rpms
/
bind
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i9c
rpms:c9
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:i8c
rpms:c8
rpms:i8c-beta
rpms:c8-beta
rpms:c9-beta
...
pull from: rpms:i10c-beta
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i9c
rpms:c9
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:i8c
rpms:c8
rpms:i8c-beta
rpms:c8-beta
rpms:c9-beta

No commits in common. 'c9' and 'i10c-beta' have entirely different histories.
c9 ... i10c-beta

70 changed files with 750 additions and 21923 deletions
Show Stats

2
.bind.metadata
Unescape View File

@ -1 +1 @@
30cbd1f3e9d2d47d653498143334128aac1f8fc0 SOURCES/bind-9.16.23.tar.xz e202ef1583ef39f1af0d3a9cb1e6f6adbc4a2314 SOURCES/bind-9.18.21.tar.xz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/bind-9.16.23.tar.xz SOURCES/bind-9.18.21.tar.xz

550
SOURCES/bind-9.10-dist-native-pkcs11.patch
Unescape View File

@ -1,550 +0,0 @@
From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Jan 2021 10:46:20 +0100
Subject: [PATCH] Enable custom pkcs11 native build
Share common parts like libisc, libcc and others. But provide native
pkcs11 libraries as a new copy of libdns and libns.
---
bin/Makefile.in | 2 +-
bin/confgen/Makefile.in | 2 +-
bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
bin/named-pkcs11/Makefile.in | 33 ++++++++++++++-------------
configure.ac | 19 ++++++++++++++++
lib/Makefile.in | 2 +-
lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
lib/dns-pkcs11/tests/Makefile.in | 8 +++----
lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
make/includes.in | 7 ++++++
11 files changed, 101 insertions(+), 71 deletions(-)
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 9ad7f62..094775a 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,7 +11,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
TARGETS =
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index c126bf3..1b7512d 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-CDEFINES = @USE_PKCS11@
+CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index ace0e5a..e0f6a00 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+# Add suffix to all targets
+EXEEXT = -pkcs11@EXEEXT@
+
# Alphabetically
-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-verify@EXEEXT@
+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
+ dnssec-verify${EXEEXT}
OBJS = dnssectool.@O@
@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
@BIND9_MAKE_RULES@
-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 98125dd..518a75f 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
+# Skip building on PKCS11 variant
+DLZDRIVER_OBJS =
+DLZDRIVER_SRCS =
+DLZDRIVER_INCLUDES =
+DLZDRIVER_LIBS =
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${NS_INCLUDES} ${DNS_INCLUDES} \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
${DBDRIVER_INCLUDES} \
@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LIBXML2_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @CONTRIB_DLZ@
+CDEFINES =
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-NSLIBS = ../../lib/ns/libns.@A@
+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-NSDEPLIBS = ../../lib/ns/libns.@A@
+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ feature-test@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
GEOIP2LINKOBJS = geoip.@O@
@@ -151,7 +152,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-c ${top_srcdir}/bin/tests/system/feature-test.c
-feature-test@EXEEXT@: feature-test.@O@
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
-install:: named@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/configure.ac b/configure.ac
index 032228b..64e3da0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
#
AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-lmdb specified?
@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
AC_SUBST(BIND9_NS_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
if test "X$srcdir" != "X"; then
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
else
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
@@ -2343,6 +2349,8 @@ else
BIND9_NS_BUILDINCLUDE=""
BIND9_BIND9_BUILDINCLUDE=""
BIND9_IRS_BUILDINCLUDE=""
+ BIND9_DNS_PKCS11_BUILDINCLUDE=""
+ BIND9_NS_PKCS11_BUILDINCLUDE=""
fi
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
+ bin/dnssec-pkcs11/Makefile
bin/named/Makefile
bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/plugins/Makefile
@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
+ lib/dns-pkcs11/Makefile
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
lib/ns/include/Makefile
lib/ns/include/ns/Makefile
lib/ns/tests/Makefile
+ lib/ns-pkcs11/Makefile
+ lib/ns-pkcs11/include/Makefile
+ lib/ns-pkcs11/include/ns/Makefile
+ lib/ns-pkcs11/tests/Makefile
make/Makefile
make/mkdep
unit/unittest.sh
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 833964e..058ba2f 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns ns isccfg bind9 irs
+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 58bda3c..d6a45df 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
${ISC_INCLUDES} \
${FSTRM_CFLAGS} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
${LMDB_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @USE_GSSAPI@
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
CWARNINGS =
@@ -135,15 +135,15 @@ version.@O@: version.c
-DMAPAPI=\"${MAPAPI}\" \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -174,22 +174,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
touch timestamp
-testdirs: libdns.@A@
+testdirs: libdns-pkcs11.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 3bb5e01..c96fe7d 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../libdns.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
index bc683ce..7a9d2f2 100644
--- a/lib/ns-pkcs11/Makefile.in
+++ b/lib/ns-pkcs11/Makefile.in
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
${FSTRM_CFLAGS}
-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
CWARNINGS =
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
LIBS = @LIBS@
@@ -60,28 +60,28 @@ version.@O@: version.c
-DMAJOR=\"${MAJOR}\" \
-c ${srcdir}/version.c
-libns.@SA@: ${OBJS}
+libns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libns.la: ${OBJS}
+libns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
-release "${VERSION}" \
- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-timestamp: libns.@A@
+timestamp: libns-pkcs11.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
clean distclean::
- rm -f libns.@A@ timestamp
+ rm -f libns-pkcs11.@A@ timestamp
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
index 4c3e694..c1b6d99 100644
--- a/lib/ns-pkcs11/tests/Makefile.in
+++ b/lib/ns-pkcs11/tests/Makefile.in
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
${OPENSSL_CFLAGS} \
@CMOCKA_CFLAGS@
-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
-DNSDEPLIBS = ../../dns/libdns.@A@
-NSLIBS = ../libns.@A@
-NSDEPLIBS = ../libns.@A@
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
+NSLIBS = ../libns-pkcs11.@A@
+NSDEPLIBS = ../libns-pkcs11.@A@
LIBS = @LIBS@ @CMOCKA_LIBS@
diff --git a/make/includes.in b/make/includes.in
index b8317d3..b73b0c4 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
+
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/ns-pkcs11/include
+
--
2.26.3

70
SOURCES/bind-9.11-feature-test-named.patch
Unescape View File

@ -1,70 +0,0 @@
From e9e7069ede766fa5c881517bdae74e2fc6682398 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 30 Jan 2019 14:37:17 +0100
Subject: [PATCH] Create feature-test in source directory
Feature-test tool is used in system tests to test compiled in changes.
Because we build more variants of named with different configuration,
compile feature-test for each of them this way.
Make gsstsig test supported
---
bin/named/Makefile.in | 14 ++++++++++++--
bin/tests/system/conf.sh.in | 2 +-
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index debb906adc..dd894fe934 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -56,7 +56,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LIBXML2_CFLAGS} \
${MAXMINDDB_CFLAGS}
-CDEFINES = @CONTRIB_DLZ@
+CDEFINES = @USE_GSSAPI@ @CONTRIB_DLZ@
CWARNINGS =
@@ -93,7 +93,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@
+TARGETS = named@EXEEXT@ feature-test@EXEEXT@
GEOIP2LINKOBJS = geoip.@O@
@@ -156,6 +156,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS}
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
+# Bit of hack, do not produce intermediate .o object for featuretest
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
+
+feature-test@EXEEXT@: feature-test.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
+
+
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 9a61622143..f69c5be334 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -38,7 +38,7 @@ DELV=$TOP/bin/delv/delv
DIG=$TOP/bin/dig/dig
DNSTAPREAD=$TOP/bin/tools/dnstap-read
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
-FEATURETEST=$TOP/bin/tests/system/feature-test
+FEATURETEST=$TOP/bin/named/feature-test
FSTRM_CAPTURE=@FSTRM_CAPTURE@
HOST=$TOP/bin/dig/host
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
--
2.45.2

959
SOURCES/bind-9.11-fips-tests.patch
Unescape View File

@ -1,959 +0,0 @@
From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 2 Aug 2018 23:46:45 +0200
Subject: [PATCH] FIPS tests changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Squashed commit of the following:
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 20:35:13 2018 +0100
Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
commit ab303db70082db76ecf36493d0b82ef3e8750cad
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 18:11:10 2018 +0100
Changed root key to be RSASHA256
Change bad trusted key to be the same algorithm.
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 16:56:17 2018 +0100
Change used key to not use hmac-md5
Fix upforwd test, do not use hmac-md5
commit aec891571626f053acfb4d0a247240cbc21a84e9
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 15:54:11 2018 +0100
Increase bitsize of DSA key to pass FIPS 140-2 mode.
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 15:41:08 2018 +0100
Fix tsig and rndc tests for disabled md5
Use hmac-sha256 instead of hmac-md5.
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 13:21:00 2018 +0100
Add md5 availability detection to featuretest
commit f389a918803e2853e4b55fed62765dc4a492e34f
Author: Petr Menšík <pemensik@redhat.com>
Date: Wed Mar 7 10:44:23 2018 +0100
Change tests to not use hmac-md5 algorithms if not required
Use hmac-sha256 instead of default hmac-md5 for allow-query
---
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
bin/tests/system/acl/ns2/named3.conf.in | 6 +-
bin/tests/system/acl/ns2/named4.conf.in | 4 +-
bin/tests/system/acl/ns2/named5.conf.in | 4 +-
bin/tests/system/acl/tests.sh | 32 ++++-----
.../system/allow-query/ns2/named10.conf.in | 2 +-
.../system/allow-query/ns2/named11.conf.in | 4 +-
.../system/allow-query/ns2/named12.conf.in | 2 +-
.../system/allow-query/ns2/named30.conf.in | 2 +-
.../system/allow-query/ns2/named31.conf.in | 4 +-
.../system/allow-query/ns2/named32.conf.in | 2 +-
.../system/allow-query/ns2/named40.conf.in | 4 +-
bin/tests/system/allow-query/tests.sh | 18 ++---
bin/tests/system/catz/ns1/named.conf.in | 2 +-
bin/tests/system/catz/ns2/named.conf.in | 2 +-
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
bin/tests/system/checkconf/good.conf | 2 +-
bin/tests/system/feature-test.c | 14 ++++
bin/tests/system/notify/ns5/named.conf.in | 6 +-
bin/tests/system/notify/tests.sh | 6 +-
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
bin/tests/system/nsupdate/setup.sh | 6 +-
bin/tests/system/nsupdate/tests.sh | 15 +++--
bin/tests/system/rndc/setup.sh | 2 +-
bin/tests/system/rndc/tests.sh | 23 ++++---
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
bin/tests/system/tsig/setup.sh | 5 ++
bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
bin/tests/system/upforwd/tests.sh | 2 +-
33 files changed, 162 insertions(+), 108 deletions(-)
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
index 60f22e1..249f672 100644
--- a/bin/tests/system/acl/ns2/named1.conf.in
+++ b/bin/tests/system/acl/ns2/named1.conf.in
@@ -33,12 +33,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
index ada97bc..f82d858 100644
--- a/bin/tests/system/acl/ns2/named2.conf.in
+++ b/bin/tests/system/acl/ns2/named2.conf.in
@@ -33,12 +33,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
index 97684e4..de6a2e9 100644
--- a/bin/tests/system/acl/ns2/named3.conf.in
+++ b/bin/tests/system/acl/ns2/named3.conf.in
@@ -33,17 +33,17 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key three {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
index 462b3fa..994b35c 100644
--- a/bin/tests/system/acl/ns2/named4.conf.in
+++ b/bin/tests/system/acl/ns2/named4.conf.in
@@ -33,12 +33,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
index 728da58..8f00d09 100644
--- a/bin/tests/system/acl/ns2/named5.conf.in
+++ b/bin/tests/system/acl/ns2/named5.conf.in
@@ -35,12 +35,12 @@ options {
};
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index be59d64..13d5bdc 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
# key "one" should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# any other key should be fine
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
copy_setports ns2/named2.conf.in ns2/named.conf
@@ -39,18 +39,18 @@ sleep 5
# prefix 10/8 should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# any other address should work, as long as it sends key "one"
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
echo_i "testing nested ACL processing"
@@ -62,31 +62,31 @@ sleep 5
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# but only one or the other should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1`
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
# and other values? right out
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
@@ -108,31 +108,31 @@ sleep 5
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
echo_i "testing allow-query-on ACL processing"
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
index 7d43e36..f7b25f9 100644
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
@@ -10,7 +10,7 @@
*/
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
index 2952518..121557e 100644
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
@@ -10,12 +10,12 @@
*/
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
index 0c01071..ceabbb5 100644
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
@@ -10,7 +10,7 @@
*/
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
index 4c17292..9cd9d1f 100644
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
@@ -10,7 +10,7 @@
*/
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
index a2690a4..f488730 100644
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
@@ -10,12 +10,12 @@
*/
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
index a0708c8..51fa457 100644
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
@@ -10,7 +10,7 @@
*/
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
index 687768e..d24d6d2 100644
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
acl badaccept { 10.53.0.1; };
key one {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234abcd8765";
};
key two {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "1234efgh8765";
};
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
index fe40635..543c663 100644
--- a/bin/tests/system/allow-query/tests.sh
+++ b/bin/tests/system/allow-query/tests.sh
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
echo_i "test $n: views key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: zone key allowed - query allowed"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: zone key not allowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: zone key disallowed - query refused"
ret=0
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 1218669..e62715e 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -61,5 +61,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
index 30333e6..4005152 100644
--- a/bin/tests/system/catz/ns2/named.conf.in
+++ b/bin/tests/system/catz/ns2/named.conf.in
@@ -70,5 +70,5 @@ zone "catalog4.example" {
key tsig_key. {
secret "LSAnCU+Z";
- algorithm hmac-md5;
+ algorithm hmac-sha256;
};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
index 21be03e..e57c308 100644
--- a/bin/tests/system/checkconf/bad-tsig.conf
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -11,7 +11,7 @@
/* Bad secret */
key "badtsig" {
- algorithm hmac-md5;
+ algorithm hmac-sha256;
secret "jEdD+BPKg==";
};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index e09b9e8..2e824b3 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
system;
};
key "mykey" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret "qwertyuiopasdfgh";
};
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 877504f..577660a 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -14,6 +14,7 @@
#include <string.h>
#include <unistd.h>
+#include <isc/md.h>
#include <isc/net.h>
#include <isc/print.h>
#include <isc/util.h>
@@ -186,6 +187,19 @@ main(int argc, char **argv) {
#endif /* ifdef DLZ_FILESYSTEM */
}
+ if (strcmp(argv[1], "--md5") == 0) {
+ unsigned char digest[ISC_MAX_MD_SIZE];
+ const unsigned char test[] = "test";
+ unsigned int size = sizeof(digest);
+
+ if (isc_md(ISC_MD_MD5, test, sizeof(test),
+ digest, &size) == ISC_R_SUCCESS) {
+ return (0);
+ } else {
+ return (1);
+ }
+ }
+
if (strcmp(argv[1], "--with-idn") == 0) {
#ifdef HAVE_LIBIDN2
return (0);
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
index 1ee8df4..2b75d9a 100644
--- a/bin/tests/system/notify/ns5/named.conf.in
+++ b/bin/tests/system/notify/ns5/named.conf.in
@@ -10,17 +10,17 @@
*/
key "a" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret "aaaaaaaaaaaaaaaaaaaa";
};
key "b" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret "bbbbbbbbbbbbbbbbbbbb";
};
key "c" {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret "cccccccccccccccccccc";
};
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 3d7e0b7..ec4d9a7 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -212,16 +212,16 @@ ret=0
$NSUPDATE << EOF
server 10.53.0.5 ${PORT}
zone x21
-key a aaaaaaaaaaaaaaaaaaaa
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
update add added.x21 0 in txt "test string"
send
EOF
for i in 1 2 3 4 5 6 7 8 9
do
- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
txt > dig.out.b.ns5.test$n || ret=1
- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
txt > dig.out.c.ns5.test$n || ret=1
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index b51e700..436c97d 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -37,7 +37,7 @@ controls {
};
key altkey {
- algorithm hmac-md5;
+ algorithm hmac-sha512;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
index da6b3b4..c547e47 100644
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
@@ -32,7 +32,7 @@ controls {
};
key altkey {
- algorithm hmac-md5;
+ algorithm hmac-sha512;
secret "1234abcd8765";
};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index c055da3..4e1242b 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -56,7 +56,11 @@ EOF
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+if $FEATURETEST --md5; then
+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+else
+ echo -n > ns1/md5.key
+fi
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b35d797..41c128e 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -797,7 +797,14 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+if $FEATURETEST --md5
+then
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
+else
+ ALGS="sha1 sha224 sha256 sha384 sha512"
+ echo_i "skipping disabled md5 algorithm"
+fi
+for alg in $ALGS; do
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
update add ${alg}.keytests.nil. 600 A 10.10.10.3
@@ -805,7 +812,7 @@ send
END
done
sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
@@ -816,7 +823,7 @@ fi
n=`expr $n + 1`
ret=0
echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
server 10.53.0.1 ${PORT}
@@ -825,7 +832,7 @@ send
END
done
sleep 2
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
+for alg in $ALGS; do
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
done
if [ $ret -ne 0 ]; then
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index b59e7a7..04d5f5a 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -33,7 +33,7 @@ make_key () {
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
}
-make_key 1 ${EXTRAPORT1} hmac-md5
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
make_key 2 ${EXTRAPORT2} hmac-sha1
make_key 3 ${EXTRAPORT3} hmac-sha224
make_key 4 ${EXTRAPORT4} hmac-sha256
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
index 9fd84ed..d0b188f 100644
--- a/bin/tests/system/rndc/tests.sh
+++ b/bin/tests/system/rndc/tests.sh
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "testing rndc with hmac-md5 ($n)"
-ret=0
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
-for i in 2 3 4 5 6
-do
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+if $FEATURETEST --md5
+then
+ echo_i "testing rndc with hmac-md5 ($n)"
+ ret=0
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+ for i in 2 3 4 5 6
+ do
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+else
+ echo_i "skipping rndc with hmac-md5 ($n)"
+fi
n=`expr $n + 1`
echo_i "testing rndc with hmac-sha1 ($n)"
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
index 3470c4f..cf539cd 100644
--- a/bin/tests/system/tsig/ns1/named.conf.in
+++ b/bin/tests/system/tsig/ns1/named.conf.in
@@ -21,10 +21,7 @@ options {
notify no;
};
-key "md5" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5;
-};
+# md5 key appended by setup.sh at the end
key "sha1" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
@@ -51,10 +48,7 @@ key "sha512" {
algorithm hmac-sha512;
};
-key "md5-trunc" {
- secret "97rnFx24Tfna4mHPfgnerA==";
- algorithm hmac-md5-80;
-};
+# md5-trunc key appended by setup.sh at the end
key "sha1-trunc" {
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
new file mode 100644
index 0000000..0682194
--- /dev/null
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
@@ -0,0 +1,10 @@
+# Conditionally included when support for MD5 is available
+key "md5" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5;
+};
+
+key "md5-trunc" {
+ secret "97rnFx24Tfna4mHPfgnerA==";
+ algorithm hmac-md5-80;
+};
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index e3b4a45..ae21d04 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
+
+if $FEATURETEST --md5
+then
+ cat ns1/rndc5.conf.in >> ns1/named.conf
+fi
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 38d842a..668aa6f 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
status=0
-echo_i "fetching using hmac-md5 (old form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
-fi
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (old form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+ echo_i "fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
fi
echo_i "fetching using hmac-sha1"
@@ -87,12 +92,17 @@ fi
# Truncated TSIG
#
#
-echo_i "fetching using hmac-md5 (trunc)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (trunc)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5 (trunc)"
fi
echo_i "fetching using hmac-sha1 (trunc)"
@@ -141,12 +151,17 @@ fi
# Check for bad truncation.
#
#
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
fi
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
index 3873c7c..b359a5a 100644
--- a/bin/tests/system/upforwd/ns1/named.conf.in
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
@@ -10,7 +10,7 @@
*/
key "update.example." {
- algorithm "hmac-md5";
+ algorithm "hmac-sha256";
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index a50c896..8062d68 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "updating zone (signed) ($n)"
ret=0
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
--
2.26.2

58
SOURCES/bind-9.11-kyua-pkcs11.patch
Unescape View File

@ -1,58 +0,0 @@
From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index d80ae31..0fb9328 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
+ lib/dns-pkcs11/tests/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Kyuafile b/lib/Kyuafile
index 39ce986..037e5ef 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,8 +2,10 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
+include('dns-pkcs11/Kyuafile')
include('irs/Kyuafile')
include('isc/Kyuafile')
include('isccc/Kyuafile')
include('isccfg/Kyuafile')
include('ns/Kyuafile')
+include('ns-pkcs11/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 934e8fd..658d1af 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
}
--
2.20.1

29
SOURCES/bind-9.11-rh1666814.patch
Unescape View File

@ -1,29 +0,0 @@
From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 16 Jan 2019 16:27:33 +0100
Subject: [PATCH] Fix possible crash when loading corrupted file
Some values passes internal triggers by coincidence. Fix the check and
check also first_node_offset before even passing it further.
---
lib/dns/rbt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 5aee5f6..7f2c2d2 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
header->first_node_offset);
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
+ || header->first_node_offset > filesize) {
+
result = ISC_R_INVALIDFILE;
goto cleanup;
}
--
2.31.1

65
SOURCES/bind-9.11-tests-variants.patch
Unescape View File

@ -1,65 +0,0 @@
From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 1 Mar 2019 15:48:20 +0100
Subject: [PATCH] Make alternative named builds testable in system tests
Red Hat has alternative variant builds of named, which are not ever
tested by system tests. New variables make it relatively easy to test
alternative variants.
For sdb variant use:
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
For pkcs variant use:
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
---
bin/tests/system/conf.sh.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index d859909..9152f07 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
DELV=$TOP/bin/delv/delv
DIG=$TOP/bin/dig/dig
DNSTAPREAD=$TOP/bin/tools/dnstap-read
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
-FEATURETEST=$TOP/bin/named/feature-test
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
FSTRM_CAPTURE=@FSTRM_CAPTURE@
HOST=$TOP/bin/dig/host
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
JOURNALPRINT=$TOP/bin/tools/named-journalprint
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
KEYMGR=$TOP/bin/python/dnssec-keymgr
MDIG=$TOP/bin/tools/mdig
-NAMED=$TOP/bin/named/named
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
NSEC3HASH=$TOP/bin/tools/nsec3hash
NSLOOKUP=$TOP/bin/dig/nslookup
NSUPDATE=$TOP/bin/nsupdate/nsupdate
@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
RESOLVE=$TOP/bin/tests/system/resolve
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
RNDC=$TOP/bin/rndc/rndc
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
RRCHECKER=$TOP/bin/tools/named-rrchecker
-SETTIME=$TOP/bin/dnssec/dnssec-settime
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
VERIFY=$TOP/bin/dnssec/dnssec-verify
WIRETEST=$TOP/bin/tests/wire_test
--
2.26.3

