1027405d5c2b376809a335cf252
---
lib/dns/catz.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 53fbb1c2a7..a749ffa9d4 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -1799,6 +1799,12 @@ cleanup:
return (result);
}
+static bool
+catz_rdatatype_is_processable(const dns_rdatatype_t type) {
+ return (!dns_rdatatype_isdnssec(type) && type != dns_rdatatype_cds &&
+ type != dns_rdatatype_cdnskey && type != dns_rdatatype_zonemd);
+}
+
void
dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
dns_catz_zone_t *oldzone = NULL, *newzone = NULL;
@@ -1908,6 +1914,17 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
+
+ /*
+ * Skip processing DNSSEC-related and ZONEMD types,
+ * because we are not interested in them in the context
+ * of a catalog zone, and processing them will fail
+ * and produce an unnecessary warning message.
+ */
+ if (!catz_rdatatype_is_processable(rdataset.type)) {
+ goto next;
+ }
+
result = dns_catz_update_process(catzs, newzone, name,
&rdataset);
if (result != ISC_R_SUCCESS) {
@@ -1930,6 +1947,7 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
cname, classbuf, typebuf,
isc_result_totext(result));
}
+ next:
dns_rdataset_disassociate(&rdataset);
if (result != ISC_R_SUCCESS) {
break;
--
2.23.0


@ -1,76 +0,0 @@
From 7c42c04f3fa1c6b936debe48b435b9ef9da464bd Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 16 May 2022 19:00:47 +0200
Subject: [PATCH] Fix CID 352776: Concurrent data access violations
*** CID 352776: Concurrent data access violations (MISSING_LOCK)
/lib/dns/dst_api.c: 474 in dst_key_setmodified()
468 dst_key_isexternal(dst_key_t *key) {
469 return (key->external);
470 }
471
472 void
473 dst_key_setmodified(dst_key_t *key, bool value) {
>>> CID 352776: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "key->modified" without holding lock
>>> "dst_key.mdlock". Elsewhere, "dst_key.modified" is accessed with
>>> "dst_key.mdlock" held 8 out of 11 times (8 of these accesses
>>> strongly imply that it is necessary).
474 key->modified = value;
475 }
476
477 bool
478 dst_key_ismodified(dst_key_t *key) {
479 return (key->modified);
(cherry picked from commit 1fa24d0afbc01d25d71446156758b3a945db5b5f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/7c42c04f3fa1c6b936debe48b435b9ef9da464bd
---
lib/dns/dst_api.c | 12 ++++++++++--
lib/dns/include/dst/dst.h | 2 +-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 8873a041b8..e5a52aea37 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -492,12 +492,20 @@ dst_key_isexternal(dst_key_t *key) {
void
dst_key_setmodified(dst_key_t *key, bool value) {
+ isc_mutex_lock(&key->mdlock);
key->modified = value;
+ isc_mutex_unlock(&key->mdlock);
}
bool
-dst_key_ismodified(dst_key_t *key) {
- return (key->modified);
+dst_key_ismodified(const dst_key_t *key) {
+ bool modified;
+
+ isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
+ modified = key->modified;
+ isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
+
+ return (modified);
}
isc_result_t
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index eab5501029..3185e9f91b 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1119,7 +1119,7 @@ dst_key_setmodified(dst_key_t *key, bool value);
*/
bool
-dst_key_ismodified(dst_key_t *key);
+dst_key_ismodified(const dst_key_t *key);
/*%<
* Check if the key file has been modified.
*
--
2.27.0


@ -1,70 +0,0 @@
From d3147417c55cb1277cac42034198a3011c8f5cfb Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 17 May 2022 12:02:43 +0200
Subject: [PATCH] Require valid key for dst_key functions
Make sure that the key structure is valid when calling the following
functions:
- dst_key_setexternal
- dst_key_isexternal
- dst_key_setmodified
- dst_key_ismodified
This commit is adapted because 9.16 has a different approach
of deconsting the variable.
(cherry picked from commit 888ec4e0d407a9333017d6997a2be81a69658e1f)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d3147417c55cb1277cac42034198a3011c8f5cfb
---
lib/dns/dst_api.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index e5a52aea37..f5741a1af4 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -482,16 +482,22 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
void
dst_key_setexternal(dst_key_t *key, bool value) {
+ REQUIRE(VALID_KEY(key));
+
key->external = value;
}
bool
dst_key_isexternal(dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+
return (key->external);
}
void
dst_key_setmodified(dst_key_t *key, bool value) {
+ REQUIRE(VALID_KEY(key));
+
isc_mutex_lock(&key->mdlock);
key->modified = value;
isc_mutex_unlock(&key->mdlock);
@@ -500,10 +506,15 @@ dst_key_setmodified(dst_key_t *key, bool value) {
bool
dst_key_ismodified(const dst_key_t *key) {
bool modified;
+ dst_key_t *k;
- isc_mutex_lock(&(((dst_key_t *)key)->mdlock));
+ REQUIRE(VALID_KEY(key));
+
+ DE_CONST(key, k);
+
+ isc_mutex_lock(&k->mdlock);
modified = key->modified;
- isc_mutex_unlock(&(((dst_key_t *)key)->mdlock));
+ isc_mutex_unlock(&k->mdlock);
return (modified);
}
--
2.27.0


@ -1,45 +0,0 @@
From 87b3ced5fefffae9627ec23f7f509be6d79c39e7 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Thu, 24 Mar 2022 21:38:08 +0000
Subject: [PATCH] Do not cancel processing record datasets in catalog zone
after an error
When there are multiple record datasets in a database node of a catalog
zone, and BIND encounters a soft error during processing of a dataset,
it breaks from the loop and doesn't process the other datasets in the
node.
There are cases when this is not desired. For example, the catalog zones
draft version 5 states that there must be a TXT RRset named
`version.$CATZ` with exactly one RR, but it doesn't set a limitation
on possible non-TXT RRsets named `version.$CATZ` existing alongside
with the TXT one. In case when one exists, we will get a processing
error and will not continue the loop to process the TXT RRset coming
next.
Remove the "break" statement to continue processing all record datasets.
(cherry picked from commit 0b2d5490cd8b17a01852fcd9e0a0e0c4b9c93ab6)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/87b3ced5fefffae9627ec23f7f509be6d79c39e7
---
lib/dns/catz.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index a749ffa9d4..e46549be5e 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -1949,9 +1949,6 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
}
next:
dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_SUCCESS) {
- break;
- }
result = dns_rdatasetiter_next(rdsiter);
}
--
2.23.0


@ -1,28 +0,0 @@
From 66cfaf0fb057eebb51a37d55c2e85679725bc740 Mon Sep 17 00:00:00 2001
From: JINMEI Tatuya <jtatuya@infoblox.com>
Date: Mon, 13 Jun 2022 16:25:40 -0700
Subject: [PATCH] corrected the opcode param to opcode_totext
(cherry picked from commit 2b81a696593bdc406f0cadf2ec930118a86bf92c)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/66cfaf0fb057eebb51a37d55c2e85679725bc740
---
lib/dns/zone.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b7b02ae5f9..ded4bb5f23 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -13144,7 +13144,7 @@ stub_glue_response_cb(isc_task_t *task, isc_event_t *event) {
isc_buffer_t rb;
isc_buffer_init(&rb, opcode, sizeof(opcode));
- (void)dns_opcode_totext(msg->rcode, &rb);
+ (void)dns_opcode_totext(msg->opcode, &rb);
dns_zone_log(zone, ISC_LOG_INFO,
"refreshing stub: "
--
2.23.0


@ -1,46 +0,0 @@
From 673211492ceff3b80c0307726f2956c7fbd4c9dd Mon Sep 17 00:00:00 2001
From: JINMEI Tatuya <jtatuya@infoblox.com>
Date: Mon, 13 Jun 2022 16:30:00 -0700
Subject: [PATCH] make the fix more complete
(cherry picked from commit a58647df6a0afa188ed90c410d79ccfaeacfbf8b)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/673211492ceff3b80c0307726f2956c7fbd4c9dd
---
lib/dns/zone.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index ded4bb5f23..cd4db58eaf 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -13573,7 +13573,7 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
isc_buffer_t rb;
isc_buffer_init(&rb, opcode, sizeof(opcode));
- (void)dns_opcode_totext(msg->rcode, &rb);
+ (void)dns_opcode_totext(msg->opcode, &rb);
dns_zone_log(zone, ISC_LOG_INFO,
"refreshing stub: "
@@ -13979,7 +13979,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
isc_buffer_t rb;
isc_buffer_init(&rb, opcode, sizeof(opcode));
- (void)dns_opcode_totext(msg->rcode, &rb);
+ (void)dns_opcode_totext(msg->opcode, &rb);
dns_zone_log(zone, ISC_LOG_INFO,
"refresh: "
@@ -18171,7 +18171,7 @@ forward_callback(isc_task_t *task, isc_event_t *event) {
isc_buffer_t rb;
isc_buffer_init(&rb, opcode, sizeof(opcode));
- (void)dns_opcode_totext(msg->rcode, &rb);
+ (void)dns_opcode_totext(msg->opcode, &rb);
dns_zone_log(zone, ISC_LOG_INFO,
"forwarding dynamic update: "
--
2.23.0


@ -1,261 +0,0 @@
From 6cfab7e4f737803e0fc686ea7b7be0d9215489c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 14 Jun 2022 09:17:08 +0200
Subject: [PATCH] Gracefully handle uv_read_start() failures
Under specific rare timing circumstances the uv_read_start() could
fail with UV_EINVAL when the connection is reset between the connect (or
accept) and the uv_read_start() call on the nmworker loop. Handle such
situation gracefully by propagating the errors from uv_read_start() into
upper layers, so the socket can be internally closed().
(cherry picked from commit b432d5d3bcccf199141564b6a87d2cdac296ed7e)
Conflict: adapt isc__nm_start_reading modify
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6cfab7e4f737803e0fc686ea7b7be0d9215489c2
---
lib/isc/netmgr/netmgr-int.h | 4 ++--
lib/isc/netmgr/netmgr.c | 32 +++++++++++++++++++++-----------
lib/isc/netmgr/tcp.c | 10 ++++++++--
lib/isc/netmgr/tcpdns.c | 25 +++++++++++++++++++------
lib/isc/netmgr/udp.c | 10 ++++++++--
5 files changed, 58 insertions(+), 23 deletions(-)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index e43bc9f..326535c 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1560,11 +1560,11 @@ isc__nm_tcp_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf);
void
isc__nm_tcpdns_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf);
-void
+isc_result_t
isc__nm_start_reading(isc_nmsocket_t *sock);
void
isc__nm_stop_reading(isc_nmsocket_t *sock);
-void
+isc_result_t
isc__nm_process_sock_buffer(isc_nmsocket_t *sock);
void
isc__nm_resume_processing(void *arg);
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 701f9a9..71c6d62 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2162,12 +2162,13 @@ isc__nm_alloc_cb(uv_handle_t *handle, size_t size, uv_buf_t *buf) {
worker->recvbuf_inuse = true;
}
-void
+isc_result_t
isc__nm_start_reading(isc_nmsocket_t *sock) {
+ isc_result_t result = ISC_R_SUCCESS;
int r;
if (sock->reading) {
- return;
+ return (ISC_R_SUCCESS);
}
switch (sock->type) {
@@ -2187,8 +2188,14 @@ isc__nm_start_reading(isc_nmsocket_t *sock) {
INSIST(0);
ISC_UNREACHABLE();
}
- RUNTIME_CHECK(r == 0);
- sock->reading = true;
+
+ if (r != 0) {
+ result = isc__nm_uverr2result(r);
+ } else {
+ sock->reading = true;
+ }
+
+ return (result);
}
void
@@ -2250,7 +2257,7 @@ processbuffer(isc_nmsocket_t *sock) {
* limit. In this case we'll be called again by resume_processing()
* later.
*/
-void
+isc_result_t
isc__nm_process_sock_buffer(isc_nmsocket_t *sock) {
for (;;) {
int_fast32_t ah = atomic_load(&sock->ah);
@@ -2261,7 +2268,10 @@ isc__nm_process_sock_buffer(isc_nmsocket_t *sock) {
* Don't reset the timer until we have a
* full DNS message.
*/
- isc__nm_start_reading(sock);
+ result = isc__nm_start_reading(sock);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
/*
* Start the timer only if there are no externally used
* active handles, there's always one active handle
@@ -2271,11 +2281,11 @@ isc__nm_process_sock_buffer(isc_nmsocket_t *sock) {
if (ah == 1) {
isc__nmsocket_timer_start(sock);
}
- return;
+ goto done;
case ISC_R_CANCELED:
isc__nmsocket_timer_stop(sock);
isc__nm_stop_reading(sock);
- return;
+ goto done;
case ISC_R_SUCCESS:
/*
* Stop the timer on the successful message read, this
@@ -2289,13 +2299,15 @@ isc__nm_process_sock_buffer(isc_nmsocket_t *sock) {
ah >= STREAM_CLIENTS_PER_CONN)
{
isc__nm_stop_reading(sock);
- return;
+ goto done;
}
break;
default:
INSIST(0);
}
}
+done:
+ return (ISC_R_SUCCESS);
}
void
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 009e431..735b29d 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -743,18 +743,24 @@ isc__nm_async_tcpstartread(isc__networker_t *worker, isc__netievent_t *ev0) {
isc__netievent_tcpstartread_t *ievent =
(isc__netievent_tcpstartread_t *)ev0;
isc_nmsocket_t *sock = ievent->sock;
+ isc_result_t result;
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
UNUSED(worker);
if (isc__nmsocket_closing(sock)) {
+ result = ISC_R_CANCELED;
+ } else {
+ result = isc__nm_start_reading(sock);
+ }
+
+ if (result != ISC_R_SUCCESS) {
sock->reading = true;
- isc__nm_tcp_failed_read_cb(sock, ISC_R_CANCELED);
+ isc__nm_tcp_failed_read_cb(sock, result);
return;
}
- isc__nm_start_reading(sock);
isc__nmsocket_timer_start(sock);
}
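Review bot: `sock->reading = true;` on the failure path of isc__nm_async_tcpstartread needs a why-comment, because it now also runs when isc__nm_start_reading() itself failed, so the flag says the opposite of the socket's real state. Presumably it is set so that the failed-read callback's stop-reading and cleanup path runs instead of returning early; if so, say it, e.g. `/* Mark as reading so the failed-read path tears the socket down. */`. The same lines appear in the isc__nm_async_tcpdnsread and isc__nm_async_udpread hunks. The new failure branch in isc__nm_tcpdns_read_cb calls `isc__nm_failed_read_cb(sock, result, true)` without setting the flag, and a short comment there explaining the difference would help the next reader.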
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 4689f56..3bc8e05 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -709,6 +709,7 @@ isc__nm_async_tcpdnsread(isc__networker_t *worker, isc__netievent_t *ev0) {
isc__netievent_tcpdnsread_t *ievent =
(isc__netievent_tcpdnsread_t *)ev0;
isc_nmsocket_t *sock = ievent->sock;
+ isc_result_t result;
UNUSED(worker);
@@ -716,12 +717,15 @@ isc__nm_async_tcpdnsread(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
if (isc__nmsocket_closing(sock)) {
- sock->reading = true;
- isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false);
- return;
+ result = ISC_R_CANCELED;
+ } else {
+ result = isc__nm_process_sock_buffer(sock);
}
- isc__nm_process_sock_buffer(sock);
+ if (result != ISC_R_SUCCESS) {
+ sock->reading = true;
+ isc__nm_failed_read_cb(sock, result, false);
+ }
}
/*
@@ -813,6 +817,7 @@ isc__nm_tcpdns_read_cb(uv_stream_t *stream, ssize_t nread,
isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)stream);
uint8_t *base = NULL;
size_t len;
+ isc_result_t result;
REQUIRE(VALID_NMSOCK(sock));
REQUIRE(sock->tid == isc_nm_tid());
@@ -856,7 +861,10 @@ isc__nm_tcpdns_read_cb(uv_stream_t *stream, ssize_t nread,
sock->read_timeout = atomic_load(&sock->mgr->idle);
}
- isc__nm_process_sock_buffer(sock);
+ result = isc__nm_process_sock_buffer(sock);
+ if (result != ISC_R_SUCCESS) {
+ isc__nm_failed_read_cb(sock, result, true);
+ }
free:
isc__nm_free_uvbuf(sock, buf);
}
@@ -999,7 +1007,12 @@ accept_connection(isc_nmsocket_t *ssock, isc_quota_t *quota) {
* prep_destroy()->tcpdns_close_direct().
*/
isc_nmhandle_attach(handle, &csock->recv_handle);
- isc__nm_process_sock_buffer(csock);
+ result = isc__nm_process_sock_buffer(csock);
+ if (result != ISC_R_SUCCESS) {
+ isc_nmhandle_detach(&csock->recv_handle);
+ isc_nmhandle_detach(&handle);
+ goto failure;
+ }
/*
* The initial timer has been set, update the read timeout for the next
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index 305ac29..1af63af 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -879,6 +879,7 @@ void
isc__nm_async_udpread(isc__networker_t *worker, isc__netievent_t *ev0) {
isc__netievent_udpread_t *ievent = (isc__netievent_udpread_t *)ev0;
isc_nmsocket_t *sock = ievent->sock;
+ isc_result_t result;
UNUSED(worker);
@@ -886,12 +887,17 @@ isc__nm_async_udpread(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
if (isc__nmsocket_closing(sock)) {
+ result = ISC_R_CANCELED;
+ } else {
+ result = isc__nm_start_reading(sock);
+ }
+
+ if (result != ISC_R_SUCCESS) {
sock->reading = true;
- isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false);
+ isc__nm_failed_read_cb(sock, result, false);
return;
}
- isc__nm_start_reading(sock);
isc__nmsocket_timer_start(sock);
}
--
2.27.0


@ -1,174 +0,0 @@
From 058a2e7d4437f383c5cda3a44921e49ad272f9fb Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Fri, 10 Jun 2022 14:44:52 +0000
Subject: [PATCH] Fix a race between resolver query timeout and validation
The `resolver.c:validated()` function unlinks the current validator from
the fetch's validators list, which can leave it empty, then unlocks
the bucket lock. If, by a chance, the fetch was timed out just before
the `validated()` call, the final timeout callback running in parallel
with `validated()` can find the fetch context with no active fetches
and with an empty validators list and destroy it, which is unexpected
for the `validated()` function and can lead to a crash.
Increase the fetch context's reference count in the beginning of
`validated()` and decrease it when it finishes its work to avoid the
unexpected destruction of the fetch context.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/058a2e7d4437f383c5cda3a44921e49ad272f9fb
---
lib/dns/resolver.c | 63 +++++++++++++++++++++-------------------------
1 file changed, 28 insertions(+), 35 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index f34b9e318e..e8899d2457 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5746,12 +5746,13 @@ validated(isc_task_t *task, isc_event_t *event) {
dns_rdataset_t *rdataset;
dns_rdataset_t *sigrdataset;
dns_resolver_t *res;
- dns_valarg_t *valarg;
+ dns_valarg_t *valarg = event->ev_arg;
dns_validatorevent_t *vevent;
fetchctx_t *fctx;
bool chaining;
bool negative;
bool sentresponse;
+ bool bucket_empty;
isc_result_t eresult = ISC_R_SUCCESS;
isc_result_t result = ISC_R_SUCCESS;
isc_stdtime_t now;
@@ -5765,14 +5766,15 @@ validated(isc_task_t *task, isc_event_t *event) {
UNUSED(task); /* for now */
REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
- valarg = event->ev_arg;
+ REQUIRE(VALID_FCTX(valarg->fctx));
+ REQUIRE(!ISC_LIST_EMPTY(valarg->fctx->validators));
+
fctx = valarg->fctx;
+ fctx_increference(fctx);
dns_message_attach(valarg->message, &message);
- REQUIRE(VALID_FCTX(fctx));
res = fctx->res;
addrinfo = valarg->addrinfo;
- REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
vevent = (dns_validatorevent_t *)event;
fctx->vresult = vevent->result;
@@ -5810,12 +5812,8 @@ validated(isc_task_t *task, isc_event_t *event) {
* so, destroy the fctx.
*/
if (SHUTTINGDOWN(fctx) && !sentresponse) {
- bool bucket_empty;
- bucket_empty = maybe_destroy(fctx, true);
+ maybe_destroy(fctx, true);
UNLOCK(&res->buckets[bucketnum].lock);
- if (bucket_empty) {
- empty_bucket(res);
- }
goto cleanup_event;
}
@@ -5877,18 +5875,15 @@ validated(isc_task_t *task, isc_event_t *event) {
(void)dns_db_deleterdataset(fctx->cache, node,
NULL, vevent->type,
0);
- }
- if (result == ISC_R_SUCCESS &&
- vevent->sigrdataset != NULL) {
- (void)dns_db_deleterdataset(
- fctx->cache, node, NULL,
- dns_rdatatype_rrsig, vevent->type);
- }
- if (result == ISC_R_SUCCESS) {
+ if (vevent->sigrdataset != NULL) {
+ (void)dns_db_deleterdataset(
+ fctx->cache, node, NULL,
+ dns_rdatatype_rrsig,
+ vevent->type);
+ }
dns_db_detachnode(fctx->cache, &node);
}
- }
- if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) {
+ } else if (!negative) {
/*
* Cache the data as pending for later validation.
*/
@@ -5901,20 +5896,16 @@ validated(isc_task_t *task, isc_event_t *event) {
(void)dns_db_addrdataset(
fctx->cache, node, NULL, now,
vevent->rdataset, 0, NULL);
- }
- if (result == ISC_R_SUCCESS &&
- vevent->sigrdataset != NULL) {
- (void)dns_db_addrdataset(
- fctx->cache, node, NULL, now,
- vevent->sigrdataset, 0, NULL);
- }
- if (result == ISC_R_SUCCESS) {
+ if (vevent->sigrdataset != NULL) {
+ (void)dns_db_addrdataset(
+ fctx->cache, node, NULL, now,
+ vevent->sigrdataset, 0, NULL);
+ }
dns_db_detachnode(fctx->cache, &node);
}
}
result = fctx->vresult;
add_bad(fctx, message, addrinfo, result, badns_validation);
- isc_event_free(&event);
UNLOCK(&res->buckets[bucketnum].lock);
INSIST(fctx->validator == NULL);
fctx->validator = ISC_LIST_HEAD(fctx->validators);
@@ -5942,8 +5933,7 @@ validated(isc_task_t *task, isc_event_t *event) {
fctx_try(fctx, true, true); /* Locks bucket. */
}
- dns_message_detach(&message);
- return;
+ goto cleanup_event;
}
if (negative) {
@@ -6057,19 +6047,15 @@ validated(isc_task_t *task, isc_event_t *event) {
}
if (sentresponse) {
- bool bucket_empty = false;
/*
* If we only deferred the destroy because we wanted to cache
* the data, destroy now.
*/
dns_db_detachnode(fctx->cache, &node);
if (SHUTTINGDOWN(fctx)) {
- bucket_empty = maybe_destroy(fctx, true);
+ maybe_destroy(fctx, true);
}
UNLOCK(&res->buckets[bucketnum].lock);
- if (bucket_empty) {
- empty_bucket(res);
- }
goto cleanup_event;
}
@@ -6210,6 +6196,13 @@ cleanup_event:
INSIST(node == NULL);
dns_message_detach(&message);
isc_event_free(&event);
+
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+ bucket_empty = fctx_decreference(fctx);
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+ if (bucket_empty) {
+ empty_bucket(res);
+ }
}
static void
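Review bot: The `UNLOCK` in the added `cleanup_event` tail reads `fctx->bucketnum` after `fctx_decreference(fctx)` has run. The definition of fctx_decreference is outside this patch, but the commit message describes the new reference as what keeps the fetch context from being destroyed, so if this call drops the last reference and frees it, the unlock dereferences freed memory. Earlier hunks of validated() unlock through the local `bucketnum`, and the tail can do the same: `LOCK(&res->buckets[bucketnum].lock);` and `UNLOCK(&res->buckets[bucketnum].lock);`. `res` is already a local copy, so nothing needs to be read from `fctx` after the decrement. validated() starts outside this hunk, so the assignment of `bucketnum` should be confirmed there.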
--
2.23.0


@ -1,150 +0,0 @@
From 61d77affdd39a352de5f386dc08818174fbaa781 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 15 Jun 2022 10:27:41 +0000
Subject: [PATCH] Remove resolver.c:maybe_destroy()
After refactoring of `validated()`, the `maybe_destroy()` function is
no longer expected to actually destroy the fetch context when it is
being called, so effectively it only ensures that the validators are
canceled when the context has no more queries and pending events, but
that is redundant, because `maybe_destroy()` `REQUIRE`s that the context
should be in the shutting down state, and the function which sets that
state is already canceling the validators in its own turn.
As a failsafe, to make sure that no validators will be created after
`fctx_doshutdown()` is called, add an early return from `valcreate()` if
the context is in the shutting down state.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/61d77affdd39a352de5f386dc08818174fbaa781
---
lib/dns/resolver.c | 73 +++++-----------------------------------------
1 file changed, 7 insertions(+), 66 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index e8899d2457..15297024c0 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -641,8 +641,6 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
dns_rdataset_t *ardataset, isc_result_t *eresultp);
static void
validated(isc_task_t *task, isc_event_t *event);
-static bool
-maybe_destroy(fetchctx_t *fctx, bool locked);
static void
add_bad(fetchctx_t *fctx, dns_message_t *rmessage, dns_adbaddrinfo_t *addrinfo,
isc_result_t reason, badnstype_t badtype);
@@ -902,14 +900,16 @@ valcreate(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo,
dns_rdataset_t *sigrdataset, unsigned int valoptions,
isc_task_t *task) {
dns_validator_t *validator = NULL;
- dns_valarg_t *valarg;
+ dns_valarg_t *valarg = NULL;
isc_result_t result;
+ if (SHUTTINGDOWN(fctx)) {
+ return (ISC_R_SHUTTINGDOWN);
+ }
+
valarg = isc_mem_get(fctx->mctx, sizeof(*valarg));
+ *valarg = (dns_valarg_t){ .fctx = fctx, .addrinfo = addrinfo };
- valarg->fctx = fctx;
- valarg->addrinfo = addrinfo;
- valarg->message = NULL;
dns_message_attach(message, &valarg->message);
if (!ISC_LIST_EMPTY(fctx->validators)) {
@@ -4434,7 +4434,6 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
LOCK(&res->buckets[bucketnum].lock);
if (SHUTTINGDOWN(fctx)) {
- maybe_destroy(fctx, true);
UNLOCK(&res->buckets[bucketnum].lock);
goto cleanup;
}
@@ -5679,58 +5678,6 @@ clone_results(fetchctx_t *fctx) {
#define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
#define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
-/*
- * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
- * no references and is no longer waiting for any events).
- *
- * Requires:
- * '*fctx' is shutting down.
- *
- * Returns:
- * true if the resolver is exiting and this is the last fctx in the bucket.
- */
-static bool
-maybe_destroy(fetchctx_t *fctx, bool locked) {
- unsigned int bucketnum;
- bool bucket_empty = false;
- dns_resolver_t *res = fctx->res;
- dns_validator_t *validator, *next_validator;
- bool dodestroy = false;
-
- bucketnum = fctx->bucketnum;
- if (!locked) {
- LOCK(&res->buckets[bucketnum].lock);
- }
-
- REQUIRE(SHUTTINGDOWN(fctx));
-
- if (fctx->pending != 0 || fctx->nqueries != 0) {
- goto unlock;
- }
-
- for (validator = ISC_LIST_HEAD(fctx->validators); validator != NULL;
- validator = next_validator)
- {
- next_validator = ISC_LIST_NEXT(validator, link);
- dns_validator_cancel(validator);
- }
-
- if (isc_refcount_current(&fctx->references) == 0 &&
- ISC_LIST_EMPTY(fctx->validators))
- {
- bucket_empty = fctx_unlink(fctx);
- dodestroy = true;
- }
-unlock:
- if (!locked) {
- UNLOCK(&res->buckets[bucketnum].lock);
- }
- if (dodestroy) {
- fctx_destroy(fctx);
- }
- return (bucket_empty);
-}
-
/*
* The validator has finished.
*/
@@ -5807,12 +5754,9 @@ validated(isc_task_t *task, isc_event_t *event) {
sentresponse = ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
/*
- * If shutting down, ignore the results. Check to see if we're
- * done waiting for validator completions and ADB pending events; if
- * so, destroy the fctx.
+ * If shutting down, ignore the results.
*/
if (SHUTTINGDOWN(fctx) && !sentresponse) {
- maybe_destroy(fctx, true);
UNLOCK(&res->buckets[bucketnum].lock);
goto cleanup_event;
}
@@ -6052,9 +5996,6 @@ validated(isc_task_t *task, isc_event_t *event) {
* the data, destroy now.
*/
dns_db_detachnode(fctx->cache, &node);
- if (SHUTTINGDOWN(fctx)) {
- maybe_destroy(fctx, true);
- }
UNLOCK(&res->buckets[bucketnum].lock);
goto cleanup_event;
}
--
2.23.0


@ -1,64 +0,0 @@
From 16ac79a8f720a917b0f787178905a8df56d4d557 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 1 Jul 2022 11:40:37 +1000
Subject: [PATCH] Check for overflow in $GENERATE computations
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour. Detect these conditions and return a
range error.
(cherry picked from commit 5327b9708fd0e5d0d6c95183cca9eafb4a1cfe05)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/16ac79a8f720a917b0f787178905a8df56d4d557
---
.../checkzone/zones/bad-generate-range.db | 18 ++++++++++++++++++
lib/dns/master.c | 7 +++++++
2 files changed, 25 insertions(+)
create mode 100644 bin/tests/system/checkzone/zones/bad-generate-range.db
diff --git a/bin/tests/system/checkzone/zones/bad-generate-range.db b/bin/tests/system/checkzone/zones/bad-generate-range.db
new file mode 100644
index 0000000000..62a9e15684
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-range.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; 2147483647 + 1 overflows what can be represented in an 'int'
+$GENERATE 1-1 host$ TXT foo${2147483647}
diff --git a/lib/dns/master.c b/lib/dns/master.c
index e1ba723104..e938b15a0e 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -735,6 +735,13 @@ genname(char *name, int it, char *buffer, size_t length) {
continue;
}
}
+ /*
+ * 'it' is >= 0 so we don't need to check for
+ * underflow.
+ */
+ if ((it > 0 && delta > INT_MAX - it)) {
+ return (ISC_R_RANGE);
+ }
if (nibblemode) {
n = nibbles(numbuf, sizeof(numbuf), width,
mode[0], it + delta);
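Review bot: The added guard relies on the comment's claim that `it` is never negative, but nothing in this hunk enforces it, and with a negative `it` and a negative `delta` the later `it + delta` could still overflow downwards. Folding the assumption into the condition keeps the check self-contained and drops the doubled parentheses: `if (it < 0 || delta > INT_MAX - it) {`. An `INSIST(it >= 0);` before the test would be the alternative if a negative `it` is a programming error rather than bad input. The new zone file only exercises the `INT_MAX + 1` case, and genname() begins and ends outside the hunk, so whether callers already bound `it` cannot be confirmed from here.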
--
2.23.0


@ -1,161 +0,0 @@
From d10e20da0dbd6d6438d55a5e9c6e22cee70aec20 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 1 Jul 2022 11:13:51 +1000
Subject: [PATCH] Tighten $GENERATE directive parsing
The original sscanf processing allowed for a number of syntax errors
to be accepted. This included missing the closing brace in
${modifiers}
Look for both comma and right brace as intermediate separators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}. Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.
(cherry picked from commit 7be64c0e94c967c0014a0b960a495c4fb05f1fc2)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d10e20da0dbd6d6438d55a5e9c6e22cee70aec20
---
.../checkzone/zones/bad-generate-garbage.db | 17 ++++++++++
.../zones/bad-generate-missing-brace.db | 17 ++++++++++
.../checkzone/zones/good-generate-modifier.db | 20 +++++++++++
lib/dns/master.c | 33 ++++++++++++-------
4 files changed, 76 insertions(+), 11 deletions(-)
create mode 100644 bin/tests/system/checkzone/zones/bad-generate-garbage.db
create mode 100644 bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
create mode 100644 bin/tests/system/checkzone/zones/good-generate-modifier.db
diff --git a/bin/tests/system/checkzone/zones/bad-generate-garbage.db b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
new file mode 100644
index 0000000000..0d66e753b6
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-garbage.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,dgarbagegarbage}
diff --git a/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
new file mode 100644
index 0000000000..314583e71a
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1000
diff --git a/bin/tests/system/checkzone/zones/good-generate-modifier.db b/bin/tests/system/checkzone/zones/good-generate-modifier.db
new file mode 100644
index 0000000000..3c811d60e0
--- /dev/null
+++ b/bin/tests/system/checkzone/zones/good-generate-modifier.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,d}
+$GENERATE 8-9 host$ A 1.2.3.${1,0}
+$GENERATE 10-11 host$ A 1.2.3.${1}
+$GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x}
diff --git a/lib/dns/master.c b/lib/dns/master.c
index e938b15a0e..1ad658b7f4 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -683,7 +683,10 @@ genname(char *name, int it, char *buffer, size_t length) {
char fmt[sizeof("%04000000000d")];
char numbuf[128];
char *cp;
- char mode[2];
+ char mode[2] = { 0 };
+ char brace[2] = { 0 };
+ char comma1[2] = { 0 };
+ char comma2[2] = { 0 };
int delta = 0;
isc_textregion_t r;
unsigned int n;
@@ -708,23 +711,31 @@ genname(char *name, int it, char *buffer, size_t length) {
strlcpy(fmt, "%d", sizeof(fmt));
/* Get format specifier. */
if (*name == '{') {
- n = sscanf(name, "{%d,%u,%1[doxXnN]}", &delta,
- &width, mode);
- switch (n) {
- case 1:
- break;
- case 2:
+ n = sscanf(name,
+ "{%d%1[,}]%u%1[,}]%1[doxXnN]%1[}]",
+ &delta, comma1, &width, comma2, mode,
+ brace);
+ if (n < 2 || n > 6) {
+ return (DNS_R_SYNTAX);
+ }
+ if (comma1[0] == '}') {
+ /* %{delta} */
+ } else if (comma1[0] == ',' && comma2[0] == '}')
+ {
+ /* %{delta,width} */
n = snprintf(fmt, sizeof(fmt), "%%0%ud",
width);
- break;
- case 3:
+ } else if (comma1[0] == ',' &&
+ comma2[0] == ',' && mode[0] != 0 &&
+ brace[0] == '}')
+ {
+ /* %{delta,width,format} */
if (mode[0] == 'n' || mode[0] == 'N') {
nibblemode = true;
}
n = snprintf(fmt, sizeof(fmt),
"%%0%u%c", width, mode[0]);
- break;
- default:
+ } else {
return (DNS_R_SYNTAX);
}
if (n >= sizeof(fmt)) {
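Review bot: The rewritten `sscanf` call still converts the modifier numbers with bare `%d` and `%u`, and the C standard leaves the behaviour undefined when the digits do not fit the target type, so an over-long delta or width in a zone file reaches that conversion before any of the new brace and comma checks run. One small option is a field width on both conversions, `"{%9d%1[,}]%9u%1[,}]%1[doxXnN]%1[}]"`, which makes an over-long number fail the following `%1[,}]` match and return `DNS_R_SYNTAX`. That would probably change the error reported for the 10-digit case in `bad-generate-range.db` from a range error to a syntax error, so parsing with `strtol`/`strtoul` and checking `ERANGE` is the alternative if the distinction matters. Separately, `n` is `unsigned int`, so an `EOF` return is only rejected because it wraps above 6; a comment such as `/* EOF wraps to UINT_MAX and is rejected by n > 6 */` would make that intentional.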
--
2.23.0


@ -1,39 +0,0 @@
From 88751da1145e1bbc4ed32fd100184f3f0d7e2ad1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 15 Feb 2022 14:44:29 +0100
Subject: [PATCH] Add UV_RUNTIME_CHECK() macro to print uv_strerror()
When libuv functions fail, they return the correct return value, which could
be useful for more detailed debugging. Currently, we usually just check
whether the return value is 0 and invoke an assertion error if it isn't,
throwing away the details of why the call has failed. Unfortunately, this
often happens on more exotic platforms.
Add a UV_RUNTIME_CHECK() macro that can be used to print a more detailed
error message (via uv_strerror()) before ending the execution of the
program abruptly with the assertion.
(cherry picked from commit 62e15bb06db5e7d209e8c20d7bdb1501df7dfba8)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/88751da1145e1bbc4ed32fd100184f3f0d7e2ad1
---
lib/isc/netmgr/netmgr-int.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 326535c..23bc2a2 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -1607,3 +1607,9 @@ isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult);
* changed in the future.
*/
#define STREAM_CLIENTS_PER_CONN 23
+
+#define UV_RUNTIME_CHECK(func, ret) \
+ if (ret != 0) { \
+ isc_error_fatal(__FILE__, __LINE__, "%s failed: %s\n", #func, \
+ uv_strerror(ret)); \
+ }
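Review bot: `UV_RUNTIME_CHECK` expands to a bare `if (...) { ... }`, so using it as the body of an unbraced `if` that has an `else` silently rebinds the `else` to the macro's own `if`, and the trailing `;` at the call site becomes an empty statement. The macro also uses `ret` unparenthesised and evaluates it twice, so passing a call expression instead of a variable would run the call again on the failure path. Wrapping the body as `do { if ((ret) != 0) { ... } } while (0)` fixes the statement shape and the precedence. A one-line comment saying that `ret` must be a side-effect-free expression would cover the double evaluation.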
--
2.27.0


@ -1,88 +0,0 @@
From ed4eda5ebc77c08b7ef1e6c94bea373c00c903c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 17 May 2022 21:31:37 +0200
Subject: [PATCH] Move setting the sock->write_timeout to the async_*send
Setting the sock->write_timeout from the TCP, TCPDNS, and TLSDNS send
functions could lead to a (harmless) data race when setting the value for
the first time if the isc_nm_send() function is called from a
thread not matching the socket we are sending to. Move the setting of
sock->write_timeout to the matching async function, which is always
called from the matching thread.
(cherry picked from commit 61117840c18778e69e3073cc01dbea579271a014)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/ed4eda5ebc77c08b7ef1e6c94bea373c00c903c8
---
lib/isc/netmgr/tcp.c | 14 +++++++-------
lib/isc/netmgr/tcpdns.c | 15 ++++++++-------
2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index a8d1dba6d4..eaad8da7c6 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -1083,13 +1083,6 @@ isc__nm_tcp_send(isc_nmhandle_t *handle, const isc_region_t *region,
uvreq->cb.send = cb;
uvreq->cbarg = cbarg;
- if (sock->write_timeout == 0) {
- sock->write_timeout =
- (atomic_load(&sock->keepalive)
- ? atomic_load(&sock->mgr->keepalive)
- : atomic_load(&sock->mgr->idle));
- }
-
ievent = isc__nm_get_netievent_tcpsend(sock->mgr, sock, uvreq);
isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
@@ -1134,6 +1127,13 @@ isc__nm_async_tcpsend(isc__networker_t *worker, isc__netievent_t *ev0) {
REQUIRE(sock->tid == isc_nm_tid());
UNUSED(worker);
+ if (sock->write_timeout == 0) {
+ sock->write_timeout =
+ (atomic_load(&sock->keepalive)
+ ? atomic_load(&sock->mgr->keepalive)
+ : atomic_load(&sock->mgr->idle));
+ }
+
result = tcp_send_direct(sock, uvreq);
if (result != ISC_R_SUCCESS) {
isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]);
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index e287f0a282..6f513b49ce 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -1088,13 +1088,6 @@ isc__nm_tcpdns_send(isc_nmhandle_t *handle, isc_region_t *region,
uvreq->cb.send = cb;
uvreq->cbarg = cbarg;
- if (sock->write_timeout == 0) {
- sock->write_timeout =
- (atomic_load(&sock->keepalive)
- ? atomic_load(&sock->mgr->keepalive)
- : atomic_load(&sock->mgr->idle));
- }
-
ievent = isc__nm_get_netievent_tcpdnssend(sock->mgr, sock, uvreq);
isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
@@ -1141,6 +1134,14 @@ isc__nm_async_tcpdnssend(isc__networker_t *worker, isc__netievent_t *ev0) {
isc_result_t result;
isc_nmsocket_t *sock = ievent->sock;
isc__nm_uvreq_t *uvreq = ievent->req;
+
+ if (sock->write_timeout == 0) {
+ sock->write_timeout =
+ (atomic_load(&sock->keepalive)
+ ? atomic_load(&sock->mgr->keepalive)
+ : atomic_load(&sock->mgr->idle));
+ }
+
uv_buf_t bufs[2] = { { .base = uvreq->tcplen, .len = 2 },
{ .base = uvreq->uvbuf.base,
.len = uvreq->uvbuf.len } };
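Review bot: In `isc__nm_async_tcpdnssend` the `write_timeout` initialisation is placed between the local declarations, ahead of the `bufs` declaration and before any thread assertion visible in this hunk, whereas the `tcp.c` hunk adds the same block after `REQUIRE(sock->tid == isc_nm_tid())`. Since the move is only safe because the async handler runs on the socket's own thread, the write should follow that assertion here as well, so that a call from the wrong thread aborts before `sock` is touched. Moving the block below the function's `REQUIRE` lines (presumably just after this hunk; they are not shown) would also keep declarations and statements separate, as the rest of the function appears to do.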
--
2.23.0


@ -93,12 +93,11 @@ Date: Wed Mar 7 10:44:23 2018 +0100
bin/tests/system/upforwd/tests.sh | 2 +- bin/tests/system/upforwd/tests.sh | 2 +-
33 files changed, 162 insertions(+), 108 deletions(-) 33 files changed, 162 insertions(+), 108 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 60f22e1..249f672 100644 index 745048a..93cb411 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in --- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in +++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -33,12 +33,12 @@ options { @@ -35,12 +35,12 @@ options {
}; };
key one { key one {
@ -114,10 +113,10 @@ index 60f22e1..249f672 100644
}; };
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
index ada97bc..f82d858 100644 index 21aa991..78e71cc 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in --- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in +++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -33,12 +33,12 @@ options { @@ -35,12 +35,12 @@ options {
}; };
key one { key one {
@ -133,10 +132,10 @@ index ada97bc..f82d858 100644
}; };
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
index 97684e4..de6a2e9 100644 index 3208c92..bed6325 100644
--- a/bin/tests/system/acl/ns2/named3.conf.in --- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in +++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -33,17 +33,17 @@ options { @@ -35,17 +35,17 @@ options {
}; };
key one { key one {
@ -158,28 +157,9 @@ index 97684e4..de6a2e9 100644
}; };
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
index 462b3fa..994b35c 100644 index 14e82ed..a22cafe 100644
--- a/bin/tests/system/acl/ns2/named4.conf.in --- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in +++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -33,12 +33,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index 728da58..8f00d09 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -35,12 +35,12 @@ options { @@ -35,12 +35,12 @@ options {
}; };
@ -195,11 +175,30 @@ index 728da58..8f00d09 100644
secret "1234abcd8765"; secret "1234abcd8765";
}; };
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index f43f33c..f4a865a 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -37,12 +37,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index be59d64..13d5bdc 100644 index e30569e..edd2155 100644
--- a/bin/tests/system/acl/tests.sh --- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" @@ -24,14 +24,14 @@ echo_i "testing basic ACL processing"
# key "one" should fail # key "one" should fail
t=`expr $t + 1` t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \ $DIG $DIGOPTS tsigzone. \
@ -216,7 +215,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
copy_setports ns2/named2.conf.in ns2/named.conf copy_setports ns2/named2.conf.in ns2/named.conf
@@ -39,18 +39,18 @@ sleep 5 @@ -41,18 +41,18 @@ sleep 5
# prefix 10/8 should fail # prefix 10/8 should fail
t=`expr $t + 1` t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \ $DIG $DIGOPTS tsigzone. \
@ -238,7 +237,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
echo_i "testing nested ACL processing" echo_i "testing nested ACL processing"
@@ -62,31 +62,31 @@ sleep 5 @@ -64,31 +64,31 @@ sleep 5
# should succeed # should succeed
t=`expr $t + 1` t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \ $DIG $DIGOPTS tsigzone. \
@ -275,7 +274,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1` t=`expr $t + 1`
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 @@ -99,7 +99,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
# and other values? right out # and other values? right out
t=`expr $t + 1` t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \ $DIG $DIGOPTS tsigzone. \
@ -284,7 +283,7 @@ index be59d64..13d5bdc 100644
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
@@ -108,31 +108,31 @@ sleep 5 @@ -110,31 +110,31 @@ sleep 5
# should succeed # should succeed
t=`expr $t + 1` t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \ $DIG $DIGOPTS tsigzone. \
@ -322,10 +321,10 @@ index be59d64..13d5bdc 100644
echo_i "testing allow-query-on ACL processing" echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index 7d43e36..f7b25f9 100644 index b91d19a..7d777c2 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in --- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in +++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -10,7 +10,7 @@ @@ -12,7 +12,7 @@
*/ */
key one { key one {
@ -335,10 +334,10 @@ index 7d43e36..f7b25f9 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 2952518..121557e 100644 index 308c4ca..00f6f40 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in --- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in +++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -10,12 +10,12 @@ @@ -12,12 +12,12 @@
*/ */
key one { key one {
@ -354,10 +353,10 @@ index 2952518..121557e 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index 0c01071..ceabbb5 100644 index 6b0fe55..491e514 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in --- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in +++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -10,7 +10,7 @@ @@ -12,7 +12,7 @@
*/ */
key one { key one {
@ -367,10 +366,10 @@ index 0c01071..ceabbb5 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index 4c17292..9cd9d1f 100644 index aefc474..7c06596 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in --- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in +++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -10,7 +10,7 @@ @@ -12,7 +12,7 @@
*/ */
key one { key one {
@ -380,10 +379,10 @@ index 4c17292..9cd9d1f 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index a2690a4..f488730 100644 index 27eccc2..eecb990 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in --- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in +++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -10,12 +10,12 @@ @@ -12,12 +12,12 @@
*/ */
key one { key one {
@ -399,10 +398,10 @@ index a2690a4..f488730 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index a0708c8..51fa457 100644 index adbb203..744d122 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in --- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in +++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -10,7 +10,7 @@ @@ -12,7 +12,7 @@
*/ */
key one { key one {
@ -412,10 +411,10 @@ index a0708c8..51fa457 100644
}; };
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index 687768e..d24d6d2 100644 index 364f94b..9518f82 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in --- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in +++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; @@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
acl badaccept { 10.53.0.1; }; acl badaccept { 10.53.0.1; };
key one { key one {
@ -431,10 +430,10 @@ index 687768e..d24d6d2 100644
}; };
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index fe40635..543c663 100644 index 41c7bb7..9d121b3 100644
--- a/bin/tests/system/allow-query/tests.sh --- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh +++ b/bin/tests/system/allow-query/tests.sh
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 @@ -184,7 +184,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed" echo_i "test $n: key allowed - query allowed"
ret=0 ret=0
@ -443,7 +442,7 @@ index fe40635..543c663 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 @@ -197,7 +197,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused" echo_i "test $n: key not allowed - query refused"
ret=0 ret=0
@ -452,7 +451,7 @@ index fe40635..543c663 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 @@ -210,7 +210,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused" echo_i "test $n: key disallowed - query refused"
ret=0 ret=0
@ -461,7 +460,7 @@ index fe40635..543c663 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 @@ -343,7 +343,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed" echo_i "test $n: views key allowed - query allowed"
ret=0 ret=0
@ -470,7 +469,7 @@ index fe40635..543c663 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 @@ -356,7 +356,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused" echo_i "test $n: views key not allowed - query refused"
ret=0 ret=0
@ -479,7 +478,7 @@ index fe40635..543c663 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 @@ -369,7 +369,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused" echo_i "test $n: views key disallowed - query refused"
ret=0 ret=0
@ -488,7 +487,7 @@ index fe40635..543c663 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -500,7 +500,7 @@ status=`expr $status + $ret` @@ -502,7 +502,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "test $n: zone key allowed - query allowed" echo_i "test $n: zone key allowed - query allowed"
ret=0 ret=0
@ -497,7 +496,7 @@ index fe40635..543c663 100644
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -510,7 +510,7 @@ status=`expr $status + $ret` @@ -512,7 +512,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "test $n: zone key not allowed - query refused" echo_i "test $n: zone key not allowed - query refused"
ret=0 ret=0
@ -506,7 +505,7 @@ index fe40635..543c663 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -520,7 +520,7 @@ status=`expr $status + $ret` @@ -522,7 +522,7 @@ status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
echo_i "test $n: zone key disallowed - query refused" echo_i "test $n: zone key disallowed - query refused"
ret=0 ret=0
@ -515,33 +514,11 @@ index fe40635..543c663 100644
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 1218669..e62715e 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -61,5 +61,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
index 30333e6..4005152 100644
--- a/bin/tests/system/catz/ns2/named.conf.in
+++ b/bin/tests/system/catz/ns2/named.conf.in
@@ -70,5 +70,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
index 21be03e..e57c308 100644 index 4af25b0..9f202d5 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf --- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf +++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -11,7 +11,7 @@ @@ -13,7 +13,7 @@
/* Bad secret */ /* Bad secret */
key "badtsig" { key "badtsig" {
@ -551,10 +528,10 @@ index 21be03e..e57c308 100644
}; };
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index e09b9e8..2e824b3 100644 index 0ecdb68..90b8ab3 100644
--- a/bin/tests/system/checkconf/good.conf --- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf
@@ -210,6 +210,6 @@ dyndb "name" "library.so" { @@ -284,6 +284,6 @@ dyndb "name" "library.so" {
system; system;
}; };
key "mykey" { key "mykey" {
@ -563,10 +540,10 @@ index e09b9e8..2e824b3 100644
secret "qwertyuiopasdfgh"; secret "qwertyuiopasdfgh";
}; };
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 877504f..577660a 100644 index 161a80c..c386200 100644
--- a/bin/tests/system/feature-test.c --- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c
@@ -14,6 +14,7 @@ @@ -17,6 +17,7 @@
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
@ -574,7 +551,7 @@ index 877504f..577660a 100644
#include <isc/net.h> #include <isc/net.h>
#include <isc/print.h> #include <isc/print.h>
#include <isc/util.h> #include <isc/util.h>
@@ -186,6 +187,19 @@ main(int argc, char **argv) { @@ -195,6 +196,19 @@ main(int argc, char **argv) {
#endif /* ifdef DLZ_FILESYSTEM */ #endif /* ifdef DLZ_FILESYSTEM */
} }
@ -595,10 +572,10 @@ index 877504f..577660a 100644
#ifdef HAVE_LIBIDN2 #ifdef HAVE_LIBIDN2
return (0); return (0);
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index 1ee8df4..2b75d9a 100644 index 5cab276..d4a7bf3 100644
--- a/bin/tests/system/notify/ns5/named.conf.in --- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in +++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -10,17 +10,17 @@ @@ -12,17 +12,17 @@
*/ */
key "a" { key "a" {
@ -620,10 +597,10 @@ index 1ee8df4..2b75d9a 100644
}; };
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 3d7e0b7..ec4d9a7 100644 index c02654e..0453a87 100644
--- a/bin/tests/system/notify/tests.sh --- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh
@@ -212,16 +212,16 @@ ret=0 @@ -214,16 +214,16 @@ ret=0
$NSUPDATE << EOF $NSUPDATE << EOF
server 10.53.0.5 ${PORT} server 10.53.0.5 ${PORT}
zone x21 zone x21
@ -644,10 +621,10 @@ index 3d7e0b7..ec4d9a7 100644
grep "test string" dig.out.b.ns5.test$n > /dev/null && grep "test string" dig.out.b.ns5.test$n > /dev/null &&
grep "test string" dig.out.c.ns5.test$n > /dev/null && grep "test string" dig.out.c.ns5.test$n > /dev/null &&
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index b51e700..436c97d 100644 index a5cc36d..7bb8923 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in --- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -37,7 +37,7 @@ controls { @@ -40,7 +40,7 @@ controls {
}; };
key altkey { key altkey {
@ -657,10 +634,10 @@ index b51e700..436c97d 100644
}; };
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
index da6b3b4..c547e47 100644 index f1a1735..da2b3d1 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in --- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in +++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -32,7 +32,7 @@ controls { @@ -34,7 +34,7 @@ controls {
}; };
key altkey { key altkey {
@ -670,10 +647,10 @@ index da6b3b4..c547e47 100644
}; };
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index c055da3..4e1242b 100644 index c9a756e..fac39d4 100644
--- a/bin/tests/system/nsupdate/setup.sh --- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh
@@ -56,7 +56,11 @@ EOF @@ -73,7 +73,11 @@ EOF
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
@ -687,11 +664,11 @@ index c055da3..4e1242b 100644
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b35d797..41c128e 100755 index 67ffc27..c554a3f 100755
--- a/bin/tests/system/nsupdate/tests.sh --- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh
@@ -797,7 +797,14 @@ fi @@ -852,7 +852,14 @@ fi
n=`expr $n + 1` n=$((n + 1))
ret=0 ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)" echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do -for alg in md5 sha1 sha224 sha256 sha384 sha512; do
@ -706,7 +683,7 @@ index b35d797..41c128e 100755
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1 $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT} server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3 update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -805,7 +812,7 @@ send @@ -860,7 +867,7 @@ send
END END
done done
sleep 2 sleep 2
@ -715,8 +692,8 @@ index b35d797..41c128e 100755
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done done
if [ $ret -ne 0 ]; then if [ $ret -ne 0 ]; then
@@ -816,7 +823,7 @@ fi @@ -871,7 +878,7 @@ fi
n=`expr $n + 1` n=$((n + 1))
ret=0 ret=0
echo_i "check TSIG key algorithms (nsupdate -y) ($n)" echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do -for alg in md5 sha1 sha224 sha256 sha384 sha512; do
@ -724,7 +701,7 @@ index b35d797..41c128e 100755
secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1 $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT} server 10.53.0.1 ${PORT}
@@ -825,7 +832,7 @@ send @@ -880,7 +887,7 @@ send
END END
done done
sleep 2 sleep 2
@ -734,10 +711,10 @@ index b35d797..41c128e 100755
done done
if [ $ret -ne 0 ]; then if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index b59e7a7..04d5f5a 100644 index e7df6e4..7292818 100644
--- a/bin/tests/system/rndc/setup.sh --- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh +++ b/bin/tests/system/rndc/setup.sh
@@ -33,7 +33,7 @@ make_key () { @@ -40,7 +40,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
} }
@ -747,10 +724,10 @@ index b59e7a7..04d5f5a 100644
make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256 make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 9fd84ed..d0b188f 100644 index 43e89d3..c2ee158 100644
--- a/bin/tests/system/rndc/tests.sh --- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi @@ -351,15 +351,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1` n=`expr $n + 1`
@ -781,10 +758,10 @@ index 9fd84ed..d0b188f 100644
n=`expr $n + 1` n=`expr $n + 1`
echo_i "testing rndc with hmac-sha1 ($n)" echo_i "testing rndc with hmac-sha1 ($n)"
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 3470c4f..cf539cd 100644 index 76cf970..22637af 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in --- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in +++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -21,10 +21,7 @@ options { @@ -23,10 +23,7 @@ options {
notify no; notify no;
}; };
@ -796,7 +773,7 @@ index 3470c4f..cf539cd 100644
key "sha1" { key "sha1" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@@ -51,10 +48,7 @@ key "sha512" { @@ -53,10 +50,7 @@ key "sha512" {
algorithm hmac-sha512; algorithm hmac-sha512;
}; };
@ -808,27 +785,11 @@ index 3470c4f..cf539cd 100644
key "sha1-trunc" { key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index e3b4a45..ae21d04 100644 index 6020947..c8b69d0 100644
--- a/bin/tests/system/tsig/setup.sh --- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh +++ b/bin/tests/system/tsig/setup.sh
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. @@ -17,3 +17,8 @@ SYSTEMTESTTOP=..
$SHELL clean.sh $SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns1/named.conf.in ns1/named.conf
@ -838,10 +799,10 @@ index e3b4a45..ae21d04 100644
+ cat ns1/rndc5.conf.in >> ns1/named.conf + cat ns1/rndc5.conf.in >> ns1/named.conf
+fi +fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 38d842a..668aa6f 100644 index 02199e6..bbc39ab 100644
--- a/bin/tests/system/tsig/tests.sh --- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh +++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f @@ -28,20 +28,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
status=0 status=0
@ -852,6 +813,13 @@ index 38d842a..668aa6f 100644
-if [ $ret -eq 1 ] ; then -if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1 - echo_i "failed"; status=1
-fi -fi
-
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5 +if $FEATURETEST --md5
+then +then
+ echo_i "fetching using hmac-md5 (old form)" + echo_i "fetching using hmac-md5 (old form)"
@ -861,13 +829,7 @@ index 38d842a..668aa6f 100644
+ if [ $ret -eq 1 ] ; then + if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1 + echo_i "failed"; status=1
+ fi + fi
+
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+ echo_i "fetching using hmac-md5 (new form)" + echo_i "fetching using hmac-md5 (new form)"
+ ret=0 + ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
@ -880,7 +842,7 @@ index 38d842a..668aa6f 100644
fi fi
echo_i "fetching using hmac-sha1" echo_i "fetching using hmac-sha1"
@@ -87,12 +92,17 @@ fi @@ -89,12 +94,17 @@ fi
# Truncated TSIG # Truncated TSIG
# #
# #
@ -904,7 +866,7 @@ index 38d842a..668aa6f 100644
fi fi
echo_i "fetching using hmac-sha1 (trunc)" echo_i "fetching using hmac-sha1 (trunc)"
@@ -141,12 +151,17 @@ fi @@ -143,12 +153,17 @@ fi
# Check for bad truncation. # Check for bad truncation.
# #
# #
@ -929,10 +891,10 @@ index 38d842a..668aa6f 100644
echo_i "fetching using hmac-sha1-80 (BADTRUNC)" echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 3873c7c..b359a5a 100644 index c2b57dd..cb13aa1 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in --- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in +++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -10,7 +10,7 @@ @@ -12,7 +12,7 @@
*/ */
key "update.example." { key "update.example." {
@ -942,18 +904,18 @@ index 3873c7c..b359a5a 100644
}; };
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index a50c896..8062d68 100644 index 35c5588..c71042c 100644
--- a/bin/tests/system/upforwd/tests.sh --- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh +++ b/bin/tests/system/upforwd/tests.sh
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi @@ -81,7 +81,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "updating zone (signed) ($n)" echo_i "updating zone (signed) ($n)"
ret=0 ret=0
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1 -$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1 +$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
local 10.53.0.1
server 10.53.0.3 ${PORT} server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1 update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
-- --
2.26.2 2.26.2


@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind Name: bind
License: MPLv2.0 License: MPLv2.0
Version: 9.16.37 Version: 9.16.37
Release: 3 Release: 4
Epoch: 32 Epoch: 32
Url: https://www.isc.org/downloads/bind/ Url: https://www.isc.org/downloads/bind/
# #
@ -67,14 +67,17 @@ Patch2:bind-9.10-dist-native-pkcs11.patch
Patch3: bind-9.11-kyua-pkcs11.patch Patch3: bind-9.11-kyua-pkcs11.patch
# Common patches # Common patches
Patch10: bind-9.5-PIE.patch Patch10: bind-9.5-PIE.patch
Patch16: bind-9.16-redhat_doc.patch Patch11: bind-9.16-redhat_doc.patch
Patch72: bind-9.5-dlz-64bit.patch Patch12: bind-9.5-dlz-64bit.patch
Patch106:bind93-rh490837.patch Patch13: bind93-rh490837.patch
Patch112:bind97-rh645544.patch Patch14: bind97-rh645544.patch
Patch130:bind-9.9.1-P2-dlz-libdb.patch Patch15: bind-9.9.1-P2-dlz-libdb.patch
Patch16: bind-9.11-fips-tests.patch
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689
Patch164:bind-9.11-rh1666814.patch Patch17: bind-9.11-rh1666814.patch
Patch165:bind-9.18-zt-include-rwlock.patch Patch18: bind-9.18-zt-include-rwlock.patch
Patch6001: CVE-2022-2906.patch
Patch9000: bugfix-limit-numbers-of-test-threads.patch Patch9000: bugfix-limit-numbers-of-test-threads.patch
@ -1086,6 +1089,12 @@ fi;
%endif %endif
%changelog %changelog
* Tue Feb 14 2023 zhanghao<zhanghao383@huawei.com> - 32:9.16.37-4
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:fix two patch from 9.16.23 and delete useless Patches
* Mon Feb 13 2023 zhanghao<zhanghao383@huawei.com> - 32:9.16.37-3 * Mon Feb 13 2023 zhanghao<zhanghao383@huawei.com> - 32:9.16.37-3
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
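Review bot: The renumbered patch tags in the second hunk are not matched by any visible change to `%prep`: `Patch16` now names `bind-9.11-fips-tests.patch` where it named `bind-9.16-redhat_doc.patch` before, and the three hunks shown for this file cover only the header fields, the patch list and `%changelog`. If `%prep` applies patches by number rather than through `%autosetup`, the old numbers 72, 106, 112, 130, 164 and 165 no longer exist and `%patch16` would apply a different patch than before, so the build would fail or the MD5/FIPS test changes would be applied in place of the documentation patch; this needs confirming against the `%prep` section, which is not shown. `Patch6001: CVE-2022-2906.patch` is printed only once in this view, so its side is unclear, but if it is being added, the new changelog entry's `- CVE:NA` should name it, for example `- CVE:CVE-2022-2906`. A comment above the list such as `# Patch11-Patch18 renumbered in 32:9.16.37-4; keep %prep in sync` would help the next maintainer.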