83
SOURCES/bind-9.14-config-pkcs11.patch
Unescape View File

@ -1,83 +0,0 @@
From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 18 Oct 2019 21:30:52 +0200
Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
Building two variants with the same common code requires to unset
USE_PKCS11 on part of build. That is not possible with config.h value.
Move it as normal define to CDEFINES.
---
bin/confgen/Makefile.in | 2 +-
configure.ac | 8 ++++++--
lib/dns/dst_internal.h | 12 +++++++++---
3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 1b7512d..c126bf3 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-CDEFINES =
+CDEFINES = @USE_PKCS11@
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
diff --git a/configure.ac b/configure.ac
index f5483fe..08a7d8a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
AC_SUBST([PKCS11_TOOLS])
AC_SUBST([PKCS11_MANS])
+USE_PKCS11='-DUSE_PKCS11=0'
+USE_OPENSSL='-DUSE_OPENSSL=0'
AC_SUBST([CRYPTO])
AS_CASE([$CRYPTO],
- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
+ [USE_OPENSSL='-DUSE_OPENSSL=1'])
+AC_SUBST(USE_PKCS11)
+AC_SUBST(USE_OPENSSL)
# preparation for automake
# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 2c3b4a3..55e9dc4 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -38,6 +38,13 @@
#include <isc/stdtime.h>
#include <isc/types.h>
+#ifndef USE_PKCS11
+#define USE_PKCS11 0
+#endif
+#ifndef USE_OPENSSL
+#define USE_OPENSSL (! USE_PKCS11)
+#endif
+
#if USE_PKCS11
#include <pk11/pk11.h>
#include <pk11/site.h>
@@ -116,11 +123,10 @@ struct dst_key {
void *generic;
dns_gss_ctx_id_t gssctx;
DH *dh;
-#if USE_OPENSSL
- EVP_PKEY *pkey;
-#endif /* if USE_OPENSSL */
#if USE_PKCS11
pk11_object_t *pkey;
+#else
+ EVP_PKEY *pkey;
#endif /* if USE_PKCS11 */
dst_hmac_key_t *hmac_key;
} keydata; /*%< pointer to key in crypto pkg fmt */
--
2.26.2

1144
SOURCES/bind-9.16-CVE-2021-25220-test.patch
View File

File diff suppressed because it is too large Load Diff

251
SOURCES/bind-9.16-CVE-2021-25220.patch
Unescape View File

@ -1,251 +0,0 @@
From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 19 Jan 2022 17:38:18 +1100
Subject: [PATCH] Add additional name checks when using a forwarder
When using a forwarder, check that the owner name of response
records are within the bailiwick of the forwarded name space.
(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
Check that the forward declaration is unchanged and not overridden
If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.
(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
Check cached names for possible "forward only" clause
When caching additional and glue data *not* from a forwarder, we must
check that there is no "forward only" clause covering the owner name
that would take precedence. Such names would normally be allowed by
baliwick rules, but a "forward only" zone introduces a new baliwick
scope.
(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
Look for zones deeper than the current domain or forward name
When caching glue, we need to ensure that there is no closer
source of truth for the name. If the owner name for the glue
record would be answered by a locally configured zone, do not
cache.
(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
---
lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 123 insertions(+), 5 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a7bc661bb7..7603a07b7b 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -63,6 +63,8 @@
#include <dns/stats.h>
#include <dns/tsig.h>
#include <dns/validator.h>
+#include <dns/zone.h>
+
#ifdef WANT_QUERYTRACE
#define RTRACE(m) \
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
@@ -337,6 +339,8 @@ struct fetchctx {
dns_fetch_t *qminfetch;
dns_rdataset_t qminrrset;
dns_name_t qmindcname;
+ dns_fixedname_t fwdfname;
+ dns_name_t *fwdname;
/*%
* The number of events we're waiting for.
@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
if (result == ISC_R_SUCCESS) {
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
fctx->fwdpolicy = forwarders->fwdpolicy;
+ dns_name_copynf(domain, fctx->fwdname);
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
isstrictsubdomain(domain, &fctx->domain))
{
@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
fctx->restarts = 0;
fctx->querysent = 0;
fctx->referrals = 0;
+
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
+
TIME_NOW(&fctx->start);
fctx->timeouts = 0;
fctx->lamecount = 0;
@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
fname, &forwarders);
if (result == ISC_R_SUCCESS) {
fctx->fwdpolicy = forwarders->fwdpolicy;
+ dns_name_copynf(fname, fctx->fwdname);
}
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
}
}
+/*
+ * Returns true if 'name' is external to the namespace for which
+ * the server being queried can answer, either because it's not a
+ * subdomain or because it's below a forward declaration or a
+ * locally served zone.
+ */
+static inline bool
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_forwarders_t *forwarders = NULL;
+ dns_fixedname_t fixed, zfixed;
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
+ dns_name_t *apex = NULL;
+ dns_name_t suffix;
+ dns_zone_t *zone = NULL;
+ unsigned int labels;
+ dns_namereln_t rel;
+
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+
+ /*
+ * The name is outside the queried namespace.
+ */
+ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
+ &(unsigned int){ 0U });
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
+ return (true);
+ }
+
+ /*
+ * If the record lives in the parent zone, adjust the name so we
+ * look for the correct zone or forward clause.
+ */
+ labels = dns_name_countlabels(name);
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
+ dns_name_init(&suffix, NULL);
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+ name = &suffix;
+ } else if (rel == dns_namereln_equal) {
+ /* If 'name' is 'apex', no further checking is needed. */
+ return (false);
+ }
+
+ /*
+ * If there is a locally served zone between 'apex' and 'name'
+ * then don't cache.
+ */
+ LOCK(&fctx->res->view->lock);
+ if (fctx->res->view->zonetable != NULL) {
+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
+ zfname, &zone);
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
+ &(unsigned int){ 0U }) ==
+ dns_namereln_subdomain)
+ {
+ UNLOCK(&fctx->res->view->lock);
+ return (true);
+ }
+ }
+ }
+ UNLOCK(&fctx->res->view->lock);
+
+ /*
+ * Look for a forward declaration below 'name'.
+ */
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+ &forwarders);
+
+ if (ISFORWARDER(fctx->addrinfo)) {
+ /*
+ * See if the forwarder declaration is better.
+ */
+ if (result == ISC_R_SUCCESS) {
+ return (!dns_name_equal(fname, fctx->fwdname));
+ }
+
+ /*
+ * If the lookup failed, the configuration must have
+ * changed: play it safe and don't cache.
+ */
+ return (true);
+ } else if (result == ISC_R_SUCCESS &&
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
+ {
+ /*
+ * If 'name' is covered by a 'forward only' clause then we
+ * can't cache this repsonse.
+ */
+ return (true);
+ }
+
+ return (false);
+}
+
static isc_result_t
check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
dns_section_t section) {
@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
result = dns_message_findname(rctx->query->rmessage, section, addname,
dns_rdatatype_any, 0, &name, NULL);
if (result == ISC_R_SUCCESS) {
- external = !dns_name_issubdomain(name, &fctx->domain);
+ external = name_external(name, type, fctx);
if (type == dns_rdatatype_a) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
break;
case dns_namereln_subdomain:
+ /*
+ * Don't accept DNAME from parent namespace.
+ */
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
+ continue;
+ }
+
/*
* In-scope DNAME records must have at least
* as many labels as the domain being queried.
@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
DNS_SECTION_AUTHORITY);
while (!done && result == ISC_R_SUCCESS) {
dns_name_t *name = NULL;
- bool external;
dns_message_currentname(rctx->query->rmessage,
DNS_SECTION_AUTHORITY, &name);
- external = !dns_name_issubdomain(name, &fctx->domain);
- if (!external) {
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
dns_rdataset_t *rdataset = NULL;
/*
@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
}
if (!dns_name_issubdomain(name, &fctx->domain)) {
- /* Invalid name found; preserve it for logging later */
+ /*
+ * Invalid name found; preserve it for logging
+ * later.
+ */
rctx->found_name = name;
rctx->found_type = ISC_LIST_HEAD(name->list)->type;
continue;
--
2.34.1

81
SOURCES/bind-9.16-CVE-2022-0396.patch
Unescape View File

@ -1,81 +0,0 @@
From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 8 Feb 2022 12:42:34 +0100
Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
asynchronously to ensure correct order of multiple packets processing in
the isc__nm_process_sock_buffer(). When not run asynchronously, it
would cause:
a) out-of-order processing of the return codes from processbuffer();
b) stack growth because the next TCP DNS message read callback will
be called from within the current TCP DNS message read callback.
The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
sockets which calls isc__nm_process_sock_buffer(). If the read callback
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
attach to the nmhandle (f.e. because it wants to drop the processing or
we send the response directly via uv_try_write()), the
isc__nm_resume_processing() (via .closehandle_cb) would call
isc__nm_process_sock_buffer() recursively.
The below shortened code path shows how the stack can grow:
1: ns__client_request(handle, ...);
2: isc_nm_tcpdns_sequential(handle);
3: ns_query_start(client, handle);
4: query_lookup(qctx);
5: query_send(qctcx->client);
6: isc__nmhandle_detach(&client->reqhandle);
7: nmhandle_detach_cb(&handle);
8: sock->closehandle_cb(sock); // isc__nm_resume_processing
9: isc__nm_process_sock_buffer(sock);
10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
11: isc_nmhandle_attach(req->handle, &handle);
12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
13: isc__nm_async_readcb(NULL, ...);
14: uvreq->cb.recv(...); // ns__client_request
Instead, if 'sock->closehandle_cb' is set, we need to run detach the
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
the code flow above does not start this recursion. This ensures the
correct order when processing multiple packets in the function
'isc__nm_process_sock_buffer()' and prevents the stack growth.
When not run asynchronously, the out-of-order processing leaves the
first TCP socket open until all requests on the stream have been
processed.
If the pipelining is disabled on the TCP via `keep-response-order`
configuration option, named would keep the first socket in lingering
CLOSE_WAIT state when the client sends an incomplete packet and then
closes the connection from the client side.
(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
---
lib/isc/netmgr/netmgr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 3283eb6e4f..0ed3182fb6 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
handle = *handlep;
*handlep = NULL;
+ /*
+ * If the closehandle_cb is set, it needs to run asynchronously to
+ * ensure correct ordering of the isc__nm_process_sock_buffer().
+ */
sock = handle->sock;
- if (sock->tid == isc_nm_tid()) {
+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
nmhandle_detach_cb(&handle FLARG_PASS);
} else {
isc__netievent_detach_t *event =
--
2.34.1

60
SOURCES/bind-9.16-CVE-2022-2795.patch
Unescape View File

@ -1,60 +0,0 @@
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 8 Sep 2022 11:11:30 +0200
Subject: [PATCH] Bound the amount of work performed for delegations
Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered. Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.
The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
---
lib/dns/resolver.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d2cf14bbc8..73a0ee9f77 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -195,6 +195,12 @@
*/
#define NS_FAIL_LIMIT 4
#define NS_RR_LIMIT 5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
/* Number of hash buckets for zone counters */
#ifndef RES_DOMAIN_BUCKETS
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
bool need_alternate = false;
bool all_spilled = true;
unsigned int no_addresses = 0;
+ unsigned int ns_processed = 0;
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3902,6 +3909,11 @@ normal_nses:
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
+
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
return (result);
--
2.37.3

116
SOURCES/bind-9.16-CVE-2022-3080.patch
Unescape View File

@ -1,116 +0,0 @@
From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 20 Sep 2022 11:34:42 +0200
Subject: [PATCH 2/4] Fix CVE-2022-3080
5960. [security] Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query.
(CVE-2022-3080) [GL #3517]
---
lib/ns/include/ns/query.h | 1 +
lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
index 4d48cf6..34b3070 100644
--- a/lib/ns/include/ns/query.h
+++ b/lib/ns/include/ns/query.h
@@ -145,6 +145,7 @@ struct query_ctx {
bool authoritative; /* authoritative query? */
bool want_restart; /* CNAME chain or other
* restart needed */
+ bool refresh_rrset; /* stale RRset refresh needed */
bool need_wildcardproof; /* wildcard proof needed */
bool nxrewrite; /* negative answer from RPZ */
bool findcoveringnsec; /* lookup covering NSEC */
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 249321c..a450cb7 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
bool dbfind_stale = false;
bool stale_timeout = false;
bool stale_found = false;
- bool refresh_rrset = false;
bool stale_refresh_window = false;
CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
"%s stale answer used, an attempt to "
"refresh the RRset will still be made",
namebuf);
- refresh_rrset = STALE(qctx->rdataset);
- qctx->client->nodetach = refresh_rrset;
+ qctx->refresh_rrset = STALE(qctx->rdataset);
}
} else {
/*
@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
result = query_gotanswer(qctx, result);
- if (refresh_rrset) {
- /*
- * If we reached this point then it means that we have found a
- * stale RRset entry in cache and BIND is configured to allow
- * queries to be answered with stale data if no active RRset
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
- * still need to refresh the RRset.
- */
- query_refresh_rrset(qctx);
- }
-
cleanup:
return (result);
}
@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
/*
* On normal lookups, clear any rdatasets that were added on a
- * lookup due to stale-answer-client-timeout.
+ * lookup due to stale-answer-client-timeout. Do not clear if we
+ * are going to refresh the RRset, because the stale contents are
+ * prioritized.
*/
if (QUERY_STALEOK(&qctx->client->query) &&
- !QUERY_STALETIMEOUT(&qctx->client->query))
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
{
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
query_clear_stale(qctx->client);
/*
* We can clear the attribute to prevent redundant clearing
@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
/*
* Client may have been detached after query_send(), so
* we test and store the flag state here, for safety.
+ * If we are refreshing the RRSet, we must not detach from the client
+ * in the query_send(), so we need to override the flag.
*/
+ if (qctx->refresh_rrset) {
+ qctx->client->nodetach = true;
+ }
nodetach = qctx->client->nodetach;
query_send(qctx->client);
+
+ if (qctx->refresh_rrset) {
+ /*
+ * If we reached this point then it means that we have found a
+ * stale RRset entry in cache and BIND is configured to allow
+ * queries to be answered with stale data if no active RRset
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
+ * still need to refresh the RRset. To prevent adding duplicate
+ * RRsets, clear the RRsets from the message before doing the
+ * refresh.
+ */
+ message_clearrdataset(qctx->client->message, 0);
+ query_refresh_rrset(qctx);
+ }
+
if (!nodetach) {
qctx->detach_client = true;
}
--
2.37.3

240
SOURCES/bind-9.16-CVE-2022-3094-1.patch
Unescape View File

@ -1,240 +0,0 @@
From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 1 Sep 2022 16:05:04 -0700
Subject: [PATCH] add an update quota
limit the number of simultaneous DNS UPDATE events that can be
processed by adding a quota for update and update forwarding.
this quota currently, arbitrarily, defaults to 100.
also add a statistics counter to record when the update quota
has been exceeded.
(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
---
bin/named/bind9.xsl | 4 +++-
bin/named/bind9.xsl.h | 6 +++++-
bin/named/statschannel.c | 5 +++--
doc/arm/reference.rst | 5 +++++
lib/ns/include/ns/server.h | 1 +
lib/ns/include/ns/stats.h | 4 +++-
lib/ns/server.c | 2 ++
lib/ns/update.c | 37 ++++++++++++++++++++++++++++++++++++-
8 files changed, 58 insertions(+), 6 deletions(-)
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
index 5078115..194625b 100644
--- a/bin/named/bind9.xsl
+++ b/bin/named/bind9.xsl
@@ -12,7 +12,9 @@
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
<xsl:output method="html" indent="yes" version="4.0"/>
- <xsl:template match="statistics[@version=&quot;3.11&quot;]">
+ <!-- the version number **below** must match version in bin/named/statschannel.c -->
+ <!-- don't forget to update "/xml/v<STATS_XML_VERSION_MAJOR>" in the HTTP endpoints listed below -->
+ <xsl:template match="statistics[@version=&quot;3.11.1&quot;]">
<html>
<head>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
index e30f7f5..b182742 100644
--- a/bin/named/bind9.xsl.h
+++ b/bin/named/bind9.xsl.h
@@ -20,7 +20,11 @@ static char xslmsg[] =
"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
- " <xsl:template match=\"statistics[@version=&quot;3.11&quot;]\">\n"
+ " <!-- the version number **below** must match version in "
+ "bin/named/statschannel.c -->\n"
+ " <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
+ "the HTTP endpoints listed below -->\n"
+ " <xsl:template match=\"statistics[@version=&quot;3.11.1&quot;]\">\n"
" <html>\n"
" <head>\n"
" <script type=\"text/javascript\" "
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 832ce93..7361ead 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -335,6 +335,7 @@ init_desc(void) {
SET_NSSTATDESC(reclimitdropped,
"queries dropped due to recursive client limit",
"RecLimitDropped");
+ SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
INSIST(i == ns_statscounter_max);
@@ -2007,7 +2008,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
"href=\"/bind9.xsl\""));
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
- ISC_XMLCHAR "3.11"));
+ ISC_XMLCHAR "3.11.1"));
/* Set common fields for statistics dump */
dumparg.type = isc_statsformat_xml;
@@ -2876,7 +2877,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
/*
* These statistics are included no matter which URL we use.
*/
- obj = json_object_new_string("1.5");
+ obj = json_object_new_string("1.5.1");
CHECKMEM(obj);
json_object_object_add(bindstats, "json-stats-version", obj);
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 2d05aec..25c20d7 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6705,6 +6705,11 @@ Name Server Statistics Counters
``UpdateBadPrereq``
This indicates the number of dynamic updates rejected due to a prerequisite failure.
+``UpdateQuota``
+ This indicates the number of times a dynamic update or update
+ forwarding request was rejected because the number of pending
+ requests exceeded the update quota.
+
``RateDropped``
This indicates the number of responses dropped due to rate limits.
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index 6a1f345..0abb579 100644
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -84,6 +84,7 @@ struct ns_server {
isc_quota_t recursionquota;
isc_quota_t tcpquota;
isc_quota_t xfroutquota;
+ isc_quota_t updquota;
/*% Test options and other configurables */
uint32_t options;
diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
index 3c08799..95b15d0 100644
--- a/lib/ns/include/ns/stats.h
+++ b/lib/ns/include/ns/stats.h
@@ -106,7 +106,9 @@ enum {
ns_statscounter_reclimitdropped = 66,
- ns_statscounter_max = 67,
+ ns_statscounter_updatequota = 67,
+
+ ns_statscounter_max = 68,
};
void
diff --git a/lib/ns/server.c b/lib/ns/server.c
index a970a28..540bc2e 100644
--- a/lib/ns/server.c
+++ b/lib/ns/server.c
@@ -52,6 +52,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
isc_quota_init(&sctx->xfroutquota, 10);
isc_quota_init(&sctx->tcpquota, 10);
isc_quota_init(&sctx->recursionquota, 100);
+ isc_quota_init(&sctx->updquota, 100);
CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
@@ -131,6 +132,7 @@ ns_server_detach(ns_server_t **sctxp) {
isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
}
+ isc_quota_destroy(&sctx->updquota);
isc_quota_destroy(&sctx->recursionquota);
isc_quota_destroy(&sctx->tcpquota);
isc_quota_destroy(&sctx->xfroutquota);
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 546b70a..1871438 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
update_event_t *event = NULL;
isc_task_t *zonetask = NULL;
+ result = isc_quota_attach(&client->manager->sctx->updquota,
+ &(isc_quota_t *){ NULL });
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update failed: too many DNS UPDATEs queued (%s)",
+ isc_result_totext(result));
+ ns_stats_increment(client->manager->sctx->nsstats,
+ ns_statscounter_updatequota);
+ ns_client_drop(client, result);
+ isc_nmhandle_detach(&client->reqhandle);
+ return (DNS_R_DROP);
+ }
+
event = (update_event_t *)isc_event_allocate(
client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
sizeof(*event));
@@ -1676,12 +1689,18 @@ failure:
dns_zone_gettype(zone) == dns_zone_mirror);
inc_stats(client, zone, ns_statscounter_updaterej);
}
+
/*
* We failed without having sent an update event to the zone.
* We are still in the client task context, so we can
* simply give an error response without switching tasks.
*/
- respond(client, result);
+ if (result == DNS_R_DROP) {
+ ns_client_drop(client, result);
+ } else {
+ respond(client, result);
+ }
+
if (zone != NULL) {
dns_zone_detach(&zone);
}
@@ -3489,6 +3508,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
respond(client, uev->result);
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3505,6 +3525,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
INSIST(client->nupdates > 0);
client->nupdates--;
respond(client, DNS_R_SERVFAIL);
+
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3542,6 +3564,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
client->nupdates--;
ns_client_sendraw(client, uev->answer);
dns_message_detach(&uev->answer);
+
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3576,6 +3600,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
update_event_t *event = NULL;
isc_task_t *zonetask = NULL;
+ result = isc_quota_attach(&client->manager->sctx->updquota,
+ &(isc_quota_t *){ NULL });
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "update failed: too many DNS UPDATEs queued (%s)",
+ isc_result_totext(result));
+ ns_stats_increment(client->manager->sctx->nsstats,
+ ns_statscounter_updatequota);
+ return (DNS_R_DROP);
+ }
+
event = (update_event_t *)isc_event_allocate(
client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
sizeof(*event));
--
2.39.2

266
SOURCES/bind-9.16-CVE-2022-3094-2.patch
Unescape View File

@ -1,266 +0,0 @@
From 7fe2204a2e8952bf892e4a70fea2ef5167e1f509 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 1 Sep 2022 16:22:46 -0700
Subject: [PATCH] add a configuration option for the update quota
add an "update-quota" option to configure the update quota.
(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
---
bin/named/config.c | 1 +
bin/named/named.conf.rst | 9 +++++----
bin/named/server.c | 1 +
bin/tests/system/checkconf/good.conf | 1 +
doc/arm/reference.rst | 7 ++++++-
doc/man/named.conf.5in | 9 +++++----
doc/misc/master.zoneopt.rst | 2 +-
doc/misc/options | 1 +
doc/misc/options.active | 1 +
doc/misc/options.grammar.rst | 3 ++-
doc/misc/slave.zoneopt.rst | 2 +-
lib/isccfg/namedconf.c | 1 +
12 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index 5fedee84d9..494147015f 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -130,6 +130,7 @@ options {\n\
transfers-out 10;\n\
transfers-per-ns 2;\n\
trust-anchor-telemetry yes;\n\
+ update-quota 100;\n\
\n\
/* view */\n\
allow-new-zones no;\n\
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index 27eed5ca3e..4c9f9a7370 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -179,7 +179,7 @@ OPTIONS
answer-cookie boolean;
attach-cache string;
auth-nxdomain boolean; // default changed
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off );// deprecated
automatic-interface-scan boolean;
avoid-v4-udp-ports { portrange; ... };
avoid-v6-udp-ports { portrange; ... };
@@ -446,6 +446,7 @@ OPTIONS
trust-anchor-telemetry boolean; // experimental
try-tcp-refresh boolean;
update-check-ksk boolean;
+ update-quota integer;
use-alt-transfer-source boolean;
use-v4-udp-ports { portrange; ... };
use-v6-udp-ports { portrange; ... };
@@ -584,7 +585,7 @@ VIEW
* ) ] [ dscp integer ];
attach-cache string;
auth-nxdomain boolean; // default changed
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off );// deprecated
cache-file quoted_string;// deprecated
catalog-zones { zone string [ default-masters [ port integer ]
[ dscp integer ] { ( remote-servers | ipv4_address [ port
@@ -859,7 +860,7 @@ VIEW
integer | * ) ] [ dscp integer ];
alt-transfer-source-v6 ( ipv6_address | * ) [ port (
integer | * ) ] [ dscp integer ];
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off );// deprecated
check-dup-records ( fail | warn | ignore );
check-integrity boolean;
check-mx ( fail | warn | ignore );
@@ -977,7 +978,7 @@ ZONE
] [ dscp integer ];
alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
* ) ] [ dscp integer ];
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off );// deprecated
check-dup-records ( fail | warn | ignore );
check-integrity boolean;
check-mx ( fail | warn | ignore );
diff --git a/bin/named/server.c b/bin/named/server.c
index 20443ff8a9..78a21d62a2 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8542,6 +8542,7 @@ load_configuration(const char *filename, named_server_t *server,
configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota);
configure_server_quota(maps, "recursive-clients",
&server->sctx->recursionquota);
+ configure_server_quota(maps, "update-quota", &server->sctx->updquota);
max = isc_quota_getmax(&server->sctx->recursionquota);
if (max > 1000) {
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index b1f7059acf..0ecdb68e95 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -75,6 +75,7 @@ options {
recursive-clients 3000;
serial-query-rate 100;
server-id none;
+ update-quota 200;
check-names primary warn;
check-names secondary ignore;
max-cache-size 20000000000000;
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 2603d60251..703663d0ba 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3151,6 +3151,11 @@ system.
value as ``tcp-keepalive-timeout``. This value can be updated at
runtime by using ``rndc tcp-timeouts``.
+``update-quota``
+ This is the maximum number of simultaneous DNS UPDATE messages that
+ the server will accept for updating local authoritiative zones or
+ forwarding to a primary server. The default is ``100``.
+
.. _intervals:
Periodic Task Intervals
@@ -6840,7 +6845,7 @@ Name Server Statistics Counters
``UpdateQuota``
This indicates the number of times a dynamic update or update
forwarding request was rejected because the number of pending
- requests exceeded the update quota.
+ requests exceeded ``update-quota``.
``RateDropped``
This indicates the number of responses dropped due to rate limits.
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 4c46f47592..c87afa2881 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -231,7 +231,7 @@ options {
answer\-cookie boolean;
attach\-cache string;
auth\-nxdomain boolean; // default changed
- auto\-dnssec ( allow | maintain | off );
+ auto\-dnssec ( allow | maintain | off );// deprecated
automatic\-interface\-scan boolean;
avoid\-v4\-udp\-ports { portrange; ... };
avoid\-v6\-udp\-ports { portrange; ... };
@@ -498,6 +498,7 @@ options {
trust\-anchor\-telemetry boolean; // experimental
try\-tcp\-refresh boolean;
update\-check\-ksk boolean;
+ update\-quota integer;
use\-alt\-transfer\-source boolean;
use\-v4\-udp\-ports { portrange; ... };
use\-v6\-udp\-ports { portrange; ... };
@@ -668,7 +669,7 @@ view string [ class ] {
* ) ] [ dscp integer ];
attach\-cache string;
auth\-nxdomain boolean; // default changed
- auto\-dnssec ( allow | maintain | off );
+ auto\-dnssec ( allow | maintain | off );// deprecated
cache\-file quoted_string;// deprecated
catalog\-zones { zone string [ default\-masters [ port integer ]
[ dscp integer ] { ( remote\-servers | ipv4_address [ port
@@ -943,7 +944,7 @@ view string [ class ] {
integer | * ) ] [ dscp integer ];
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
integer | * ) ] [ dscp integer ];
- auto\-dnssec ( allow | maintain | off );
+ auto\-dnssec ( allow | maintain | off );// deprecated
check\-dup\-records ( fail | warn | ignore );
check\-integrity boolean;
check\-mx ( fail | warn | ignore );
@@ -1065,7 +1066,7 @@ zone string [ class ] {
] [ dscp integer ];
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
* ) ] [ dscp integer ];
- auto\-dnssec ( allow | maintain | off );
+ auto\-dnssec ( allow | maintain | off );// deprecated
check\-dup\-records ( fail | warn | ignore );
check\-integrity boolean;
check\-mx ( fail | warn | ignore );
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
index 8fc7e1b4f0..346d59813e 100644
--- a/doc/misc/master.zoneopt.rst
+++ b/doc/misc/master.zoneopt.rst
@@ -20,7 +20,7 @@
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off ); // deprecated
check-dup-records ( fail | warn | ignore );
check-integrity <boolean>;
check-mx ( fail | warn | ignore );
diff --git a/doc/misc/options b/doc/misc/options
index f57399499a..0dbcf101e1 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -404,6 +404,7 @@ options {
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
+ update-quota <integer>;
use-alt-transfer-source <boolean>;
use-id-pool <boolean>; // ancient
use-ixfr <boolean>; // obsolete
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 5fc1ab29f4..eb75a86eae 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -363,6 +363,7 @@ options {
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
+ update-quota <integer>;
use-alt-transfer-source <boolean>;
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
index 438072c95c..beef35341a 100644
--- a/doc/misc/options.grammar.rst
+++ b/doc/misc/options.grammar.rst
@@ -33,7 +33,7 @@
answer-cookie <boolean>;
attach-cache <string>;
auth-nxdomain <boolean>; // default changed
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off ); // deprecated
automatic-interface-scan <boolean>;
avoid-v4-udp-ports { <portrange>; ... };
avoid-v6-udp-ports { <portrange>; ... };
@@ -300,6 +300,7 @@
trust-anchor-telemetry <boolean>; // experimental
try-tcp-refresh <boolean>;
update-check-ksk <boolean>;
+ update-quota <integer>;
use-alt-transfer-source <boolean>;
use-v4-udp-ports { <portrange>; ... };
use-v6-udp-ports { <portrange>; ... };
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
index cc72dcbf67..468a7f4d9a 100644
--- a/doc/misc/slave.zoneopt.rst
+++ b/doc/misc/slave.zoneopt.rst
@@ -21,7 +21,7 @@
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
- auto-dnssec ( allow | maintain | off );
+ auto-dnssec ( allow | maintain | off ); // deprecated
check-names ( fail | warn | ignore );
database <string>;
dialup ( notify | notify-passive | passive | refresh | <boolean> );
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 45de0196bf..6e63d86816 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = {
{ "transfers-out", &cfg_type_uint32, 0 },
{ "transfers-per-ns", &cfg_type_uint32, 0 },
{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+ { "update-quota", &cfg_type_uint32, 0 },
{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
--
2.39.1

470
SOURCES/bind-9.16-CVE-2022-3094-3.patch
Unescape View File

@ -1,470 +0,0 @@
From 93b8bd39145566053ad8b22cef597146e9175ea4 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 8 Nov 2022 17:32:41 -0800
Subject: [PATCH] move update ACL and update-policy checks before quota
check allow-update, update-policy, and allow-update-forwarding before
consuming quota slots, so that unauthorized clients can't fill the
quota.
(this moves the access check before the prerequisite check, which
violates the precise wording of RFC 2136. however, RFC co-author Paul
Vixie has stated that the RFC is mistaken on this point; it should have
said that access checking must happen *no later than* the completion of
prerequisite checks, not that it must happen exactly then.)
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
---
lib/ns/update.c | 335 ++++++++++++++++++++++++++----------------------
1 file changed, 181 insertions(+), 154 deletions(-)
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 9a8c309..036184b 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -261,6 +261,9 @@ static void
forward_done(isc_task_t *task, isc_event_t *event);
static isc_result_t
add_rr_prepare_action(void *data, rr_t *rr);
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ const dns_rdata_t *rdata, bool *flag);
/**************************************************************************/
@@ -333,25 +336,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
static isc_result_t
checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
+ isc_result_t result;
char namebuf[DNS_NAME_FORMATSIZE];
char classbuf[DNS_RDATACLASS_FORMATSIZE];
- int level;
- isc_result_t result;
+ bool update_possible =
+ ((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
+ ssutable != NULL);
result = ns_client_checkaclsilent(client, NULL, queryacl, true);
if (result != ISC_R_SUCCESS) {
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
+
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
- level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
- : ISC_LOG_ERROR;
-
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
NS_LOGMODULE_UPDATE, level,
"update '%s/%s' denied due to allow-query",
namebuf, classbuf);
- } else if (updateacl == NULL && ssutable == NULL) {
+ } else if (!update_possible) {
dns_name_format(zonename, namebuf, sizeof(namebuf));
dns_rdataclass_format(client->view->rdclass, classbuf,
sizeof(classbuf));
@@ -1543,6 +1547,156 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
isc_result_t result = ISC_R_SUCCESS;
update_event_t *event = NULL;
isc_task_t *zonetask = NULL;
+ dns_ssutable_t *ssutable = NULL;
+ dns_message_t *request = client->message;
+ dns_aclenv_t *env =
+ ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+ dns_rdataclass_t zoneclass;
+ dns_rdatatype_t covers;
+ dns_name_t *zonename = NULL;
+ dns_db_t *db = NULL;
+ dns_dbversion_t *ver = NULL;
+
+ CHECK(dns_zone_getdb(zone, &db));
+ zonename = dns_db_origin(db);
+ zoneclass = dns_db_class(db);
+ dns_zone_getssutable(zone, &ssutable);
+ dns_db_currentversion(db, &ver);
+
+ /*
+ * Update message processing can leak record existence information
+ * so check that we are allowed to query this zone. Additionally,
+ * if we would refuse all updates for this zone, we bail out here.
+ */
+ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
+ dns_zone_getorigin(zone),
+ dns_zone_getupdateacl(zone), ssutable));
+
+ /*
+ * Check requestor's permissions.
+ */
+ if (ssutable == NULL) {
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+ "update", dns_zone_getorigin(zone), false,
+ false));
+ } else if (client->signer == NULL && !TCPCLIENT(client)) {
+ CHECK(checkupdateacl(client, NULL, "update",
+ dns_zone_getorigin(zone), false, true));
+ }
+
+ if (dns_zone_getupdatedisabled(zone)) {
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
+ "because the zone is frozen. Use "
+ "'rndc thaw' to re-enable updates.");
+ }
+
+ /*
+ * Prescan the update section, checking for updates that
+ * are illegal or violate policy.
+ */
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+ {
+ dns_name_t *name = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_ttl_t ttl;
+ dns_rdataclass_t update_class;
+
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
+ &rdata, &covers, &ttl, &update_class);
+
+ if (!dns_name_issubdomain(name, zonename)) {
+ FAILC(DNS_R_NOTZONE, "update RR is outside zone");
+ }
+ if (update_class == zoneclass) {
+ /*
+ * Check for meta-RRs. The RFC2136 pseudocode says
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
+ * "or any other QUERY metatype"
+ */
+ if (dns_rdatatype_ismeta(rdata.type)) {
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
+ }
+ result = dns_zone_checknames(zone, name, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ FAIL(DNS_R_REFUSED);
+ }
+ } else if (update_class == dns_rdataclass_any) {
+ if (ttl != 0 || rdata.length != 0 ||
+ (dns_rdatatype_ismeta(rdata.type) &&
+ rdata.type != dns_rdatatype_any))
+ {
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
+ }
+ } else if (update_class == dns_rdataclass_none) {
+ if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
+ }
+ } else {
+ update_log(client, zone, ISC_LOG_WARNING,
+ "update RR has incorrect class %d",
+ update_class);
+ FAIL(DNS_R_FORMERR);
+ }
+
+ /*
+ * draft-ietf-dnsind-simple-secure-update-01 says
+ * "Unlike traditional dynamic update, the client
+ * is forbidden from updating NSEC records."
+ */
+ if (rdata.type == dns_rdatatype_nsec3) {
+ FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
+ "allowed "
+ "in secure zones");
+ } else if (rdata.type == dns_rdatatype_nsec) {
+ FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
+ "allowed "
+ "in secure zones");
+ } else if (rdata.type == dns_rdatatype_rrsig &&
+ !dns_name_equal(name, zonename))
+ {
+ FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
+ "currently "
+ "not supported in secure zones "
+ "except "
+ "at the apex");
+ }
+
+ if (ssutable != NULL) {
+ isc_netaddr_t netaddr;
+ dst_key_t *tsigkey = NULL;
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ if (client->message->tsigkey != NULL) {
+ tsigkey = client->message->tsigkey->key;
+ }
+
+ if (rdata.type != dns_rdatatype_any) {
+ if (!dns_ssutable_checkrules(
+ ssutable, client->signer, name,
+ &netaddr, TCPCLIENT(client), env,
+ rdata.type, tsigkey))
+ {
+ FAILC(DNS_R_REFUSED, "rejected by "
+ "secure update");
+ }
+ } else {
+ if (!ssu_checkall(db, ver, name, ssutable,
+ client->signer, &netaddr, env,
+ TCPCLIENT(client), tsigkey))
+ {
+ FAILC(DNS_R_REFUSED, "rejected by "
+ "secure update");
+ }
+ }
+ }
+ }
+ if (result != ISC_R_NOMORE) {
+ FAIL(result);
+ }
+
+ update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
result = isc_quota_attach(&client->manager->sctx->updquota,
&(isc_quota_t *){ NULL });
@@ -1552,9 +1706,7 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
isc_result_totext(result));
ns_stats_increment(client->manager->sctx->nsstats,
ns_statscounter_updatequota);
- ns_client_drop(client, result);
- isc_nmhandle_detach(&client->reqhandle);
- return (DNS_R_DROP);
+ CHECK(DNS_R_DROP);
}
event = (update_event_t *)isc_event_allocate(
@@ -1571,6 +1723,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
dns_zone_gettask(zone, &zonetask);
isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+failure:
+ if (db != NULL) {
+ dns_db_closeversion(db, &ver, false);
+ dns_db_detach(&db);
+ }
+
+ if (ssutable != NULL) {
+ dns_ssutable_detach(&ssutable);
+ }
+
return (result);
}
@@ -1671,9 +1833,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
break;
case dns_zone_secondary:
case dns_zone_mirror:
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
- "update forwarding", zonename, true,
- false));
CHECK(send_forward_event(client, zone));
break;
default:
@@ -1685,8 +1844,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
failure:
if (result == DNS_R_REFUSED) {
- INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
- dns_zone_gettype(zone) == dns_zone_mirror);
inc_stats(client, zone, ns_statscounter_updaterej);
}
@@ -2578,7 +2735,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_rdatatype_t covers;
dns_message_t *request = client->message;
dns_rdataclass_t zoneclass;
- dns_name_t *zonename;
+ dns_name_t *zonename = NULL;
dns_ssutable_t *ssutable = NULL;
dns_fixedname_t tmpnamefixed;
dns_name_t *tmpname = NULL;
@@ -2590,8 +2747,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_ttl_t maxttl = 0;
uint32_t maxrecords;
uint64_t records;
- dns_aclenv_t *env =
- ns_interfacemgr_getaclenv(client->manager->interface->mgr);
INSIST(event->ev_type == DNS_EVENT_UPDATE);
@@ -2602,14 +2757,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
zonename = dns_db_origin(db);
zoneclass = dns_db_class(db);
dns_zone_getssutable(zone, &ssutable);
-
- /*
- * Update message processing can leak record existence information
- * so check that we are allowed to query this zone. Additionally
- * if we would refuse all updates for this zone we bail out here.
- */
- CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
- dns_zone_getupdateacl(zone), ssutable));
+ options = dns_zone_getoptions(zone);
/*
* Get old and new versions now that queryacl has been checked.
@@ -2745,135 +2893,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
- /*
- * Check Requestor's Permissions. It seems a bit silly to do this
- * only after prerequisite testing, but that is what RFC2136 says.
- */
- if (ssutable == NULL) {
- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
- "update", zonename, false, false));
- } else if (client->signer == NULL && !TCPCLIENT(client)) {
- CHECK(checkupdateacl(client, NULL, "update", zonename, false,
- true));
- }
-
- if (dns_zone_getupdatedisabled(zone)) {
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
- "because the zone is frozen. Use "
- "'rndc thaw' to re-enable updates.");
- }
-
- /*
- * Perform the Update Section Prescan.
- */
-
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
- {
- dns_name_t *name = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_ttl_t ttl;
- dns_rdataclass_t update_class;
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
- &rdata, &covers, &ttl, &update_class);
-
- if (!dns_name_issubdomain(name, zonename)) {
- FAILC(DNS_R_NOTZONE, "update RR is outside zone");
- }
- if (update_class == zoneclass) {
- /*
- * Check for meta-RRs. The RFC2136 pseudocode says
- * check for ANY|AXFR|MAILA|MAILB, but the text adds
- * "or any other QUERY metatype"
- */
- if (dns_rdatatype_ismeta(rdata.type)) {
- FAILC(DNS_R_FORMERR, "meta-RR in update");
- }
- result = dns_zone_checknames(zone, name, &rdata);
- if (result != ISC_R_SUCCESS) {
- FAIL(DNS_R_REFUSED);
- }
- } else if (update_class == dns_rdataclass_any) {
- if (ttl != 0 || rdata.length != 0 ||
- (dns_rdatatype_ismeta(rdata.type) &&
- rdata.type != dns_rdatatype_any))
- {
- FAILC(DNS_R_FORMERR, "meta-RR in update");
- }
- } else if (update_class == dns_rdataclass_none) {
- if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
- FAILC(DNS_R_FORMERR, "meta-RR in update");
- }
- } else {
- update_log(client, zone, ISC_LOG_WARNING,
- "update RR has incorrect class %d",
- update_class);
- FAIL(DNS_R_FORMERR);
- }
-
- /*
- * draft-ietf-dnsind-simple-secure-update-01 says
- * "Unlike traditional dynamic update, the client
- * is forbidden from updating NSEC records."
- */
- if (rdata.type == dns_rdatatype_nsec3) {
- FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
- "allowed "
- "in secure zones");
- } else if (rdata.type == dns_rdatatype_nsec) {
- FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
- "allowed "
- "in secure zones");
- } else if (rdata.type == dns_rdatatype_rrsig &&
- !dns_name_equal(name, zonename)) {
- FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
- "currently "
- "not supported in secure zones "
- "except "
- "at the apex");
- }
-
- if (ssutable != NULL) {
- isc_netaddr_t netaddr;
- dst_key_t *tsigkey = NULL;
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
- if (client->message->tsigkey != NULL) {
- tsigkey = client->message->tsigkey->key;
- }
-
- if (rdata.type != dns_rdatatype_any) {
- if (!dns_ssutable_checkrules(
- ssutable, client->signer, name,
- &netaddr, TCPCLIENT(client), env,
- rdata.type, tsigkey))
- {
- FAILC(DNS_R_REFUSED, "rejected by "
- "secure update");
- }
- } else {
- if (!ssu_checkall(db, ver, name, ssutable,
- client->signer, &netaddr, env,
- TCPCLIENT(client), tsigkey))
- {
- FAILC(DNS_R_REFUSED, "rejected by "
- "secure update");
- }
- }
- }
- }
- if (result != ISC_R_NOMORE) {
- FAIL(result);
- }
-
- update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
-
/*
* Process the Update Section.
*/
- options = dns_zone_getoptions(zone);
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
result == ISC_R_SUCCESS;
result = dns_message_nextname(request, DNS_SECTION_UPDATE))
@@ -3307,10 +3330,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (result == ISC_R_SUCCESS && records > maxrecords) {
update_log(client, zone, ISC_LOG_ERROR,
"records in zone (%" PRIu64 ") "
- "exceeds"
- " max-"
- "records"
- " (%u)",
+ "exceeds max-records (%u)",
records, maxrecords);
result = DNS_R_TOOMANYRECORDS;
goto failure;
@@ -3601,6 +3621,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
update_event_t *event = NULL;
isc_task_t *zonetask = NULL;
+ result = checkupdateacl(client, dns_zone_getforwardacl(zone),
+ "update forwarding", dns_zone_getorigin(zone),
+ true, false);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
result = isc_quota_attach(&client->manager->sctx->updquota,
&(isc_quota_t *){ NULL });
if (result != ISC_R_SUCCESS) {
--
2.39.1

272
SOURCES/bind-9.16-CVE-2022-3094-test.patch
Unescape View File

@ -1,272 +0,0 @@
From 54e281c11ee13eabc3c51d6391a58fc90836000c Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 9 Nov 2022 21:56:16 -0800
Subject: [PATCH] test failure conditions
verify that updates are refused when the client is disallowed by
allow-query, and update forwarding is refused when the client is
is disallowed by update-forwarding.
verify that "too many DNS UPDATEs" appears in the log file when too
many simultaneous updates are processing.
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
---
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
bin/tests/system/upforwd/clean.sh | 2 +
.../ns3/{named.conf.in => named1.conf.in} | 13 ++++--
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
bin/tests/system/upforwd/setup.sh | 2 +-
bin/tests/system/upforwd/tests.sh | 39 ++++++++++++++++++
7 files changed, 123 insertions(+), 4 deletions(-)
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 436c97d..83fe884 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -21,6 +21,7 @@ options {
recursion no;
notify yes;
minimal-responses no;
+ update-quota 1;
};
acl named-acl {
@@ -81,6 +82,7 @@ zone "other.nil" {
check-integrity no;
check-mx warn;
update-policy local;
+ allow-query { !10.53.0.2; any; };
allow-query-on { 10.53.0.1; 127.0.0.1; };
allow-transfer { any; };
};
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b5f562f..13ba577 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1268,6 +1268,34 @@ END
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+ $NSUPDATE -d <<END
+ local 10.53.0.2
+ server 10.53.0.1 ${PORT}
+ update add reject.other.nil 3600 IN TXT Whatever
+ send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
+ send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
if ! $FEATURETEST --gssapi ; then
echo_i "SKIPPED: GSSAPI tests"
else
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 2025252..12311df 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -29,3 +29,5 @@ rm -f keyname keyname.err
rm -f ns*/named.lock
rm -f ns1/example2.db
rm -f ns*/managed-keys.bind*
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
similarity index 78%
rename from bin/tests/system/upforwd/ns3/named.conf.in
rename to bin/tests/system/upforwd/ns3/named1.conf.in
index 7bd13d3..2f690ff 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -28,20 +28,27 @@ key rndc_key {
};
controls {
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "example" {
type secondary;
file "example.bk";
- allow-update-forwarding { any; };
+ allow-update-forwarding { 10.53.0.1; };
primaries { 10.53.0.1; };
};
zone "example2" {
type secondary;
file "example2.bk";
- allow-update-forwarding { any; };
+ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+};
+
+zone "example3" {
+ type secondary;
+ file "example3.bk";
+ allow-update-forwarding { 10.53.0.1; };
primaries { 10.53.0.1; };
};
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
new file mode 100644
index 0000000..e15459a
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ update-quota 1;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+ type secondary;
+ file "example.bk";
+ allow-update-forwarding { any; };
+ primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index e748078..88ab28d 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
if $FEATURETEST --enable-dnstap
then
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 8062d68..20fc46f 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
echo_i "updating zone (signed) ($n)"
ret=0
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add updated.example. 600 A 10.10.10.1
update add updated.example. 600 TXT Foo
@@ -138,6 +139,7 @@ fi
echo_i "updating zone (unsigned) ($n)"
ret=0
$NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
server 10.53.0.3 ${PORT}
update add unsigned.example. 600 A 10.10.10.1
update add unsigned.example. 600 TXT Foo
@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
do
(
$NSUPDATE -- - <<EOF
+local 10.53.0.1
server 10.53.0.3 ${PORT}
zone nomaster
update add unsigned.nomaster. 600 A 10.10.10.1
@@ -225,6 +228,7 @@ then
ret=0
keyname=`cat keyname`
$NSUPDATE -k $keyname.private -- - <<EOF
+ local 10.53.0.1
server 10.53.0.3 ${PORT}
zone example2
update add unsigned.example2. 600 A 10.10.10.1
@@ -249,5 +253,40 @@ EOF
fi
fi
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+ $NSUPDATE -- - << EOF
+ local 10.53.0.2
+ server 10.53.0.3 ${PORT}
+ update add another.unsigned.example. 600 A 10.10.10.2
+ update add another.unsigned.example. 600 TXT Bar
+ send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
+ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
+ send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.39.2

53
SOURCES/bind-9.16-CVE-2022-3736.patch
Unescape View File

@ -1,53 +0,0 @@
From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 27 Oct 2022 13:22:11 +1100
Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
dns_db_findext() asserts if RRSIG is passed to it and
query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
avoid cases like this in the future, move the mapping of SIG and RRSIG
to ANY for qctx->type to qctx_init().
(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
---
lib/ns/query.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index a450cb7..f66bab4 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
qctx->result = ISC_R_SUCCESS;
qctx->findcoveringnsec = qctx->view->synthfromdnssec;
+ /*
+ * If it's an RRSIG or SIG query, we'll iterate the node.
+ */
+ if (qctx->qtype == dns_rdatatype_rrsig ||
+ qctx->qtype == dns_rdatatype_sig)
+ {
+ qctx->type = dns_rdatatype_any;
+ }
+
CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
}
@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
CALL_HOOK(NS_QUERY_SETUP, &qctx);
- /*
- * If it's a SIG query, we'll iterate the node.
- */
- if (qctx.qtype == dns_rdatatype_rrsig ||
- qctx.qtype == dns_rdatatype_sig) {
- qctx.type = dns_rdatatype_any;
- }
-
/*
* Check SERVFAIL cache
*/
--
2.39.1

27
SOURCES/bind-9.16-CVE-2022-38177.patch
Unescape View File

@ -1,27 +0,0 @@
From df8222fb189708199a185f73543b6e0602c1c72f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 20 Sep 2022 11:21:45 +0200
Subject: [PATCH 3/4] Fix CVE-2022-38177
5961. [security] Fix memory leak in ECDSA verify processing.
(CVE-2022-38177) [GL #3487]
---
lib/dns/opensslecdsa_link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index ce4c8c4..3847896 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -228,7 +228,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
}
if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
}
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
--
2.37.3

32
SOURCES/bind-9.16-CVE-2022-38178.patch
Unescape View File

@ -1,32 +0,0 @@
From 132ef295b8407f91e6922f4dfc4f30f1790b61c5 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 20 Sep 2022 11:22:47 +0200
Subject: [PATCH 4/4] Fix CVE-2022-38178
5962. [security] Fix memory leak in EdDSA verify processing.
(CVE-2022-38178) [GL #3487]
---
lib/dns/openssleddsa_link.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index 6a6a74d..3157011 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
}
#endif /* if HAVE_OPENSSL_ED448 */
if (siglen == 0) {
- return (ISC_R_NOTIMPLEMENTED);
+ DST_RET(ISC_R_NOTIMPLEMENTED);
}
if (sig->length != siglen) {
- return (DST_R_VERIFYFAILURE);
+ DST_RET(DST_R_VERIFYFAILURE);
}
isc_buffer_usedregion(buf, &tbsreg);
--
2.37.3

128
SOURCES/bind-9.16-CVE-2022-3924.patch
Unescape View File

@ -1,128 +0,0 @@
From 20424b3bfe8d3fae92c11a30e79aeffd26dc2891 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 14 Nov 2022 12:18:06 +0000
Subject: [PATCH] Cancel all fetch events in dns_resolver_cancelfetch()
Although 'dns_fetch_t' fetch can have two associated events, one for
each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
dns_resolver_cancelfetch() function is designed in a way that it
expects only one existing event, which it must cancel, and when it
happens so that 'stale-answer-client-timeout' is enabled and there
are two events, only one of them is canceled, and it results in an
assertion in dns_resolver_destroyfetch(), when it finds a dangling
event.
Change the logic of dns_resolver_cancelfetch() function so that it
cancels both the events (if they exist), and in the right order.
(cherry picked from commit ec2098ca35039e4f81fd0aa7c525eb960b8f47bf)
---
lib/dns/resolver.c | 53 +++++++++++++++++++++++++++++++++++-----------
lib/ns/query.c | 4 +++-
2 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 18585b5..7cbfbb2 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -11254,8 +11254,9 @@ void
dns_resolver_cancelfetch(dns_fetch_t *fetch) {
fetchctx_t *fctx;
dns_resolver_t *res;
- dns_fetchevent_t *event, *next_event;
- isc_task_t *etask;
+ dns_fetchevent_t *event = NULL;
+ dns_fetchevent_t *event_trystale = NULL;
+ dns_fetchevent_t *event_fetchdone = NULL;
REQUIRE(DNS_FETCH_VALID(fetch));
fctx = fetch->private;
@@ -11267,32 +11268,60 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
LOCK(&res->buckets[fctx->bucketnum].lock);
/*
- * Find the completion event for this fetch (as opposed
+ * Find the events for this fetch (as opposed
* to those for other fetches that have joined the same
- * fctx) and send it with result = ISC_R_CANCELED.
+ * fctx) and send them with result = ISC_R_CANCELED.
*/
- event = NULL;
if (fctx->state != fetchstate_done) {
+ dns_fetchevent_t *next_event = NULL;
for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
event = next_event) {
next_event = ISC_LIST_NEXT(event, ev_link);
if (event->fetch == fetch) {
ISC_LIST_UNLINK(fctx->events, event, ev_link);
- break;
+ switch (event->ev_type) {
+ case DNS_EVENT_TRYSTALE:
+ INSIST(event_trystale == NULL);
+ event_trystale = event;
+ break;
+ case DNS_EVENT_FETCHDONE:
+ INSIST(event_fetchdone == NULL);
+ event_fetchdone = event;
+ break;
+ default:
+ ISC_UNREACHABLE();
+ }
+ if (event_trystale != NULL &&
+ event_fetchdone != NULL)
+ {
+ break;
+ }
}
}
}
- if (event != NULL) {
- etask = event->ev_sender;
- event->ev_sender = fctx;
- event->result = ISC_R_CANCELED;
- isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
+
+ /*
+ * The "trystale" event must be sent before the "fetchdone" event,
+ * because the latter clears the "recursing" query attribute, which is
+ * required by both events (handled by the same callback function).
+ */
+ if (event_trystale != NULL) {
+ isc_task_t *etask = event_trystale->ev_sender;
+ event_trystale->ev_sender = fctx;
+ event_trystale->result = ISC_R_CANCELED;
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_trystale));
}
+ if (event_fetchdone != NULL) {
+ isc_task_t *etask = event_fetchdone->ev_sender;
+ event_fetchdone->ev_sender = fctx;
+ event_fetchdone->result = ISC_R_CANCELED;
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_fetchdone));
+ }
+
/*
* The fctx continues running even if no fetches remain;
* the answer is still cached.
*/
-
UNLOCK(&res->buckets[fctx->bucketnum].lock);
}
diff --git a/lib/ns/query.c b/lib/ns/query.c
index f66bab4..4f61374 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -6021,7 +6021,9 @@ fetch_callback(isc_task_t *task, isc_event_t *event) {
CTRACE(ISC_LOG_DEBUG(3), "fetch_callback");
if (event->ev_type == DNS_EVENT_TRYSTALE) {
- query_lookup_stale(client);
+ if (devent->result != ISC_R_CANCELED) {
+ query_lookup_stale(client);
+ }
isc_event_free(ISC_EVENT_PTR(&event));
return;
}
--
2.39.1

192
SOURCES/bind-9.16-CVE-2023-2828.patch
Unescape View File

@ -1,192 +0,0 @@
From ed920ea2ae1cc1214b42b82a5149758dbec941a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 30 May 2023 08:46:17 +0200
Subject: [PATCH] Improve RBT overmem cache cleaning
When cache memory usage is over the configured cache size (overmem) and
we are cleaning unused entries, it might not be enough to clean just two
entries if the entries to be expired are smaller than the newly added
rdata. This could be abused by an attacker to cause a remote Denial of
Service by possibly running out of the operating system memory.
Currently, the addrdataset() tries to do a single TTL-based cleaning
considering the serve-stale TTL and then optionally moves to overmem
cleaning if we are in that condition. Then the overmem_purge() tries to
do another single TTL based cleaning from the TTL heap and then continue
with LRU-based cleaning up to 2 entries cleaned.
Squash the TTL-cleaning mechanism into single call from addrdataset(),
but ignore the serve-stale TTL if we are currently overmem.
Then instead of having a fixed number of entries to clean, pass the size
of newly added rdatasetheader to the overmem_purge() function and
cleanup at least the size of the newly added data. This prevents the
cache going over the configured memory limit (`max-cache-size`).
Additionally, refactor the overmem_purge() function to reduce for-loop
nesting for readability.
(cherry picked from commit f1d9e9ee3859976f403914d20ad2a10855343702)
---
lib/dns/rbtdb.c | 105 ++++++++++++++++++++++++++++++------------------
1 file changed, 65 insertions(+), 40 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 51178cc877..75f97f5550 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -599,7 +599,7 @@ static void
expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
expire_t reason);
static void
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
bool tree_locked);
static isc_result_t
resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader);
@@ -6802,6 +6802,16 @@ cleanup:
static dns_dbmethods_t zone_methods;
+static size_t
+rdataset_size(rdatasetheader_t *header) {
+ if (!NONEXISTENT(header)) {
+ return (dns_rdataslab_size((unsigned char *)header,
+ sizeof(*header)));
+ }
+
+ return (sizeof(*header));
+}
+
static isc_result_t
addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
@@ -6965,7 +6975,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
if (cache_is_overmem) {
- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
+ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
+ tree_locked);
}
NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
@@ -6984,10 +6995,18 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
- if (header != NULL && header->rdh_ttl + rbtdb->serve_stale_ttl <
- now - RBTDB_VIRTUAL)
- {
- expire_header(rbtdb, header, tree_locked, expire_ttl);
+ if (header != NULL) {
+ dns_ttl_t rdh_ttl = header->rdh_ttl;
+
+ /* Only account for stale TTL if cache is not overmem */
+ if (!cache_is_overmem) {
+ rdh_ttl += rbtdb->serve_stale_ttl;
+ }
+
+ if (rdh_ttl < now - RBTDB_VIRTUAL) {
+ expire_header(rbtdb, header, tree_locked,
+ expire_ttl);
+ }
}
/*
@@ -10531,52 +10550,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) {
ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
}
+static size_t
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+ bool tree_locked) {
+ rdatasetheader_t *header, *header_prev;
+ size_t purged = 0;
+
+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+ header != NULL && purged <= purgesize; header = header_prev)
+ {
+ header_prev = ISC_LIST_PREV(header, link);
+ /*
+ * Unlink the entry at this point to avoid checking it
+ * again even if it's currently used someone else and
+ * cannot be purged at this moment. This entry won't be
+ * referenced any more (so unlinking is safe) since the
+ * TTL was reset to 0.
+ */
+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+ size_t header_size = rdataset_size(header);
+ expire_header(rbtdb, header, tree_locked, expire_lru);
+ purged += header_size;
+ }
+
+ return (purged);
+}
+
/*%
- * Purge some expired and/or stale (i.e. unused for some period) cache entries
- * under an overmem condition. To recover from this condition quickly, up to
- * 2 entries will be purged. This process is triggered while adding a new
- * entry, and we specifically avoid purging entries in the same LRU bucket as
- * the one to which the new entry will belong. Otherwise, we might purge
- * entries of the same name of different RR types while adding RRsets from a
- * single response (consider the case where we're adding A and AAAA glue records
- * of the same NS name).
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
+ * entries under the overmem condition. To recover from this condition quickly,
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
+ *
+ * This process is triggered while adding a new entry, and we specifically avoid
+ * purging entries in the same LRU bucket as the one to which the new entry will
+ * belong. Otherwise, we might purge entries of the same name of different RR
+ * types while adding RRsets from a single response (consider the case where
+ * we're adding A and AAAA glue records of the same NS name).
*/
static void
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now,
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
bool tree_locked) {
- rdatasetheader_t *header, *header_prev;
unsigned int locknum;
- int purgecount = 2;
+ size_t purged = 0;
for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
- locknum != locknum_start && purgecount > 0;
+ locknum != locknum_start && purged <= purgesize;
locknum = (locknum + 1) % rbtdb->node_lock_count)
{
NODE_LOCK(&rbtdb->node_locks[locknum].lock,
isc_rwlocktype_write);
- header = isc_heap_element(rbtdb->heaps[locknum], 1);
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
- expire_header(rbtdb, header, tree_locked, expire_ttl);
- purgecount--;
- }
-
- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
- header != NULL && purgecount > 0; header = header_prev)
- {
- header_prev = ISC_LIST_PREV(header, link);
- /*
- * Unlink the entry at this point to avoid checking it
- * again even if it's currently used someone else and
- * cannot be purged at this moment. This entry won't be
- * referenced any more (so unlinking is safe) since the
- * TTL was reset to 0.
- */
- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
- link);
- expire_header(rbtdb, header, tree_locked, expire_lru);
- purgecount--;
- }
+ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
+ tree_locked);
NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
isc_rwlocktype_write);
--
2.40.1

37
SOURCES/bind-9.16-CVE-2023-2911-1.patch
Unescape View File

@ -1,37 +0,0 @@
From e73ecbf039c3b2cd33dd2926691a8a346c9ca574 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 2 Aug 2022 14:21:40 +0200
Subject: [PATCH 1/3] Don't enable serve-stale on duplicate queries
When checking if we should enable serve-stale, add an early out case
when the result is an error signalling a duplicate query or a query
that would be dropped.
(cherry picked from commit 059a4c2f4d9d3cff371842f43208d021509314fa)
(cherry picked from commit dd7dde5743715dc0dec2defbb92b1a8637977bf9)
---
lib/ns/query.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 4f61374e2c..c169e22bf4 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7205,6 +7205,14 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
return (false);
}
+ if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) {
+ /*
+ * Don't enable serve-stale if the result signals a duplicate
+ * query or query that is being dropped.
+ */
+ return (false);
+ }
+
qctx_clean(qctx);
qctx_freedata(qctx);
--
2.40.1

72
SOURCES/bind-9.16-CVE-2023-2911-2.patch
Unescape View File

@ -1,72 +0,0 @@
From 589c06568e3036bfe713d42b53c8e88005ce17e4 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 25 May 2023 23:53:50 -0700
Subject: [PATCH 2/3] Stale answer lookups could loop when over recursion quota
When a query was aborted because of the recursion quota being exceeded,
but triggered a stale answer response and a stale data refresh query,
it could cause named to loop back where we are iterating and following
a delegation. Having no good answer in cache, we would fall back to
using serve-stale again, use the stale data, try to refresh the RRset,
and loop back again, without ever terminating until crashing due to
stack overflow.
This happens because in the functions 'query_notfound()' and
'query_delegation_recurse()', we check whether we can fall back to
serving stale data. We shouldn't do so if we are already refreshing
an RRset due to having prioritized stale data in cache.
In other words, we need to add an extra check to 'query_usestale()' to
disallow serving stale data if we are currently refreshing a stale
RRset.
As an additional mitigation to prevent looping, we now use the result
code ISC_R_ALREADYRUNNING rather than ISC_R_FAILURE when a recursion
loop is encountered, and we check for that condition in
'query_usestale()' as well.
(cherry picked from commit 0101e28f91fb36b6a16a0049d3b3e2b7846f23f0)
---
lib/ns/query.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index c169e22bf4..1eb662ea4d 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -6229,7 +6229,7 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) {
ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
ISC_LOG_INFO, "recursion loop detected");
- return (ISC_R_FAILURE);
+ return (ISC_R_ALREADYRUNNING);
}
recparam_update(&client->query.recparam, qtype, qname, qdomain);
@@ -7205,10 +7205,21 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
return (false);
}
- if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) {
+ if (qctx->refresh_rrset) {
+ /*
+ * This is a refreshing query, we have already prioritized
+ * stale data, so don't enable serve-stale again.
+ */
+ return (false);
+ }
+
+ if (result == DNS_R_DUPLICATE || result == DNS_R_DROP ||
+ result == ISC_R_ALREADYRUNNING)
+ {
/*
* Don't enable serve-stale if the result signals a duplicate
- * query or query that is being dropped.
+ * query or a query that is being dropped or can't proceed
+ * because of a recursion loop.
*/
return (false);
}
--
2.40.1

60
SOURCES/bind-9.16-CVE-2023-2911-3.patch
Unescape View File

@ -1,60 +0,0 @@
From c20e9d30bae58d3120aa7c6a0e5dcae0e7e93dbd Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Thu, 1 Jun 2023 10:03:48 +0200
Subject: [PATCH 3/3] Fix serve-stale hang at shutdown
The 'refresh_rrset' variable is used to determine if we can detach from
the client. This can cause a hang on shutdown. To fix this, move setting
of the 'nodetach' variable up to where 'refresh_rrset' is set (in
query_lookup(), and thus not in ns_query_done()), and set it to false
when actually refreshing the RRset, so that when this lookup is
completed, the client will be detached.
(cherry picked from commit c003c5bc3c68f3e513654b6689e1f60280d14844)
---
lib/ns/query.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 1eb662ea4d..4fe3e30f45 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5644,6 +5644,7 @@ query_refresh_rrset(query_ctx_t *orig_qctx) {
qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
DNS_DBFIND_STALEOK |
DNS_DBFIND_STALEENABLED);
+ qctx.client->nodetach = false;
/*
* We'll need some resources...
@@ -5868,7 +5869,14 @@ query_lookup(query_ctx_t *qctx) {
"%s stale answer used, an attempt to "
"refresh the RRset will still be made",
namebuf);
+
qctx->refresh_rrset = STALE(qctx->rdataset);
+
+ /*
+ * If we are refreshing the RRSet, we must not
+ * detach from the client in query_send().
+ */
+ qctx->client->nodetach = qctx->refresh_rrset;
}
} else {
/*
@@ -11469,12 +11477,7 @@ ns_query_done(query_ctx_t *qctx) {
/*
* Client may have been detached after query_send(), so
* we test and store the flag state here, for safety.
- * If we are refreshing the RRSet, we must not detach from the client
- * in the query_send(), so we need to override the flag.
*/
- if (qctx->refresh_rrset) {
- qctx->client->nodetach = true;
- }
nodetach = qctx->client->nodetach;
query_send(qctx->client);
--
2.40.1

168
SOURCES/bind-9.16-CVE-2023-3341.patch
Unescape View File

@ -1,168 +0,0 @@
From b137e12dc8118cddee20e372e480a495585e72b6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 19 Sep 2023 12:44:31 +0200
Subject: [PATCH] Fix CVE-2023-3341
6245. [security] Limit the amount of recursion that can be performed
by isccc_cc_fromwire. (CVE-2023-3341) [GL #4152]
---
lib/isccc/cc.c | 39 ++++++++++++++++++++++++--------
lib/isccc/include/isccc/result.h | 4 +++-
lib/isccc/result.c | 4 +++-
3 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index 0be28b9057..3744d0f037 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -50,6 +50,10 @@
#define MAX_TAGS 256
#define DUP_LIFETIME 900
+#ifndef ISCCC_MAXDEPTH
+#define ISCCC_MAXDEPTH \
+ 10 /* Big enough for rndc which just sends a string each way. */
+#endif
typedef isccc_sexpr_t *sexpr_ptr;
@@ -480,19 +484,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp);
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp);
static isc_result_t
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+value_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **valuep) {
unsigned int msgtype;
uint32_t len;
isccc_sexpr_t *value;
isccc_region_t active;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
if (REGION_SIZE(*source) < 1 + 4) {
return (ISC_R_UNEXPECTEDEND);
}
@@ -513,9 +523,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
result = ISC_R_NOMEMORY;
}
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE) {
- result = table_fromwire(&active, NULL, 0, valuep);
+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
} else if (msgtype == ISCCC_CCMSGTYPE_LIST) {
- result = list_fromwire(&active, valuep);
+ result = list_fromwire(&active, depth + 1, valuep);
} else {
result = ISCCC_R_SYNTAX;
}
@@ -525,7 +535,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
static isc_result_t
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- uint32_t algorithm, isccc_sexpr_t **alistp) {
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) {
char key[256];
uint32_t len;
isc_result_t result;
@@ -535,6 +545,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
REQUIRE(alistp != NULL && *alistp == NULL);
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
checksum_rstart = NULL;
first_tag = true;
alist = isccc_alist_create();
@@ -551,7 +565,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
GET_MEM(key, len, source->rstart);
key[len] = '\0'; /* Ensure NUL termination. */
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS) {
goto bad;
}
@@ -589,14 +603,19 @@ bad:
}
static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+list_fromwire(isccc_region_t *source, unsigned int depth,
+ isccc_sexpr_t **listp) {
isccc_sexpr_t *list, *value;
isc_result_t result;
+ if (depth > ISCCC_MAXDEPTH) {
+ return (ISCCC_R_MAXDEPTH);
+ }
+
list = NULL;
while (!REGION_EMPTY(*source)) {
value = NULL;
- result = value_fromwire(source, &value);
+ result = value_fromwire(source, depth + 1, &value);
if (result != ISC_R_SUCCESS) {
isccc_sexpr_free(&list);
return (result);
@@ -628,7 +647,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
return (ISCCC_R_UNKNOWNVERSION);
}
- return (table_fromwire(source, secret, algorithm, alistp));
+ return (table_fromwire(source, secret, algorithm, 0, alistp));
}
static isc_result_t
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
index 5346babefc..5b6a876d1c 100644
--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
@@ -46,8 +46,10 @@
#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
/*% Duplicate */
#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
+/*% Maximum recursion depth */
+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
+#define ISCCC_R_NRESULTS 7 /*%< Number of results */
ISC_LANG_BEGINDECLS
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
index 9285435209..1956cb1655 100644
--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
@@ -36,12 +36,14 @@ static const char *text[ISCCC_R_NRESULTS] = {
"bad auth", /* 3 */
"expired", /* 4 */
"clock skew", /* 5 */
- "duplicate" /* 6 */
+ "duplicate", /* 6 */
+ "max depth" /* 7 */
};
static const char *ids[ISCCC_R_NRESULTS] = {
"ISCCC_R_UNKNOWNVERSION", "ISCCC_R_SYNTAX", "ISCCC_R_BADAUTH",
"ISCCC_R_EXPIRED", "ISCCC_R_CLOCKSKEW", "ISCCC_R_DUPLICATE",
+ "ISCCC_R_MAXDEPTH"
};
#define ISCCC_RESULT_RESULTSET 2
--
2.41.0

88
SOURCES/bind-9.16-CVE-2023-4408-test1.patch
Unescape View File

@ -1,88 +0,0 @@
From d258422d3e653621ce6340ba9af0153f8d4e8c07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Sun, 11 Feb 2024 00:49:32 +0100
Subject: [PATCH] Test case insensitive matching in isc_ht hash table
implementation
The case insensitive matching in isc_ht was basically completely broken
as only the hashvalue computation was case insensitive, but the key
comparison was always case sensitive.
Import only test part from upstream.
(cherry picked from commit 175655b771fd17b06dfb8cfb29eaadf0f3b6a8b5)
(cherry picked from upstream commit f493a8394102b0aeb101d5dc2f963004c8741175)
---
lib/isc/tests/ht_test.c | 53 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
index 74d95c1..65502b5 100644
--- a/lib/isc/tests/ht_test.c
+++ b/lib/isc/tests/ht_test.c
@@ -334,9 +334,62 @@ isc_ht_iterator_test(void **state) {
test_ht_iterator();
}
+static void
+isc_ht_case(void **state) {
+ UNUSED(state);
+
+ isc_ht_t *ht = NULL;
+ void *f = NULL;
+ isc_result_t result = ISC_R_UNSET;
+
+ unsigned char lower[16] = { "test case" };
+ unsigned char same[16] = { "test case" };
+ unsigned char upper[16] = { "TEST CASE" };
+ unsigned char mixed[16] = { "tEsT CaSe" };
+
+ isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_SENSITIVE);
+ assert_non_null(ht);
+
+ result = isc_ht_add(ht, lower, 16, (void *)lower);
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+ result = isc_ht_add(ht, same, 16, (void *)same);
+ assert_int_equal(result, ISC_R_EXISTS);
+
+ result = isc_ht_add(ht, upper, 16, (void *)upper);
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+ result = isc_ht_find(ht, mixed, 16, &f);
+ assert_int_equal(result, ISC_R_NOTFOUND);
+ assert_null(f);
+
+ isc_ht_destroy(&ht);
+ assert_null(ht);
+
+ isc_ht_init(&ht, test_mctx, 8, ISC_HT_CASE_INSENSITIVE);
+ assert_non_null(ht);
+
+ result = isc_ht_add(ht, lower, 16, (void *)lower);
+ assert_int_equal(result, ISC_R_SUCCESS);
+
+ result = isc_ht_add(ht, same, 16, (void *)same);
+ assert_int_equal(result, ISC_R_EXISTS);
+
+ result = isc_ht_add(ht, upper, 16, (void *)upper);
+ assert_int_equal(result, ISC_R_EXISTS);
+
+ result = isc_ht_find(ht, mixed, 16, &f);
+ assert_int_equal(result, ISC_R_SUCCESS);
+ assert_ptr_equal(f, &lower);
+
+ isc_ht_destroy(&ht);
+ assert_null(ht);
+}
+
int
main(void) {
const struct CMUnitTest tests[] = {
+ cmocka_unit_test(isc_ht_case),
cmocka_unit_test(isc_ht_20),
cmocka_unit_test(isc_ht_8),
cmocka_unit_test(isc_ht_1),
--
2.43.0

75
SOURCES/bind-9.16-CVE-2023-4408-test2.patch
Unescape View File

@ -1,75 +0,0 @@
From aa1b0fc4b24d26233db30c85ae3609e54e9fa6d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Sun, 11 Feb 2024 09:13:43 +0100
Subject: [PATCH] Add a system test for mixed-case data for the same owner
We were missing a test where a single owner name would have multiple
types with a different case. The generated RRSIGs and NSEC records will
then have different case than the signed records and message parser have
to cope with that and treat everything as the same owner.
(cherry picked from commit a114042059ecbbc94ae0f604ca681323a75af480)
(cherry picked from upstream commit b9c10a194da3358204f5ba7d91e55332db435614)
---
bin/tests/system/dnssec/ns3/secure.example.db.in | 5 +++++
bin/tests/system/dnssec/ns3/sign.sh | 4 +++-
bin/tests/system/dnssec/tests.sh | 15 +++++++++++++++
3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index 27f2b24..599566e 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -45,3 +45,8 @@ rrsigonly A 10.0.0.29
cnameandkey CNAME @
cnamenokey CNAME @
dnameandkey DNAME @
+
+mixedcase A 10.0.0.30
+mixedCASE TXT "mixed case"
+MIXEDcase AAAA 2002::
+mIxEdCaSe LOC 37 52 56.788 N 121 54 55.02 W 1120m 10m 100m 10m
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 80d412e..d94f382 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -86,7 +86,9 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
-"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
+"$SIGNER" -P -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
zone=bogus.example.
infile=bogus.example.db.in
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index fe95c8d..0c03970 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -762,6 +762,21 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+echo_i "checking mixed-case positive validation ($n)"
+ret=0
+for type in a txt aaaa loc; do
+ dig_with_opts +noauth mixedcase.secure.example. \
+ @10.53.0.3 $type >dig.out.$type.ns3.test$n || ret=1
+ dig_with_opts +noauth mixedcase.secure.example. \
+ @10.53.0.4 $type >dig.out.$type.ns4.test$n || ret=1
+ digcomp --lc dig.out.$type.ns3.test$n dig.out.$type.ns4.test$n || ret=1
+ grep "status: NOERROR" dig.out.$type.ns4.test$n >/dev/null || ret=1
+ grep "flags:.*ad.*QUERY" dig.out.$type.ns4.test$n >/dev/null || ret=1
+done
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
echo_i "checking multi-stage positive validation NSEC/NSEC3 ($n)"
ret=0
dig_with_opts +noauth a.nsec3.example. \
--
2.43.0

1735
SOURCES/bind-9.16-CVE-2023-4408.patch
View File

File diff suppressed because it is too large Load Diff

478
SOURCES/bind-9.16-CVE-2023-50387.patch
Unescape View File

@ -1,478 +0,0 @@
From c6e05ffc5fb784514ab54938867abaab41126c65 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 21:09:51 +0100
Subject: [PATCH] Prevent increased CPU consumption in DNSSEC validator
KeyTrap - Extreme CPU consumption in DNSSEC validator. Preparing an
NSEC3 closest encloser proof can exhaust CPU resources.
6322. [security] Specific DNS answers could cause a denial-of-service
condition due to DNS validation taking a long time.
(CVE-2023-50387) [GL #4424]
Resolves: CVE-2023-50387 CVE-2023-50868
---
lib/dns/dst_api.c | 27 +++++++++----
lib/dns/include/dns/validator.h | 1 +
lib/dns/include/dst/dst.h | 4 ++
lib/dns/resolver.c | 4 +-
lib/dns/validator.c | 67 +++++++++++++++------------------
lib/isc/include/isc/netmgr.h | 3 ++
lib/isc/netmgr/netmgr-int.h | 1 +
lib/isc/netmgr/netmgr.c | 36 +++++++++++-------
lib/isc/netmgr/tcp.c | 6 +--
lib/isc/netmgr/tcpdns.c | 4 +-
lib/isc/netmgr/udp.c | 6 +--
11 files changed, 91 insertions(+), 68 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 62600dd..3aafd7c 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -160,7 +160,8 @@ computeid(dst_key_t *key);
static isc_result_t
frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp);
static isc_result_t
algorithm_status(unsigned int alg);
@@ -745,6 +746,13 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
isc_result_t
dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+ return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp));
+}
+
+isc_result_t
+dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp) {
uint8_t alg, proto;
uint32_t flags, extflags;
dst_key_t *key = NULL;
@@ -775,7 +783,7 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
}
result = frombuffer(name, alg, flags, proto, rdclass, source, mctx,
- &key);
+ no_rdata, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
@@ -796,7 +804,7 @@ dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
REQUIRE(dst_initialized);
result = frombuffer(name, alg, flags, protocol, rdclass, source, mctx,
- &key);
+ false, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
@@ -2288,7 +2296,8 @@ computeid(dst_key_t *key) {
static isc_result_t
frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp) {
dst_key_t *key;
isc_result_t ret;
@@ -2313,10 +2322,12 @@ frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
return (DST_R_UNSUPPORTEDALG);
}
- ret = key->func->fromdns(key, source);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
+ if (!no_rdata) {
+ ret = key->func->fromdns(key, source);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
}
}
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 4744014..fe97e41 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -148,6 +148,7 @@ struct dns_validator {
unsigned int authcount;
unsigned int authfail;
isc_stdtime_t start;
+ bool failed;
};
/*%
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index f454ebb..36770b5 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -469,6 +469,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory);
*/
isc_result_t
+dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp);
+isc_result_t
dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
/*%<
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7cbfbb2..be1d735 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10613,8 +10613,8 @@ dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
* Since we have a pool of tasks we bind them to task queues
* to spread the load evenly
*/
- result = isc_task_create_bound(taskmgr, 0,
- &res->buckets[i].task, i);
+ result = isc_task_create_bound(
+ taskmgr, 0, &res->buckets[i].task, ISC_NM_TASK_SLOW(i));
if (result != ISC_R_SUCCESS) {
isc_mutex_destroy(&res->buckets[i].lock);
goto cleanup_buckets;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index e54fc70..e416cc9 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1098,8 +1098,8 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
* 'rdataset'. If found, build a dst_key_t for it and point val->key at
* it.
*
- * If val->key is already non-NULL, locate it in the rdataset and then
- * search past it for the *next* key that could have signed 'siginfo', then
+ * If val->key is already non-NULL, start searching from the next position in
+ * 'rdataset' to find the *next* key that could have signed 'siginfo', then
* set val->key to that.
*
* Returns ISC_R_SUCCESS if a possible matching key has been found,
@@ -1112,59 +1112,59 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
isc_buffer_t b;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *oldkey = val->key;
- bool foundold;
+ bool no_rdata = false;
if (oldkey == NULL) {
- foundold = true;
+ result = dns_rdataset_first(rdataset);
} else {
- foundold = false;
+ dst_key_free(&oldkey);
val->key = NULL;
+ result = dns_rdataset_next(rdataset);
}
-
- result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS) {
- goto failure;
+ goto done;
}
+
do {
dns_rdataset_current(rdataset, &rdata);
isc_buffer_init(&b, rdata.data, rdata.length);
isc_buffer_add(&b, rdata.length);
INSIST(val->key == NULL);
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
- val->view->mctx, &val->key);
+ result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b,
+ val->view->mctx, no_rdata,
+ &val->key);
if (result == ISC_R_SUCCESS) {
if (siginfo->algorithm ==
(dns_secalg_t)dst_key_alg(val->key) &&
siginfo->keyid ==
(dns_keytag_t)dst_key_id(val->key) &&
+ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+ 0 &&
dst_key_iszonekey(val->key))
{
- if (foundold) {
- /*
- * This is the key we're looking for.
- */
- return (ISC_R_SUCCESS);
- } else if (dst_key_compare(oldkey, val->key)) {
- foundold = true;
- dst_key_free(&oldkey);
+ if (no_rdata) {
+ /* Retry with full key */
+ dns_rdata_reset(&rdata);
+ dst_key_free(&val->key);
+ no_rdata = false;
+ continue;
}
+ /* This is the key we're looking for. */
+ goto done;
}
dst_key_free(&val->key);
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
+ no_rdata = true;
} while (result == ISC_R_SUCCESS);
+done:
if (result == ISC_R_NOMORE) {
result = ISC_R_NOTFOUND;
}
-failure:
- if (oldkey != NULL) {
- dst_key_free(&oldkey);
- }
-
return (result);
}
@@ -1557,20 +1557,9 @@ validate_answer(dns_validator_t *val, bool resume) {
continue;
}
- do {
- isc_result_t tresult;
- vresult = verify(val, val->key, &rdata,
- val->siginfo->keyid);
- if (vresult == ISC_R_SUCCESS) {
- break;
- }
-
- tresult = select_signing_key(val, val->keyset);
- if (tresult != ISC_R_SUCCESS) {
- break;
- }
- } while (1);
+ vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
if (vresult != ISC_R_SUCCESS) {
+ val->failed = true;
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
} else {
@@ -1607,9 +1596,13 @@ validate_answer(dns_validator_t *val, bool resume) {
} else {
validator_log(val, ISC_LOG_DEBUG(3),
"verify failure: %s",
- isc_result_totext(result));
+ isc_result_totext(vresult));
resume = false;
}
+ if (val->failed) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
validator_log(val, ISC_LOG_DEBUG(3),
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index be9fd56..dfabdc8 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -455,6 +455,9 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
* 'cb'.
*/
+#define ISC_NM_TASK_SLOW_OFFSET -2
+#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - i)
+
void
isc_nm_task_enqueue(isc_nm_t *mgr, isc_task_t *task, int threadid);
/*%<
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index f7b54f9..70bb32d 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -673,6 +673,7 @@ struct isc_nm {
#ifdef NETMGR_TRACE
ISC_LIST(isc_nmsocket_t) active_sockets;
#endif
+ int nlisteners;
};
typedef enum isc_nmsocket_type {
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 0ed3182..898de41 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -269,31 +269,34 @@ isc__nm_winsock_destroy(void) {
#endif /* WIN32 */
static void
-isc__nm_threadpool_initialize(uint32_t workers) {
+isc__nm_threadpool_initialize(uint32_t nworkers) {
char buf[11];
int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf,
&(size_t){ sizeof(buf) });
if (r == UV_ENOENT) {
- snprintf(buf, sizeof(buf), "%" PRIu32, workers);
+ snprintf(buf, sizeof(buf), "%" PRIu32, nworkers);
uv_os_setenv("UV_THREADPOOL_SIZE", buf);
}
}
void
-isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
+isc__netmgr_create(isc_mem_t *mctx, uint32_t nworkers, isc_nm_t **netmgrp) {
isc_nm_t *mgr = NULL;
char name[32];
- REQUIRE(workers > 0);
+ REQUIRE(nworkers > 0);
#ifdef WIN32
isc__nm_winsock_initialize();
#endif /* WIN32 */
- isc__nm_threadpool_initialize(workers);
+ isc__nm_threadpool_initialize(nworkers);
mgr = isc_mem_get(mctx, sizeof(*mgr));
- *mgr = (isc_nm_t){ .nworkers = workers };
+ *mgr = (isc_nm_t){
+ .nworkers = nworkers * 2,
+ .nlisteners = nworkers,
+ };
isc_mem_attach(mctx, &mgr->mctx);
isc_mutex_init(&mgr->lock);
@@ -334,11 +337,12 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
isc_mempool_associatelock(mgr->evpool, &mgr->evlock);
isc_mempool_setfillcount(mgr->evpool, 32);
- isc_barrier_init(&mgr->pausing, workers);
- isc_barrier_init(&mgr->resuming, workers);
+ isc_barrier_init(&mgr->pausing, mgr->nworkers);
+ isc_barrier_init(&mgr->resuming, mgr->nworkers);
- mgr->workers = isc_mem_get(mctx, workers * sizeof(isc__networker_t));
- for (size_t i = 0; i < workers; i++) {
+ mgr->workers = isc_mem_get(mctx,
+ mgr->nworkers * sizeof(isc__networker_t));
+ for (int i = 0; i < mgr->nworkers; i++) {
int r;
isc__networker_t *worker = &mgr->workers[i];
*worker = (isc__networker_t){
@@ -373,7 +377,7 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
mgr->workers_running++;
isc_thread_create(nm_thread, &mgr->workers[i], &worker->thread);
- snprintf(name, sizeof(name), "isc-net-%04zu", i);
+ snprintf(name, sizeof(name), "isc-net-%04d", i);
isc_thread_setname(worker->thread, name);
}
@@ -848,9 +852,15 @@ isc_nm_task_enqueue(isc_nm_t *nm, isc_task_t *task, int threadid) {
isc__networker_t *worker = NULL;
if (threadid == -1) {
- tid = (int)isc_random_uniform(nm->nworkers);
+ tid = (int)isc_random_uniform(nm->nlisteners);
+ } else if (threadid == ISC_NM_TASK_SLOW_OFFSET) {
+ tid = nm->nlisteners +
+ (int)isc_random_uniform(nm->nworkers - nm->nlisteners);
+ } else if (threadid < ISC_NM_TASK_SLOW_OFFSET) {
+ tid = nm->nlisteners + (ISC_NM_TASK_SLOW(threadid) %
+ (nm->nworkers - nm->nlisteners));
} else {
- tid = threadid % nm->nworkers;
+ tid = threadid % nm->nlisteners;
}
worker = &nm->workers[tid];
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index 5cca9f5..83bd2e2 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -321,7 +321,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_connectcb(sock, req, result, false);
} else {
isc__nmsocket_clearcb(sock);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_connectcb(sock, req, result, true);
}
atomic_store(&sock->closed, true);
@@ -339,7 +339,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_tcpconnect(mgr, ievent);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
}
@@ -435,7 +435,7 @@ isc_nm_listentcp(isc_nm_t *mgr, isc_sockaddr_t *iface,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
sock->children = isc_mem_get(mgr->mctx, children_size);
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index 188790c..7f13ab2 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -305,7 +305,7 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_tcpdnsconnect(mgr, ievent);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
}
@@ -404,7 +404,7 @@ isc_nm_listentcpdns(isc_nm_t *mgr, isc_sockaddr_t *iface,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
sock->children = isc_mem_get(mgr->mctx, children_size);
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index a91c425..f2e161c 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -126,7 +126,7 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
uv_os_sock_t fd = -1;
/*
- * We are creating mgr->nworkers duplicated sockets, one
+ * We are creating mgr->nlisteners duplicated sockets, one
* socket for each worker thread.
*/
sock = isc_mem_get(mgr->mctx, sizeof(isc_nmsocket_t));
@@ -136,7 +136,7 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
@@ -795,7 +795,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_udpconnect(mgr, event);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)event);
}
--
2.43.0

111
SOURCES/bind-9.16-CVE-2023-5517.patch
Unescape View File

@ -1,111 +0,0 @@
From bef141d5795429cab745f29f7d080d1e2ea8f164 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:33:41 +0100
Subject: [PATCH] Prevent assertion failure when nxdomain-redirect is used with
RFC 1918 reverse zones
6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
---
lib/ns/query.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 4fe3e30..cc1d179 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -453,10 +453,10 @@ static void
query_addnxrrsetnsec(query_ctx_t *qctx);
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
-query_redirect(query_ctx_t *qctx);
+query_redirect(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
query_ncache(query_ctx_t *qctx, isc_result_t result);
@@ -7262,8 +7262,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
* result from the search.
*/
static isc_result_t
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
- isc_result_t result = res;
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
char errmsg[256];
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
@@ -7333,16 +7332,16 @@ root_key_sentinel:
return (query_nodata(qctx, DNS_R_NXRRSET));
case DNS_R_EMPTYWILD:
- return (query_nxdomain(qctx, true));
+ return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
case DNS_R_NXDOMAIN:
- return (query_nxdomain(qctx, false));
+ return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
case DNS_R_COVERINGNSEC:
return (query_coveringnsec(qctx));
case DNS_R_NCACHENXDOMAIN:
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9155,10 +9154,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
* Handle NXDOMAIN and empty wildcard responses.
*/
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
dns_section_t section;
uint32_t ttl;
- isc_result_t result;
+ bool empty_wild = (result == DNS_R_EMPTYWILD);
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
@@ -9167,7 +9166,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
INSIST(qctx->is_zone || REDIRECT(qctx->client));
if (!empty_wild) {
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9253,7 +9252,7 @@ cleanup:
* redirecting, so query processing should continue past it.
*/
static isc_result_t
-query_redirect(query_ctx_t *qctx) {
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
isc_result_t result;
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
@@ -9294,7 +9293,7 @@ query_redirect(query_ctx_t *qctx) {
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
SAVE(qctx->client->query.redirect.sigrdataset,
qctx->sigrdataset);
- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+ qctx->client->query.redirect.result = saved_result;
dns_name_copynf(qctx->fname,
qctx->client->query.redirect.fname);
qctx->client->query.redirect.authoritative =
@@ -9908,7 +9907,7 @@ query_coveringnsec(query_ctx_t *qctx) {
* We now have the proof that we have an NXDOMAIN. Apply
* NXDOMAIN redirection if configured.
*/
- result = query_redirect(qctx);
+ result = query_redirect(qctx, DNS_R_COVERINGNSEC);
if (result != ISC_R_COMPLETE) {
redirected = true;
goto cleanup;
--
2.43.0

37
SOURCES/bind-9.16-CVE-2023-5679.patch
Unescape View File

@ -1,37 +0,0 @@
From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:41:43 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: CVE-2023-5679
---
lib/ns/query.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index cc1d179..1993800 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
query_ctx_t qctx;
qctx_init(client, NULL, client->query.qtype, &qctx);
+ if (DNS64(client)) {
+ qctx.qtype = qctx.type = dns_rdatatype_a;
+ qctx.dns64 = true;
+ }
+ if (DNS64EXCLUDE(client)) {
+ qctx.dns64_exclude = true;
+ }
dns_db_attach(client->view->cachedb, &qctx.db);
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
--
2.43.0

52
SOURCES/bind-9.16-CVE-2023-6516-test.patch
Unescape View File

@ -1,52 +0,0 @@
From e91ab7758bed0cf3dcf8ed745f91063d7ec4011c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 4 Jan 2024 13:39:27 +0100
Subject: [PATCH] Fix map offsets in the "masterformat" system test
The "masterformat" system test attempts to check named-checkzone
behavior when it is fed corrupt map-format zone files. However, despite
the RBTDB and RBT structures having evolved over the years, the offsets
at which a valid map-format zone file is malformed by the "masterformat"
test have not been updated accordingly, causing the relevant checks to
introduce a different type of corruption than they were originally meant
to cause:
- the "bad node header" check originally mangled the 'type' member of
the rdatasetheader_t structure for cname.example.nil,
- the "bad node data" check originally mangled the 'serial' and
'rdh_ttl' members of the rdatasetheader_t structure for
aaaa.example.nil.
Update the offsets at which the map-format zone file is malformed at by
the "masterformat" system test so that the relevant checks fulfill their
original purpose again.
---
bin/tests/system/masterformat/tests.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
index 364a0d2..bb4e6ec 100755
--- a/bin/tests/system/masterformat/tests.sh
+++ b/bin/tests/system/masterformat/tests.sh
@@ -295,7 +295,7 @@ status=$((status+ret))
echo_i "checking corrupt map files fail to load (bad node header) ($n)"
ret=0
cp map.5 badmap
-stomp badmap 2754 2 99
+stomp badmap 3706 2 99
$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
[ $? = 1 ] || ret=1
n=$((n+1))
@@ -305,7 +305,7 @@ status=$((status+ret))
echo_i "checking corrupt map files fail to load (bad node data) ($n)"
ret=0
cp map.5 badmap
-stomp badmap 2897 5 127
+stomp badmap 3137 5 127
$CHECKZONE -D -f map -F text -o text.5 example.nil badmap > /dev/null
[ $? = 1 ] || ret=1
n=$((n+1))
--
2.44.0

283
SOURCES/bind-9.16-CVE-2023-6516.patch
Unescape View File

@ -1,283 +0,0 @@
From 6e08fef24d7ba491228a4083ea0f0e33253a1043 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:48:57 +0100
Subject: [PATCH] Specific recursive query patterns may lead to an
out-of-memory condition
6319. [security] Query patterns that continuously triggered cache
database maintenance could exhaust all available memory
on the host running named. (CVE-2023-6516) [GL #4383]
Resolves: CVE-2023-6516
---
lib/dns/include/dns/rbt.h | 6 ++
lib/dns/mapapi | 2 +-
lib/dns/rbt.c | 1 +
lib/dns/rbtdb.c | 149 +++++++++++++++++++++++++-------------
4 files changed, 107 insertions(+), 51 deletions(-)
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index b67e602..69655b0 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -164,6 +164,12 @@ struct dns_rbtnode {
uint16_t locknum; /* note that this is not in the bitfield */
isc_refcount_t references;
/*@}*/
+
+ /*%
+ * This linked list is used to store nodes from which tree pruning can
+ * be started.
+ */
+ ISC_LINK(dns_rbtnode_t) prunelink;
};
typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
diff --git a/lib/dns/mapapi b/lib/dns/mapapi
index 1b502d3..a46e190 100644
--- a/lib/dns/mapapi
+++ b/lib/dns/mapapi
@@ -13,4 +13,4 @@
# Whenever releasing a new major release of BIND9, set this value
# back to 1.0 when releasing the first alpha. Map files are *never*
# compatible across major releases.
-MAPAPI=3.0
+MAPAPI=4.0
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 7f2c2d2..a220368 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -2283,6 +2283,7 @@ create_node(isc_mem_t *mctx, const dns_name_t *name, dns_rbtnode_t **nodep) {
HASHVAL(node) = 0;
ISC_LINK_INIT(node, deadlink);
+ ISC_LINK_INIT(node, prunelink);
LOCKNUM(node) = 0;
WILD(node) = 0;
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 75f97f5..2707507 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -515,6 +515,10 @@ struct dns_rbtdb {
*/
rbtnodelist_t *deadnodes;
+ /* List of nodes from which recursive tree pruning can be started from.
+ * Locked by tree_lock. */
+ rbtnodelist_t prunenodes;
+
/*
* Heaps. These are used for TTL based expiry in a cache,
* or for zone resigning in a zone DB. hmctx is the memory
@@ -1060,6 +1064,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
unsigned int i;
isc_result_t result;
char buf[DNS_NAME_FORMATSIZE];
+ dns_rbtnode_t *node = NULL;
dns_rbt_t **treep;
isc_time_t start;
dns_dbonupdatelistener_t *listener, *listener_next;
@@ -1086,8 +1091,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
* the overhead of unlinking all nodes here should be negligible.
*/
for (i = 0; i < rbtdb->node_lock_count; i++) {
- dns_rbtnode_t *node;
-
node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
while (node != NULL) {
ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
@@ -1095,6 +1098,12 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
}
}
+ node = ISC_LIST_HEAD(rbtdb->prunenodes);
+ while (node != NULL) {
+ ISC_LIST_UNLINK(rbtdb->prunenodes, node, prunelink);
+ node = ISC_LIST_HEAD(rbtdb->prunenodes);
+ }
+
if (event == NULL) {
rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
}
@@ -1934,19 +1943,32 @@ is_leaf(dns_rbtnode_t *node) {
node->left == NULL && node->right == NULL);
}
+/*%
+ * The tree lock must be held when this function is called as it reads and
+ * updates rbtdb->prunenodes.
+ */
static inline void
send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
isc_rwlocktype_t locktype) {
- isc_event_t *ev;
- dns_db_t *db;
+ bool pruning_queued = (ISC_LIST_HEAD(rbtdb->prunenodes) != NULL);
+
+ INSIST(locktype == isc_rwlocktype_write);
- ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
- prune_tree, node, sizeof(isc_event_t));
new_reference(rbtdb, node, locktype);
- db = NULL;
- attach((dns_db_t *)rbtdb, &db);
- ev->ev_sender = db;
- isc_task_send(rbtdb->task, &ev);
+ INSIST(!ISC_LINK_LINKED(node, prunelink));
+ ISC_LIST_APPEND(rbtdb->prunenodes, node, prunelink);
+
+ if (!pruning_queued) {
+ isc_event_t *ev = NULL;
+ dns_db_t *db = NULL;
+
+ attach((dns_db_t *)rbtdb, &db);
+
+ ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+ DNS_EVENT_RBTPRUNE, prune_tree, db,
+ sizeof(isc_event_t));
+ isc_task_send(rbtdb->task, &ev);
+ }
}
/*%
@@ -2220,17 +2242,26 @@ restore_locks:
}
/*
- * Prune the tree by recursively cleaning-up single leaves. In the worst
- * case, the number of iteration is the number of tree levels, which is at
- * most the maximum number of domain name labels, i.e, 127. In practice, this
- * should be much smaller (only a few times), and even the worst case would be
- * acceptable for a single event.
+ * Prune the tree by recursively cleaning up single leaves. Go through all
+ * nodes stored in the rbtdb->prunenodes list; for each of them, in the worst
+ * case, it will be necessary to traverse a number of tree levels equal to the
+ * maximum legal number of domain name labels (127); in practice, the number of
+ * tree levels to traverse will virtually always be much smaller (a few levels
+ * at most). While holding the tree lock throughout this entire operation is
+ * less than ideal, so is splitting the latter up by queueing a separate
+ * prune_tree() run for each node to start pruning from (as queueing requires
+ * allocating memory and can therefore potentially be exploited to exhaust
+ * available memory). Also note that actually freeing up the memory used by
+ * RBTDB nodes (which is what this function does) is essential to keeping cache
+ * memory use in check, so since the tree lock needs to be acquired anyway,
+ * freeing as many nodes as possible before the tree lock gets released is
+ * prudent.
*/
static void
prune_tree(isc_task_t *task, isc_event_t *event) {
- dns_rbtdb_t *rbtdb = event->ev_sender;
- dns_rbtnode_t *node = event->ev_arg;
- dns_rbtnode_t *parent;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)event->ev_arg;
+ dns_rbtnode_t *node = NULL;
+ dns_rbtnode_t *parent = NULL;
unsigned int locknum;
UNUSED(task);
@@ -2238,44 +2269,60 @@ prune_tree(isc_task_t *task, isc_event_t *event) {
isc_event_free(&event);
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
- locknum = node->locknum;
- NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
- do {
- parent = node->parent;
- decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
- isc_rwlocktype_write, true);
- if (parent != NULL && parent->down == NULL) {
- /*
- * node was the only down child of the parent and has
- * just been removed. We'll then need to examine the
- * parent. Keep the lock if possible; otherwise,
- * release the old lock and acquire one for the parent.
- */
- if (parent->locknum != locknum) {
- NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
- isc_rwlocktype_write);
- locknum = parent->locknum;
- NODE_LOCK(&rbtdb->node_locks[locknum].lock,
- isc_rwlocktype_write);
+ while ((node = ISC_LIST_HEAD(rbtdb->prunenodes)) != NULL) {
+ locknum = node->locknum;
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ do {
+ if (ISC_LINK_LINKED(node, prunelink)) {
+ ISC_LIST_UNLINK(rbtdb->prunenodes, node,
+ prunelink);
}
- /*
- * We need to gain a reference to the node before
- * decrementing it in the next iteration.
- */
- if (ISC_LINK_LINKED(parent, deadlink)) {
- ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+ parent = node->parent;
+ decrement_reference(rbtdb, node, 0,
+ isc_rwlocktype_write,
+ isc_rwlocktype_write, true);
+
+ if (parent != NULL && parent->down == NULL) {
+ /*
+ * node was the only down child of the parent
+ * and has just been removed. We'll then need
+ * to examine the parent. Keep the lock if
+ * possible; otherwise, release the old lock and
+ * acquire one for the parent.
+ */
+ if (parent->locknum != locknum) {
+ NODE_UNLOCK(
+ &rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ locknum = parent->locknum;
+ NODE_LOCK(
+ &rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
+
+ /*
+ * We need to gain a reference to the node
+ * before decrementing it in the next iteration.
+ */
+ if (ISC_LINK_LINKED(parent, deadlink)) {
+ ISC_LIST_UNLINK(
+ rbtdb->deadnodes[locknum],
parent, deadlink);
+ }
+ new_reference(rbtdb, parent,
+ isc_rwlocktype_write);
+ } else {
+ parent = NULL;
}
- new_reference(rbtdb, parent, isc_rwlocktype_write);
- } else {
- parent = NULL;
- }
- node = parent;
- } while (node != NULL);
- NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+ node = parent;
+ } while (node != NULL);
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
detach((dns_db_t **)&rbtdb);
@@ -8726,6 +8773,8 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
ISC_LIST_INIT(rbtdb->deadnodes[i]);
}
+ ISC_LIST_INIT(rbtdb->prunenodes);
+
rbtdb->active = rbtdb->node_lock_count;
for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
--
2.43.0

2947
SOURCES/bind-9.16-CVE-2024-1737-records-test.patch
View File

File diff suppressed because it is too large Load Diff

27
SOURCES/bind-9.16-CVE-2024-1737-records-test2.patch
Unescape View File

@ -1,27 +0,0 @@
From 7bc5e5abf5a3cd66f11cc649b6ecf4c39c92bd9e Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 9 Aug 2024 12:32:20 +0200
Subject: [PATCH] fixup! Add test for not-loading and not-transfering huge
RRSets
---
bin/tests/system/conf.sh.common | 3 +++
1 file changed, 3 insertions(+)
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index 9fab00f..e617595 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -301,6 +301,9 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
+# Default HMAC algorithm.
+export DEFAULT_HMAC=hmac-sha256
+
#
# Useful functions in test scripts
#
--
2.45.2

1152
SOURCES/bind-9.16-CVE-2024-1737-records.patch
View File

File diff suppressed because it is too large Load Diff

6323
SOURCES/bind-9.16-CVE-2024-1737-types-test.patch
View File

File diff suppressed because it is too large Load Diff

582
SOURCES/bind-9.16-CVE-2024-1737-types.patch
Unescape View File

@ -1,582 +0,0 @@
From a1c95d5fa479ac722f0cf758c494a37ffe1508c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Sat, 25 May 2024 11:46:56 +0200
Subject: [PATCH] Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k). As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).
Add a configurable limit to cap the number of the RR types for a single
owner. This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.
(cherry picked from commit 00d16211d6368b99f070c1182d8c76b3798ca1db)
(cherry picked from commit 89f1779bc28b27adbd00325b974ede7a683f8632)
fix a memory leak that could occur when signing
when signatures were not added because of too many types already
existing at a node, the diff was not being cleaned up; this led to
a memory leak being reported at shutdown.
(cherry picked from commit 2825bdb1ae5be801e7ed603ba2455ed9a308f1f7)
(cherry picked from commit a080317de0efb7f6ffa12415a863729d416007d5)
Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:
1. If the new header type is in our priority list, we always add either
positive or negative entry at the beginning of the list.
2. If the new header type is negative entry, and we are over the limit,
we mark it as ancient immediately, so it gets evicted from the cache
as soon as possible.
3. Otherwise add the new header after the priority headers (or at the
head of the list).
4. If we are over the limit, evict the last entry on the normal header
list.
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
(cherry picked from commit 92a680a3ef708281267e4fd7b1e62b57c929447b)
Log error when update fails
The new "too many records" error can make an update fail without the
error being logged. This commit fixes that.
(cherry picked from commit 558923e5405894cf976d102f0d246a28bdbb400c)
(cherry picked from commit d72adf4b927d83a2a0ff8e431b911ec1df7aeb88)
---
bin/named/config.c | 1 +
bin/named/server.c | 9 +++++++++
bin/named/zoneconf.c | 8 ++++++++
bin/tests/system/dyndb/driver/db.c | 3 ++-
doc/arm/reference.rst | 12 ++++++++++++
lib/dns/cache.c | 12 ++++++++++++
lib/dns/db.c | 9 +++++++++
lib/dns/dnsrps.c | 3 ++-
lib/dns/ecdb.c | 3 ++-
lib/dns/include/dns/cache.h | 6 ++++++
lib/dns/include/dns/db.h | 11 +++++++++++
lib/dns/include/dns/view.h | 7 +++++++
lib/dns/include/dns/zone.h | 13 +++++++++++++
lib/dns/rbtdb.c | 28 +++++++++++++++++-----------
lib/dns/sdb.c | 3 ++-
lib/dns/sdlz.c | 3 ++-
lib/dns/view.c | 10 ++++++++++
lib/dns/zone.c | 16 ++++++++++++++++
lib/isccfg/namedconf.c | 3 +++
lib/ns/update.c | 15 ++++++++++++---
20 files changed, 156 insertions(+), 19 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index 9cba6f588b..c9888ada65 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -218,6 +218,7 @@ options {\n\
max-records-per-type 100;\n\
max-refresh-time 2419200; /* 4 weeks */\n\
max-retry-time 1209600; /* 2 weeks */\n\
+ max-types-per-name 100;\n\
max-transfer-idle-in 60;\n\
max-transfer-idle-out 60;\n\
max-transfer-time-in 120;\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index 7bf5f2664d..4cc69b54a1 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -5427,6 +5427,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
INSIST(result == ISC_R_SUCCESS);
dns_view_setmaxrrperset(view, cfg_obj_asuint32(obj));
+ /*
+ * This is used for the cache and also as a default value
+ * for zone databases.
+ */
+ obj = NULL;
+ result = named_config_get(maps, "max-types-per-name", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_view_setmaxtypepername(view, cfg_obj_asuint32(obj));
+
obj = NULL;
result = named_config_get(maps, "max-recursion-depth", &obj);
INSIST(result == ISC_R_SUCCESS);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index ae5cc656ee..f6e8c64866 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1100,6 +1100,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setmaxrrperset(zone, 0);
}
+ obj = NULL;
+ result = named_config_get(maps, "max-types-per-name", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ dns_zone_setmaxtypepername(mayberaw, cfg_obj_asuint32(obj));
+ if (zone != mayberaw) {
+ dns_zone_setmaxtypepername(zone, 0);
+ }
+
if (raw != NULL && filename != NULL) {
#define SIGNED ".signed"
size_t signedlen = strlen(filename) + sizeof(SIGNED);
diff --git a/bin/tests/system/dyndb/driver/db.c b/bin/tests/system/dyndb/driver/db.c
index 6725a3bacd..c95fc8212b 100644
--- a/bin/tests/system/dyndb/driver/db.c
+++ b/bin/tests/system/dyndb/driver/db.c
@@ -593,7 +593,8 @@ static dns_dbmethods_t sampledb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
/* Auxiliary driver functions. */
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index b1983ef30d..a8a3c7911d 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2902,6 +2902,18 @@ system.
a failure. If set to 0, there is no cap on RRset size. The default is
100.
+``max-types-per-name``
+ This sets the maximum number of resource record types that can be stored
+ for a single owner name in a database. When configured in ``options``
+ or ``view``, it controls the cache database, and also sets
+ the default value for zone databases, which can be overridden by setting
+ it at the ``zone`` level
+
+ If set to a positive value, any attempt to cache or to add to a zone an owner
+ name with more than the specified number of resource record types will result
+ in a failure. If set to 0, there is no cap on RR types number. The default is
+ 100.
+
``recursive-clients``
This sets the maximum number (a "hard quota") of simultaneous recursive lookups
the server performs on behalf of clients. The default is
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 9f0412dbe7..0b474fc313 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -150,6 +150,7 @@ struct dns_cache {
/* Access to the on-disk cache file is also locked by 'filelock'. */
uint32_t maxrrperset;
+ uint32_t maxtypepername;
};
/***
@@ -178,6 +179,7 @@ cache_create_db(dns_cache_t *cache, dns_db_t **db) {
if (result == ISC_R_SUCCESS) {
dns_db_setservestalettl(*db, cache->serve_stale_ttl);
dns_db_setmaxrrperset(*db, cache->maxrrperset);
+ dns_db_setmaxtypepername(*db, cache->maxtypepername);
}
return (result);
}
@@ -1290,6 +1292,16 @@ dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value) {
}
}
+void
+dns_cache_setmaxtypepername(dns_cache_t *cache, uint32_t value) {
+ REQUIRE(VALID_CACHE(cache));
+
+ cache->maxtypepername = value;
+ if (cache->db != NULL) {
+ dns_db_setmaxtypepername(cache->db, value);
+ }
+}
+
/*
* XXX: Much of the following code has been copied in from statschannel.c.
* We should refactor this into a generic function in stats.c that can be
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 8439265a7f..18583d41c2 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1131,3 +1131,12 @@ dns_db_setmaxrrperset(dns_db_t *db, uint32_t value) {
(db->methods->setmaxrrperset)(db, value);
}
}
+
+void
+dns_db_setmaxtypepername(dns_db_t *db, uint32_t value) {
+ REQUIRE(DNS_DB_VALID(db));
+
+ if (db->methods->setmaxtypepername != NULL) {
+ (db->methods->setmaxtypepername)(db, value);
+ }
+}
diff --git a/lib/dns/dnsrps.c b/lib/dns/dnsrps.c
index 539090d1bd..e1a1b21a8b 100644
--- a/lib/dns/dnsrps.c
+++ b/lib/dns/dnsrps.c
@@ -971,7 +971,8 @@ static dns_dbmethods_t rpsdb_db_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
static dns_rdatasetmethods_t rpsdb_rdataset_methods = {
diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
index bab5da5503..27d03b4e3a 100644
--- a/lib/dns/ecdb.c
+++ b/lib/dns/ecdb.c
@@ -560,7 +560,8 @@ static dns_dbmethods_t ecdb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
static isc_result_t
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 3fa2a891e0..72de21600a 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -343,6 +343,12 @@ dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value);
* Set the maximum resource records per RRSet that can be cached.
*/
+void
+dns_cache_setmaxtypepername(dns_cache_t *cache, uint32_t value);
+/*%<
+ * Set the maximum resource record types per owner name that can be cached.
+ */
+
#ifdef HAVE_LIBXML2
int
dns_cache_renderxml(dns_cache_t *cache, void *writer0);
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index 732bfe473d..411881d48a 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -183,6 +183,7 @@ typedef struct dns_dbmethods {
isc_result_t (*setgluecachestats)(dns_db_t *db, isc_stats_t *stats);
isc_result_t (*adjusthashsize)(dns_db_t *db, size_t size);
void (*setmaxrrperset)(dns_db_t *db, uint32_t value);
+ void (*setmaxtypepername)(dns_db_t *db, uint32_t value);
} dns_dbmethods_t;
typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t *mctx,
@@ -1791,6 +1792,16 @@ dns_db_setmaxrrperset(dns_db_t *db, uint32_t value);
* is nonzero, then any subsequent attempt to add an rdataset with
* more than 'value' RRs will return ISC_R_NOSPACE.
*/
+
+void
+dns_db_setmaxtypepername(dns_db_t *db, uint32_t value);
+/*%<
+ * Set the maximum permissible number of RR types per owner name.
+ *
+ * If 'value' is nonzero, then any subsequent attempt to add an rdataset with a
+ * RR type that would exceed the number of already stored RR types will return
+ * ISC_R_NOSPACE.
+ */
ISC_LANG_ENDDECLS
#endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 0d502f4dd2..0a72f58e98 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -187,6 +187,7 @@ struct dns_view {
uint32_t fail_ttl;
dns_badcache_t *failcache;
uint32_t maxrrperset;
+ uint32_t maxtypepername;
/*
* Configurable data for server use only,
@@ -1346,6 +1347,12 @@ dns_view_setmaxrrperset(dns_view_t *view, uint32_t value);
* Set the maximum resource records per RRSet that can be cached.
*/
+void
+dns_view_setmaxtypepername(dns_view_t *view, uint32_t value);
+/*%<
+ * Set the maximum resource record types per owner name that can be cached.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index e902043357..6fca11f3fd 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -356,6 +356,19 @@ dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t maxrrperset);
*\li void
*/
+void
+dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t maxtypepername);
+/*%<
+ * Sets the maximum number of resource record types per owner name
+ * permitted in a zone. 0 implies unlimited.
+ *
+ * Requires:
+ *\li 'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li void
+ */
+
void
dns_zone_setmaxttl(dns_zone_t *zone, uint32_t maxttl);
/*%<
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index ca71bb9c03..ed5015c2d4 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -483,6 +483,7 @@ struct dns_rbtdb {
rbtdb_serial_t least_serial;
rbtdb_serial_t next_serial;
uint32_t maxrrperset;
+ uint32_t maxtypepername;
rbtdb_version_t *current_version;
rbtdb_version_t *future_version;
rbtdb_versionlist_t open_versions;
@@ -6222,19 +6223,13 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
-#ifndef DNS_RBTDB_MAX_RTYPES
-#define DNS_RBTDB_MAX_RTYPES 100
-#endif /* DNS_RBTDB_MAX_RTYPES */
-
static bool
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
- UNUSED(rbtdb);
-
- if (DNS_RBTDB_MAX_RTYPES == 0) {
+ if (rbtdb->maxtypepername == 0) {
return (false);
}
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+ return (ntypes >= rbtdb->maxtypepername);
}
static bool
@@ -6794,7 +6789,7 @@ find_header:
if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
- return (ISC_R_QUOTA);
+ return (DNS_R_TOOMANYRECORDS);
}
newheader->down = NULL;
@@ -8623,6 +8618,15 @@ setmaxrrperset(dns_db_t *db, uint32_t maxrrperset) {
rbtdb->maxrrperset = maxrrperset;
}
+static void
+setmaxtypepername(dns_db_t *db, uint32_t maxtypepername) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ rbtdb->maxtypepername = maxtypepername;
+}
+
static dns_stats_t *
getrrsetstats(dns_db_t *db) {
dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
@@ -8747,7 +8751,8 @@ static dns_dbmethods_t zone_methods = { attach,
NULL, /* getservestalerefresh */
setgluecachestats,
adjusthashsize,
- setmaxrrperset };
+ setmaxrrperset,
+ setmaxtypepername };
static dns_dbmethods_t cache_methods = { attach,
detach,
@@ -8800,7 +8805,8 @@ static dns_dbmethods_t cache_methods = { attach,
getservestalerefresh,
NULL,
adjusthashsize,
- setmaxrrperset };
+ setmaxrrperset,
+ setmaxtypepername };
isc_result_t
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 84cd324fb4..77a5834b76 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -1313,7 +1313,8 @@ static dns_dbmethods_t sdb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
static isc_result_t
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index 60a1d23b3b..418a4a14ee 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -1285,7 +1285,8 @@ static dns_dbmethods_t sdlzdb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
/*
diff --git a/lib/dns/view.c b/lib/dns/view.c
index a672aa8bc8..98579f03d9 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -871,6 +871,7 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache, bool shared) {
INSIST(DNS_DB_VALID(view->cachedb));
dns_cache_setmaxrrperset(view->cache, view->maxrrperset);
+ dns_cache_setmaxtypepername(view->cache, view->maxtypepername);
}
bool
@@ -2555,3 +2556,12 @@ dns_view_setmaxrrperset(dns_view_t *view, uint32_t value) {
dns_cache_setmaxrrperset(view->cache, value);
}
}
+
+void
+dns_view_setmaxtypepername(dns_view_t *view, uint32_t value) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ view->maxtypepername = value;
+ if (view->cache != NULL) {
+ dns_cache_setmaxtypepername(view->cache, value);
+ }
+}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 5c8d97ed18..e1fb9ab50b 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -277,6 +277,7 @@ struct dns_zone {
uint32_t maxrecords;
uint32_t maxrrperset;
+ uint32_t maxtypepername;
isc_sockaddr_t *masters;
isc_dscp_t *masterdscps;
@@ -9959,6 +9960,7 @@ cleanup:
}
dns_diff_clear(&_sig_diff);
+ dns_diff_clear(&post_diff);
for (i = 0; i < nkeys; i++) {
dst_key_free(&zone_keys[i]);
@@ -12168,6 +12170,16 @@ dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t val) {
}
}
+void
+dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t val) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->maxtypepername = val;
+ if (zone->db != NULL) {
+ dns_db_setmaxtypepername(zone->db, val);
+ }
+}
+
static bool
notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
isc_sockaddr_t *addr, dns_tsigkey_t *key) {
@@ -14573,6 +14585,8 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
}
dns_db_settask(stub->db, zone->task);
dns_db_setmaxrrperset(stub->db, zone->maxrrperset);
+ dns_db_setmaxtypepername(stub->db,
+ zone->maxtypepername);
}
result = dns_db_newversion(stub->db, &stub->version);
@@ -17295,6 +17309,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
zone_attachdb(zone, db);
dns_db_settask(zone->db, zone->task);
dns_db_setmaxrrperset(zone->db, zone->maxrrperset);
+ dns_db_setmaxtypepername(zone->db, zone->maxtypepername);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
return (ISC_R_SUCCESS);
@@ -23444,6 +23459,7 @@ dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) {
dns_db_settask(db, zone->task);
dns_db_setmaxrrperset(db, zone->maxrrperset);
+ dns_db_setmaxtypepername(db, zone->maxtypepername);
*dbp = db;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index dce30537dd..ac9fc2af5e 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2239,6 +2239,9 @@ static cfg_clausedef_t zone_clauses[] = {
{ "max-records-per-type", &cfg_type_uint32,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT },
+ { "max-types-per-name", &cfg_type_uint32,
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+ CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT },
{ "max-refresh-time", &cfg_type_uint32,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
{ "max-retry-time", &cfg_type_uint32,
diff --git a/lib/ns/update.c b/lib/ns/update.c
index c5ce1eaf09..0e0bdc9c03 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -3112,9 +3112,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_diff_clear(&ctx.add_diff);
goto failure;
}
- CHECK(update_one_rr(db, ver, &diff,
- DNS_DIFFOP_ADD,
- name, ttl, &rdata));
+ result = update_one_rr(
+ db, ver, &diff, DNS_DIFFOP_ADD,
+ name, ttl, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "adding an RR "
+ "failed: %s",
+ isc_result_totext(
+ result));
+ goto failure;
+ }
}
}
} else if (update_class == dns_rdataclass_any) {
--
2.45.2

364
SOURCES/bind-9.16-CVE-2024-1737.patch
Unescape View File

@ -1,364 +0,0 @@
From c5357835c98b7b028f8a041b6976bb335c9a4056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 1 Mar 2024 08:26:07 +0100
Subject: [PATCH] Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.
The fix for end-of-life branches make the limit compile-time only for
simplicity and the limit can be changed at the compile time by adding
following define to CFLAGS:
-DDNS_RDATASET_MAX_RECORDS=<limit>
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
(cherry picked from commit fdabf4b9570a60688f9f7d1e88d885f7a3718bca)
Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k). As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).
Add a hard-coded limit (100) to cap the number of the RR types for a single
owner. The limit can be changed at the compile time by adding following
define to CFLAGS:
-DDNS_RBTDB_MAX_RTYPES=<limit>
(cherry picked from commit dfcadc2085c8844b5836aff2b5ea51fb60c34868)
Optimize the slabheader placement for certain RRTypes
Mark the infrastructure RRTypes as "priority" types and place them at
the beginning of the rdataslab header data graph. The non-priority
types either go right after the priority types (if any).
(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
(cherry picked from commit 8ef414a7f38a04cfc11df44adaedaf3126fa3878)
Expand the list of the priority types
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
(cherry picked from commit b27c6bcce894786a8e082eafd59eccbf6f2731cb)
(cherry picked from commit d56d2a32b861e81c2aaaabd309c4c58b629ede32)
Make the resolver qtype ANY test order agnostic
Instead of relying on a specific order of the RR types in the databases
pick the first RR type as returned from the cache.
(cherry picked from commit 58f660cf2b800963fa649bc9823a626009db3a7e)
(cherry picked from commit c5ebda6deb0997dc520b26fa0639891459de5cb6)
Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:
1. If the new header type is in our priority list, we always add either
positive or negative entry at the beginning of the list.
2. If the new header type is negative entry, and we are over the limit,
we mark it as ancient immediately, so it gets evicted from the cache
as soon as possible.
3. Otherwise add the new header after the priority headers (or at the
head of the list).
4. If we are over the limit, evict the last entry on the normal header
list.
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
(cherry picked from commit 26c9da5f2857b72077c17e06ac79f068c63782cc)
---
bin/tests/system/resolver/tests.sh | 9 ++-
configure | 2 +-
configure.ac | 2 +-
lib/dns/rbtdb.c | 125 ++++++++++++++++++++++++++++-
lib/dns/rdataslab.c | 12 +++
5 files changed, 144 insertions(+), 6 deletions(-)
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 6c69c1104e..bd997a61a4 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -553,15 +553,20 @@ n=`expr $n + 1`
echo_i "check prefetch qtype * (${n})"
ret=0
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.1.${n} || ret=1
-ttl1=`awk '/"A" "short" "ttl"/ { print $2 - 3 }' dig.out.1.${n}`
+ttl1=$(awk '/^fetchall.tld/ { print $2 - 3; exit }' dig.out.1.${n})
# sleep so we are in prefetch range
sleep ${ttl1:-0}
# trigger prefetch
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.2.${n} || ret=1
-ttl2=`awk '/"A" "short" "ttl"/ { print $2 }' dig.out.2.${n}`
+ttl2=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.2.${n})
sleep 1
# check that the nameserver is still alive
$DIG $DIGOPTS @10.53.0.5 fetchall.tld any > dig.out.3.${n} || ret=1
+# note that only the first record is prefetched,
+# because of the order of the records in the cache
+$DIG $DIGOPTS @10.53.0.5 fetchall.tld any >dig.out.3.${n} || ret=1
+ttl3=$(awk '/^fetchall.tld/ { print $2; exit }' dig.out.3.${n})
+test "${ttl3:-0}" -gt "${ttl2:-1}" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
diff --git a/configure b/configure
index ed2d4869e5..be0f60eaba 100755
--- a/configure
+++ b/configure
@@ -12295,7 +12295,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/configure.ac b/configure.ac
index 287de41369..3ff4bdd135 100644
--- a/configure.ac
+++ b/configure.ac
@@ -94,7 +94,7 @@ AC_ARG_ENABLE([developer],
XTARGETS=
AS_IF([test "$enable_developer" = "yes"],
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 2707507bd7..e840c0665d 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -967,6 +967,48 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
}
}
+static bool
+prio_type(rbtdb_rdatatype_t type) {
+ switch (type) {
+ case dns_rdatatype_soa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ case dns_rdatatype_a:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_mx:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
+ case dns_rdatatype_aaaa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ case dns_rdatatype_nsec:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
+ case dns_rdatatype_nsec3:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
+ case dns_rdatatype_ns:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
+ case dns_rdatatype_ds:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ case dns_rdatatype_cname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ case dns_rdatatype_dname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
+ case dns_rdatatype_svcb:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_svcb):
+ case dns_rdatatype_https:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_https):
+ case dns_rdatatype_dnskey:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
+ case dns_rdatatype_srv:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
+ case dns_rdatatype_txt:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
+ case dns_rdatatype_ptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
+ case dns_rdatatype_naptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
+ return (true);
+ }
+ return (false);
+}
+
/*%
* These functions allow the heap code to rank the priority of each
* element. It returns true if v1 happens "sooner" than v2.
@@ -6179,6 +6221,30 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
+#ifndef DNS_RBTDB_MAX_RTYPES
+#define DNS_RBTDB_MAX_RTYPES 100
+#endif /* DNS_RBTDB_MAX_RTYPES */
+
+static bool
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ UNUSED(rbtdb);
+
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
+ return (false);
+ }
+
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+}
+
+static bool
+prio_header(rdatasetheader_t *header) {
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
+ return (true);
+ }
+
+ return (prio_type(header->type));
+}
+
/*
* write lock on rbtnode must be held.
*/
@@ -6190,6 +6256,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
rdatasetheader_t *header = NULL, *sigheader = NULL;
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
unsigned char *merged = NULL;
isc_result_t result;
bool header_nx;
@@ -6199,6 +6266,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
+ uint32_t ntypes = 0;
/*
* Add an rdatasetheader_t to a node.
@@ -6272,6 +6340,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
topheader = topheader->next) {
if (topheader->type == sigtype) {
sigheader = topheader;
+ break;
}
}
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
@@ -6331,6 +6400,15 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next) {
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
+ ++ntypes;
+ expireheader = topheader;
+ } else if (!IS_CACHE(rbtdb)) {
+ ++ntypes;
+ }
+ if (prio_header(topheader)) {
+ prioheader = topheader;
+ }
if (topheader->type == newheader->type ||
topheader->type == negtype) {
break;
@@ -6712,9 +6790,52 @@ find_header:
/*
* No rdatasets of the given type exist at the node.
*/
- newheader->next = rbtnode->data;
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ return (ISC_R_QUOTA);
+ }
+
newheader->down = NULL;
- rbtnode->data = newheader;
+
+ if (prio_header(newheader)) {
+ /* This is a priority type, prepend it */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ } else if (prioheader != NULL) {
+ /* Append after the priority headers */
+ newheader->next = prioheader->next;
+ prioheader->next = newheader;
+ } else {
+ /* There were no priority headers */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ }
+
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ if (expireheader == NULL) {
+ expireheader = newheader;
+ }
+ if (NEGATIVE(newheader) &&
+ !prio_header(newheader))
+ {
+ /*
+ * Add the new non-priority negative
+ * header to the database only
+ * temporarily.
+ */
+ expireheader = newheader;
+ }
+
+ set_ttl(rbtdb, expireheader, 0);
+ mark_header_ancient(rbtdb, expireheader);
+ /*
+ * FIXME: In theory, we should mark the RRSIG
+ * and the header at the same time, but there is
+ * no direct link between those two header, so
+ * we would have to check the whole list again.
+ */
+ }
}
}
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 1d5e88f745..dda903819a 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -110,6 +110,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
}
#endif /* if DNS_RDATASET_FIXED */
+#ifndef DNS_RDATASET_MAX_RECORDS
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen) {
@@ -154,6 +158,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
if (nitems > 0xffff) {
return (ISC_R_NOSPACE);
}
@@ -520,6 +528,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif /* if DNS_RDATASET_FIXED */
INSIST(ocount > 0 && ncount > 0);
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
#if DNS_RDATASET_FIXED
oncount = ncount;
#endif /* if DNS_RDATASET_FIXED */
--
2.45.2

318
SOURCES/bind-9.16-CVE-2024-1975.patch
Unescape View File

@ -1,318 +0,0 @@
From 34e92fc88943beeba76aa4e408951cb46d8cdb53 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 16 Jul 2024 19:49:09 +0200
Subject: [PATCH] Resolve CVE-2024-1975
6404. [security] Remove SIG(0) support from named as a countermeasure
for CVE-2024-1975. [GL #4480]
Resolves: CVE-2024-1975
---
bin/tests/system/tsiggss/authsock.pl | 5 ++
bin/tests/system/tsiggss/tests.sh | 12 ++--
bin/tests/system/upforwd/tests.sh | 21 +++---
doc/arm/general.rst | 6 +-
doc/arm/reference.rst | 4 +-
doc/arm/security.rst | 4 +-
lib/dns/message.c | 97 ++--------------------------
lib/ns/client.c | 7 ++
8 files changed, 43 insertions(+), 113 deletions(-)
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
index ab3833d..0b231ee 100644
--- a/bin/tests/system/tsiggss/authsock.pl
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -31,6 +31,10 @@ if (!defined($path)) {
exit(1);
}
+# Enable output autoflush so that it's not lost when the parent sends TERM.
+select STDOUT;
+$| = 1;
+
unlink($path);
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
die "unable to create socket $path";
@@ -53,6 +57,7 @@ if ($timeout != 0) {
}
while (my $client = $server->accept()) {
+ printf("accept()\n");
$client->recv(my $buf, 8, 0);
my ($version, $req_len) = unpack('N N', $buf);
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
index 632bb87..7977e49 100644
--- a/bin/tests/system/tsiggss/tests.sh
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -116,7 +116,7 @@ status=$((status+ret))
echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 >authsock.log 2>&1 &
sleep 1
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n+1))
@@ -130,17 +130,19 @@ n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
-echo_i "testing external policy with SIG(0) key ($n)"
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
ret=0
-$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
+debug
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
output=`$DIG $DIGOPTS +short cname fred.example.nil.`
-[ -n "$output" ] || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
+# update must have failed - SIG(0) signer is not supported
+[ -n "$output" ] && ret=1
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 20fc46f..c8fd54b 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -224,19 +224,22 @@ fi
if test -f keyname
then
- echo_i "checking update forwarding to with sig0 ($n)"
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
ret=0
keyname=`cat keyname`
- $NSUPDATE -k $keyname.private -- - <<EOF
- local 10.53.0.1
- server 10.53.0.3 ${PORT}
- zone example2
- update add unsigned.example2. 600 A 10.10.10.1
- update add unsigned.example2. 600 TXT Foo
- send
+ # SIG(0) is removed, update is expected to fail.
+ {
+ $NSUPDATE -k $keyname.private -- - <<EOF
+ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone example2
+ update add unsigned.example2. 600 A 10.10.10.1
+ update add unsigned.example2. 600 TXT Foo
+ send
EOF
+ } >nsupdate.out.$n 2>&1 && ret=1
$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+ grep "status: NOERROR" dig.out.ns1.test$n >/dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
diff --git a/doc/arm/general.rst b/doc/arm/general.rst
index 225576b..0766dfe 100644
--- a/doc/arm/general.rst
+++ b/doc/arm/general.rst
@@ -534,10 +534,8 @@ than a non-authoritative response. This is considered a feature.
[2] CLASS ANY queries are not supported. This is considered a
feature.
-[3] When receiving a query signed with a SIG(0), the server is
-only able to verify the signature if it has the key in its local
-authoritative data; it cannot do recursion or validation to
-retrieve unknown keys.
+[3] Support for SIG(0) message verification was removed
+as part of the mitigation of CVE-2024-1975.
[4] Compliance is with loading and serving of A6 records only. A6 records were moved
to the experimental category by :rfc:`3363`.
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index d4ee9d2..ad7ff27 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -5789,7 +5789,7 @@ The ``update-policy`` clause allows more fine-grained control over which
updates are allowed. It specifies a set of rules, in which each rule
either grants or denies permission for one or more names in the zone to
be updated by one or more identities. Identity is determined by the key
-that signed the update request, using either TSIG or SIG(0). In most
+that signed the update request, using either TSIG. In most
cases, ``update-policy`` rules only apply to key-based identities. There
is no way to specify update permissions based on the client source address.
@@ -5846,7 +5846,7 @@ field), and the type of the record to be updated matches the ``types``
field. Details for each rule type are described below.
The ``identity`` field must be set to a fully qualified domain name. In
-most cases, this represents the name of the TSIG or SIG(0) key that
+most cases, this represents the name of the TSIG key that
must be used to sign the update request. If the specified name is a
wildcard, it is subject to DNS wildcard expansion, and the rule may
apply to multiple identities. When a TKEY exchange has been used to
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
index f7c8bd3..e3abfd1 100644
--- a/doc/arm/security.rst
+++ b/doc/arm/security.rst
@@ -32,7 +32,7 @@ Limiting access to the server by outside parties can help prevent
spoofing and denial of service (DoS) attacks against the server.
ACLs match clients on the basis of up to three characteristics: 1) The
-client's IP address; 2) the TSIG or SIG(0) key that was used to sign the
+client's IP address; 2) the TSIG key that was used to sign the
request, if any; and 3) an address prefix encoded in an EDNS
Client-Subnet option, if any.
@@ -73,7 +73,7 @@ and no queries at all from the networks specified in ``bogusnets``.
In addition to network addresses and prefixes, which are matched against
the source address of the DNS request, ACLs may include ``key``
-elements, which specify the name of a TSIG or SIG(0) key.
+elements, which specify the name of a TSIG key.
When BIND 9 is built with GeoIP support, ACLs can also be used for
geographic access restrictions. This is done by specifying an ACL
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 1993b2e..04315bc 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3287,109 +3287,24 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
- isc_buffer_t b, msgb;
+ isc_buffer_t msgb;
REQUIRE(DNS_MESSAGE_VALID(msg));
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
return (ISC_R_SUCCESS);
}
INSIST(msg->saved.base != NULL);
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
isc_buffer_add(&msgb, msg->saved.length);
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
#ifdef SKAN_MSG_DEBUG
- dns_message_dumpsig(msg, "dns_message_checksig#1");
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
#endif /* ifdef SKAN_MSG_DEBUG */
- if (view != NULL) {
- return (dns_view_checksig(view, &msgb, msg));
- } else {
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
- }
+ if (view != NULL) {
+ return (dns_view_checksig(view, &msgb, msg));
} else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- dns_rdataset_t keyset;
- isc_result_t result;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- /*
- * This can occur when the message is a dynamic update, since
- * the rdata length checking is relaxed. This should not
- * happen in a well-formed message, since the SIG(0) is only
- * looked for in the additional section, and the dynamic update
- * meta-records are in the prerequisite and update sections.
- */
- if (rdata.length == 0) {
- return (ISC_R_UNEXPECTEDEND);
- }
-
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-
- dns_rdataset_init(&keyset);
- if (view == NULL) {
- return (DNS_R_KEYUNAUTHORIZED);
- }
- result = dns_view_simplefind(view, &sig.signer,
- dns_rdatatype_key /* SIG(0) */, 0,
- 0, false, &keyset, NULL);
-
- if (result != ISC_R_SUCCESS) {
- /* XXXBEW Should possibly create a fetch here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- } else if (keyset.trust < dns_trust_secure) {
- /* XXXBEW Should call a validator here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_rdataset_first(&keyset);
- INSIST(result == ISC_R_SUCCESS);
- for (; result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset)) {
- dst_key_t *key = NULL;
-
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&keyset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
-
- result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
- view->mctx, &key);
- if (result != ISC_R_SUCCESS) {
- continue;
- }
- if (dst_key_alg(key) != sig.algorithm ||
- dst_key_id(key) != sig.keyid ||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
- {
- dst_key_free(&key);
- continue;
- }
- result = dns_dnssec_verifymessage(&msgb, msg, key);
- dst_key_free(&key);
- if (result == ISC_R_SUCCESS) {
- break;
- }
- }
- if (result == ISC_R_NOMORE) {
- result = DNS_R_KEYUNAUTHORIZED;
- }
-
- freesig:
- if (dns_rdataset_isassociated(&keyset)) {
- dns_rdataset_disassociate(&keyset);
- }
- dns_rdata_freestruct(&sig);
- return (result);
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
}
}
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 967e21b..87b8a18 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2060,6 +2060,13 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is signed by a nonauthoritative key");
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
+ client->message->sig0 != NULL)
+ {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request has a SIG(0) signature but its support "
+ "was removed (CVE-2024-1975)");
} else {
char tsigrcode[64];
isc_buffer_t b;
--
2.45.2

40
SOURCES/bind-9.16-isc-mempool-attach.patch
Unescape View File

@ -1,40 +0,0 @@
From d249889a9c18df7792ca3cd8d97897e4fb5824b5 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 31 Aug 2022 12:30:38 +0000
Subject: [PATCH] Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
(cherry picked from commit e97c3eea954e055634b72c21325d2611e960ee94)
---
lib/isc/mem.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index f84d300..33ece7a 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1656,7 +1656,8 @@ isc_mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
mpctx->common.impmagic = MEMPOOL_MAGIC;
mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
mpctx->lock = NULL;
- mpctx->mctx = mctx;
+ mpctx->mctx = NULL;
+ isc_mem_attach((isc_mem_t *)mctx, (isc_mem_t **)&mpctx->mctx);
/*
* Mempools are stored as a linked list of element.
*/
@@ -1765,7 +1766,8 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
mpctx->common.impmagic = 0;
mpctx->common.magic = 0;
- isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
+ isc_mem_putanddetach((isc_mem_t **)&mpctx->mctx, mpctx,
+ sizeof(isc__mempool_t));
if (lock != NULL) {
UNLOCK(lock);
--
2.43.2

66
SOURCES/bind-9.16-isc_hp-CVE-2023-50387.patch
Unescape View File

@ -1,66 +0,0 @@
From 103b09187466b2afbff7e204d166d21e2fbb057c Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 21 Feb 2024 11:54:27 +0100
Subject: [PATCH] Downstream specific changes related to KeyTrap
Fix for CVE-2023-50387 introduced new additional thread. But because
isc_hp functions were removed from later bind 9.16 release, their
changes did not contain increase of hazard pointers max thread limit.
To prevent obscure memory corruption increase thread max size.
In addition place at least few INSISTs to check this is catched before
random memory overwrites begins. It would be quite difficult to track
without any check.
---
lib/isc/hp.c | 3 +++
lib/isc/managers.c | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/isc/hp.c b/lib/isc/hp.c
index 92d160b..5f9bbf7 100644
--- a/lib/isc/hp.c
+++ b/lib/isc/hp.c
@@ -138,6 +138,7 @@ isc_hp_destroy(isc_hp_t *hp) {
void
isc_hp_clear(isc_hp_t *hp) {
+ INSIST(tid() < isc__hp_max_threads);
for (int i = 0; i < hp->max_hps; i++) {
atomic_store_release(&hp->hp[tid()][i], 0);
}
@@ -152,6 +153,7 @@ uintptr_t
isc_hp_protect(isc_hp_t *hp, int ihp, atomic_uintptr_t *atom) {
uintptr_t n = 0;
uintptr_t ret;
+ INSIST(tid() < isc__hp_max_threads);
while ((ret = atomic_load(atom)) != n) {
atomic_store(&hp->hp[tid()][ihp], ret);
n = ret;
@@ -173,6 +175,7 @@ isc_hp_protect_release(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr) {
void
isc_hp_retire(isc_hp_t *hp, uintptr_t ptr) {
+ INSIST(tid() < isc__hp_max_threads);
hp->rl[tid()]->list[hp->rl[tid()]->size++] = ptr;
INSIST(hp->rl[tid()]->size < isc__hp_max_retired);
diff --git a/lib/isc/managers.c b/lib/isc/managers.c
index c39a650..3bdca99 100644
--- a/lib/isc/managers.c
+++ b/lib/isc/managers.c
@@ -25,9 +25,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
/*
* We have ncpus network threads, ncpus old network threads - make
- * it 4x just to be on the safe side.
+ * it 4x just to be on the safe side. One additional for slow netmgr
+ * thread.
*/
- isc_hp_init(4 * workers);
+ isc_hp_init(5 * workers);
REQUIRE(netmgrp != NULL && *netmgrp == NULL);
isc__netmgr_create(mctx, workers, &netmgr);
--
2.43.2

34
SOURCES/bind-9.16-isc_hp-additional.patch
Unescape View File

@ -1,34 +0,0 @@
From beeb4527b25c8d48842bbc78f100b716df118699 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 9 Jul 2024 16:06:02 +0200
Subject: [PATCH] Increase even further hazard pointers after KeyTrap
Extends even more change Downstream specific changes related to KeyTrap,
which added safety guards into hazard pointers. Because it seems they
are not still enough. Add fixed base to accomodate common threads like
main app thread and ldap worker threads. Multiply one more, just to be
sure. We do not want to hit maximal limit again.
---
lib/isc/managers.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/isc/managers.c b/lib/isc/managers.c
index 3bdca99..fffff78 100644
--- a/lib/isc/managers.c
+++ b/lib/isc/managers.c
@@ -26,9 +26,10 @@ isc_managers_create(isc_mem_t *mctx, size_t workers, size_t quantum,
/*
* We have ncpus network threads, ncpus old network threads - make
* it 4x just to be on the safe side. One additional for slow netmgr
- * thread.
+ * thread. One extra to be safe. Add base for main application thread
+ * or bind-dyndb-ldap worker threads.
*/
- isc_hp_init(5 * workers);
+ isc_hp_init(6 + 6 * workers);
REQUIRE(netmgrp != NULL && *netmgrp == NULL);
isc__netmgr_create(mctx, workers, &netmgr);
--
2.45.2

40
SOURCES/bind-9.16-redhat_doc.patch
Unescape View File

@ -1,4 +1,4 @@
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001 From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com> From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 17 Jun 2020 23:17:13 +0200 Date: Wed, 17 Jun 2020 23:17:13 +0200
Subject: [PATCH] Update man named with Red Hat specifics Subject: [PATCH] Update man named with Red Hat specifics
@ -6,15 +6,15 @@ Subject: [PATCH] Update man named with Red Hat specifics
This is almost unmodified text and requires revalidation. Some of those This is almost unmodified text and requires revalidation. Some of those
statements are no longer correct. statements are no longer correct.
--- ---
bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++ bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+) 1 file changed, 41 insertions(+)
diff --git a/bin/named/named.rst b/bin/named/named.rst diff --git a/bin/named/named.rst b/bin/named/named.rst
index 6fd8f87..3cd6350 100644 index ea440b2..fa51984 100644
--- a/bin/named/named.rst --- a/bin/named/named.rst
+++ b/bin/named/named.rst +++ b/bin/named/named.rst
@@ -228,6 +228,41 @@ Files @@ -212,6 +212,47 @@ Files
``/var/run/named/named.pid`` |named_pid|
The default process-id file. The default process-id file.
+Notes +Notes
@ -24,7 +24,7 @@ index 6fd8f87..3cd6350 100644
+ +
+By default, Red Hat ships BIND with the most secure SELinux policy +By default, Red Hat ships BIND with the most secure SELinux policy
+that will not prevent normal BIND operation and will prevent exploitation +that will not prevent normal BIND operation and will prevent exploitation
+of all known BIND security vulnerabilities. See the selinux(8) man page +of all known BIND security vulnerabilities . See the selinux(8) man page
+for information about SElinux. +for information about SElinux.
+ +
+It is not necessary to run named in a chroot environment if the Red Hat +It is not necessary to run named in a chroot environment if the Red Hat
@ -34,27 +34,33 @@ index 6fd8f87..3cd6350 100644
+ +
+*With this extra security comes some restrictions:* +*With this extra security comes some restrictions:*
+ +
+By default, the SELinux policy does not allow named to write outside directory +By default, the SELinux policy does not allow named to write any master
+/var/named. That directory used to be read-only for named, but write access is +zone database files. Only the root user may create files in the $ROOTDIR/var/named
+enabled by default now. +zone database file directory (the options { "directory" } option), where
+$ROOTDIR is set in /etc/sysconfig/named.
+ +
+The "named" group must be granted read privelege to +The "named" group must be granted read privelege to
+these files in order for named to be enabled to read them. +these files in order for named to be enabled to read them.
+Any file updated by named must be writeable by named user or named group.
+ +
+Any file created in the zone database file directory is automatically assigned +Any file created in the zone database file directory is automatically assigned
+the SELinux file context *named_zone_t* . +the SELinux file context *named_zone_t* .
+ +
+By default, SELinux prevents any role from modifying *named_zone_t* files; this
+means that files in the zone database directory cannot be modified by dynamic
+DNS (DDNS) updates or zone transfers.
+
+The Red Hat BIND distribution and SELinux policy creates three directories where +The Red Hat BIND distribution and SELinux policy creates three directories where
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic* +named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate +*/var/named/data*. By placing files you want named to modify, such as
+permissions. They are used for better organisation of zones and backward compatibility. +slave or DDNS updateable zone files and database / statistics dump files in
+Files in these directories are automatically assigned the '*named_cache_t*' +these directories, named will work normally and no further operator action is
+file context, which SELinux always allows named to write. +required. Files in these directories are automatically assigned the '*named_cache_t*'
+file context, which SELinux allows named to write.
+
+ +
See Also See Also
~~~~~~~~ ~~~~~~~~
-- --
2.26.2 2.34.1

216
SOURCES/bind-9.16-rh2101712.patch
Unescape View File

@ -1,216 +0,0 @@
From b1871274cd2c97b63f3b90d608b7f8936d4ff3c5 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 24 Aug 2022 12:21:50 +1000
Subject: [PATCH] Have dns_zt_apply lock the zone table
There where a number of places where the zone table should have
been locked, but wasn't, when dns_zt_apply was called.
Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
all calls to using it. Removed locks in callers.
Modified upstream commit for v9_16
---
bin/named/server.c | 12 +++++++-----
bin/named/statschannel.c | 12 +++++++-----
lib/dns/include/dns/zt.h | 3 ++-
lib/dns/tests/zt_test.c | 4 ++--
lib/dns/view.c | 3 ++-
lib/dns/zt.c | 29 ++++++++++++++++++-----------
6 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 860ccae..c2a5887 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9458,7 +9458,8 @@ cleanup:
if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0)
{
dns_view_setviewrevert(view);
- (void)dns_zt_apply(view->zonetable, false, NULL,
+ (void)dns_zt_apply(view->zonetable,
+ isc_rwlocktype_read, false, NULL,
removed, view);
}
dns_view_detach(&view);
@@ -10901,8 +10902,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
ISC_LIST_INIT(vle->zonelist);
ISC_LIST_APPEND(dctx->viewlist, vle, link);
if (dctx->dumpzones) {
- result = dns_zt_apply(view->zonetable, true, NULL,
- add_zone_tolist, dctx);
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
+ true, NULL, add_zone_tolist, dctx);
}
return (result);
}
@@ -12248,8 +12249,9 @@ named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
view = ISC_LIST_NEXT(view, link))
{
- result = dns_zt_apply(view->zonetable, false, NULL,
- synczone, &cleanup);
+ result = dns_zt_apply(view->zonetable,
+ isc_rwlocktype_none, false,
+ NULL, synczone, &cleanup);
if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS)
{
tresult = result;
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 8ff2567..832ce93 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -2296,8 +2296,9 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
if ((flags & STATS_XML_ZONES) != 0) {
TRY0(xmlTextWriterStartElement(writer,
ISC_XMLCHAR "zones"));
- result = dns_zt_apply(view->zonetable, true, NULL,
- zone_xmlrender, writer);
+ result = dns_zt_apply(view->zonetable,
+ isc_rwlocktype_read, true,
+ NULL, zone_xmlrender, writer);
if (result != ISC_R_SUCCESS) {
goto error;
}
@@ -3069,9 +3070,10 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
CHECKMEM(za);
if ((flags & STATS_JSON_ZONES) != 0) {
- result = dns_zt_apply(view->zonetable, true,
- NULL, zone_jsonrender,
- za);
+ result = dns_zt_apply(view->zonetable,
+ isc_rwlocktype_read,
+ true, NULL,
+ zone_jsonrender, za);
if (result != ISC_R_SUCCESS) {
goto error;
}
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
index 4a1b263..1c6c789 100644
--- a/lib/dns/include/dns/zt.h
+++ b/lib/dns/include/dns/zt.h
@@ -168,7 +168,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze);
*/
isc_result_t
-dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ isc_result_t *sub,
isc_result_t (*action)(dns_zone_t *, void *), void *uap);
/*%<
* Apply a given 'action' to all zone zones in the table.
diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
index 7945a0b..bfacb94 100644
--- a/lib/dns/tests/zt_test.c
+++ b/lib/dns/tests/zt_test.c
@@ -136,8 +136,8 @@ apply(void **state) {
assert_non_null(view->zonetable);
assert_int_equal(nzones, 0);
- result = dns_zt_apply(view->zonetable, false, NULL, count_zone,
- &nzones);
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, false,
+ NULL, count_zone, &nzones);
assert_int_equal(result, ISC_R_SUCCESS);
assert_int_equal(nzones, 1);
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 8c7e40a..dcb0f18 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -704,7 +704,8 @@ dns_view_dialup(dns_view_t *view) {
REQUIRE(DNS_VIEW_VALID(view));
REQUIRE(view->zonetable != NULL);
- (void)dns_zt_apply(view->zonetable, false, NULL, dialup, NULL);
+ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, false,
+ NULL, dialup, NULL);
}
void
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
index 8ca9cd6..1bfc308 100644
--- a/lib/dns/zt.c
+++ b/lib/dns/zt.c
@@ -223,7 +223,8 @@ flush(dns_zone_t *zone, void *uap) {
static void
zt_destroy(dns_zt_t *zt) {
if (atomic_load_acquire(&zt->flush)) {
- (void)dns_zt_apply(zt, false, NULL, flush, NULL);
+ (void)dns_zt_apply(zt, isc_rwlocktype_none, false, NULL,
+ flush, NULL);
}
dns_rbt_destroy(&zt->table);
isc_rwlock_destroy(&zt->rwlock);
@@ -265,9 +266,8 @@ dns_zt_load(dns_zt_t *zt, bool stop, bool newonly) {
struct zt_load_params params;
REQUIRE(VALID_ZT(zt));
params.newonly = newonly;
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
- result = dns_zt_apply(zt, stop, NULL, load, &params);
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, NULL, load,
+ &params);
return (result);
}
@@ -338,9 +338,8 @@ dns_zt_asyncload(dns_zt_t *zt, bool newonly, dns_zt_allloaded_t alldone,
zt->loaddone = alldone;
zt->loaddone_arg = arg;
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
- result = dns_zt_apply(zt, false, NULL, asyncload, zt);
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+ result = dns_zt_apply(zt, isc_rwlocktype_read, false, NULL,
+ asyncload, zt);
/*
* Have all the loads completed?
@@ -386,9 +385,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze) {
REQUIRE(VALID_ZT(zt));
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
- result = dns_zt_apply(zt, false, &tresult, freezezones, &params);
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+ result = dns_zt_apply(zt, isc_rwlocktype_read, false, &tresult,
+ freezezones, &params);
if (tresult == ISC_R_NOTFOUND) {
tresult = ISC_R_SUCCESS;
}
@@ -522,7 +520,8 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
}
isc_result_t
-dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+ isc_result_t *sub,
isc_result_t (*action)(dns_zone_t *, void *), void *uap) {
dns_rbtnode_t *node;
dns_rbtnodechain_t chain;
@@ -532,6 +531,10 @@ dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
REQUIRE(VALID_ZT(zt));
REQUIRE(action != NULL);
+ if (lock != isc_rwlocktype_none) {
+ RWLOCK(&zt->rwlock, lock);
+ }
+
dns_rbtnodechain_init(&chain);
result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
if (result == ISC_R_NOTFOUND) {
@@ -568,6 +571,10 @@ cleanup:
*sub = tresult;
}
+ if (lock != isc_rwlocktype_none) {
+ RWUNLOCK(&zt->rwlock, lock);
+ }
+
return (result);
}
--
2.39.2

31
SOURCES/bind-9.16-rh2133889.patch
Unescape View File

@ -1,31 +0,0 @@
From 606fc6d4aa8e8884f53f53e72dc1bd7babf37a47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 16 Jan 2023 11:06:48 +0000
Subject: [PATCH] Merge branch 'feature/main/zt-rwlock.h' into 'main'
Include isc_rwlocktype_t type definition in zt.h
See merge request isc-projects/bind9!7376
(cherry picked from commit d7bcdf8bd6c5395726f708535120ce9a97eaa935)
395d6fca Include isc_rwlocktype_t type definition in zt.h
---
lib/dns/include/dns/zt.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
index 189092bc3b..2964fc971f 100644
--- a/lib/dns/include/dns/zt.h
+++ b/lib/dns/include/dns/zt.h
@@ -19,6 +19,7 @@
#include <stdbool.h>
#include <isc/lang.h>
+#include <isc/rwlock.h>
#include <dns/types.h>
--
2.39.0

33
SOURCES/bind-9.16-system-test-cds.patch
Unescape View File

@ -1,33 +0,0 @@
From 7cc9fd1870e5264abd885ed2c419034945121d0f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 19 Feb 2024 22:13:52 +0100
Subject: [PATCH] Define variants to empty values
DNSSEC_VARIANT and NAMED_VARIANT are special Red Hat modifications to
allow testing or alternative rebuilds, with support for pkcs11 or sdb.
But undefined value breaks some tests, so define them to empty values.
That means normal build variant.
Required to pass upstream test suite cds test correctly.
---
bin/tests/system/conf.sh.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 7b2b309..c2d6526 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -24,6 +24,10 @@ TMPDIR=${TMPDIR:-/tmp}
# This is not the windows build.
CYGWIN=""
+# RH specific, allow variants testing
+: ${DNSSEC_VARIANT:=}
+: ${NAMED_VARIANT:=}
+
# Load common values shared between windows and unix/linux.
. $TOP/bin/tests/system/conf.sh.common
--
2.43.2

53
SOURCES/bind-9.16-update-b.root-servers.net.patch
Unescape View File

@ -1,53 +0,0 @@
From c532af966a7328f0e518273bc1f6051bb9d9e995 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 12 Oct 2023 10:19:38 +1100
Subject: [PATCH] Update b.root-servers.net IP addresses
This covers both root hints and the default primaries for the root
zone mirror. The official change date is Nov 27, 2023.
(cherry picked from commit 2ca2f7e9852a3d6e93f065c01ea4679f723688f7)
---
bin/named/config.c | 4 ++--
lib/dns/rootns.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index 8c6f90c..c37015f 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -292,14 +292,14 @@ view \"_bind\" chaos {\n\
"# END MANAGED KEYS\n\
\n\
primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
- 2001:500:200::b; # b.root-servers.net\n\
+ 2801:1b8:10::b; # b.root-servers.net\n\
2001:500:2::c; # c.root-servers.net\n\
2001:500:2f::f; # f.root-servers.net\n\
2001:500:12::d0d; # g.root-servers.net\n\
2001:7fd::1; # k.root-servers.net\n\
2620:0:2830:202::132; # xfr.cjr.dns.icann.org\n\
2620:0:2d0:202::132; # xfr.lax.dns.icann.org\n\
- 199.9.14.201; # b.root-servers.net\n\
+ 170.247.170.2; # b.root-servers.net\n\
192.33.4.12; # c.root-servers.net\n\
192.5.5.241; # f.root-servers.net\n\
192.112.36.4; # g.root-servers.net\n\
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index 885c2fb..b06d247 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -52,8 +52,8 @@ static char root_ns[] =
". 518400 IN NS M.ROOT-SERVERS.NET.\n"
"A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n"
"A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30\n"
- "B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
- "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"
+ "B.ROOT-SERVERS.NET. 3600000 IN A 170.247.170.2\n"
+ "B.ROOT-SERVERS.NET. 3600000 IN AAAA 2801:1b8:10::b\n"
"C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n"
"C.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2::c\n"
"D.ROOT-SERVERS.NET. 3600000 IN A 199.7.91.13\n"
--
2.43.0

17
SOURCES/bind-9.16.23.tar.xz.asc
Unescape View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIzBAABAgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMcACgkQxbTukxqf
nf1EbQ//YXsBbMtyI3c0MoleSi5zwzcpCTZTWTFHqH5WUiruLMDF453j/Fn2zaSC
WuaUnhN61dR+BVtX+D2Y8GiVQFICo5X1nJj0jb/TcflXFq7YLWUAO0NPwPkBL1J4
/PA0YCp1zYcvBXIxTKaU7AcBxlKmcGLdZcgCyGU6NSKaOJSxHOWXM460uD/crskB
iSPEbMevN9TTJs9webztJNKH/3BuNkOD9SFb6JlUIQqwKx1v8rosgdI7BvgGMZqy
s+10+GlIRFFvsX2XkX8BnjDlQ1QdzDOAoyCU+Se9rXDqu+zZf1VN4ReUCSDuPYf9
z+GW1EbMxuZzEKrEIJvhnVNNiHqtKVaK6IIUX5bHqgPLEx87HxJMOPmbyBc1kDAe
0WCmsITaq62WvKOG8Ho8wLrlG4AAO5+A7xit4bJ4XUtLiqyt+9FUIeEFY9nZb/6O
OXK9eBMZHZ++r52RtA+GYZllkNRpzwnULOdR/9svVQuc10/MjnRoFqInzLlqwfwm
2q6r372oWn8+MUvjQVBgzprn5BvY+HDo2gNEYEi5QyR3ql2dX/Qz7iUdUfhRvMNL
FdPt3B3kktfOV98p/imrIwLwVVWwKBlphntkRxLtSZBs3nbo27F/ND54fixC2eCa
epB6FF5IquzQ/MOiz4uql3YexNDQQ+7N2IGPJVMwO2ILAyZDNOQ=
=pVtf
-----END PGP SIGNATURE-----

29
SOURCES/bind-9.18-CVE-2024-4076.patch
Unescape View File

@ -1,29 +0,0 @@
From 274463c5b71db87a615694889da23837ba48db9a Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 16 Jul 2024 19:49:26 +0200
Subject: [PATCH] Resolve CVE-2024-4076
6403. [security] qctx-zversion was not being cleared when it should have
been leading to an assertion failure if it needed to be
reused. (CVE-2024-4076) [GL #4507]
Resolves: CVE-2024-4076
---
lib/ns/query.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 537d332..be4cbb6 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5325,6 +5325,7 @@ qctx_freedata(query_ctx_t *qctx) {
ns_client_releasename(qctx->client, &qctx->zfname);
dns_db_detachnode(qctx->zdb, &qctx->znode);
dns_db_detach(&qctx->zdb);
+ qctx->zversion = NULL;
}
if (qctx->event != NULL && !qctx->client->nodetach) {
--
2.45.2

75
SOURCES/bind-9.18-unittest-netmgr-unstable.patch
Unescape View File

@ -0,0 +1,75 @@
From 0f3a398fe813189c5dd56b0367a72c7b3f19504b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 14 Sep 2022 13:06:24 +0200
Subject: [PATCH] Disable some often failing tests
Make those tests skipped in default build, when CI=true environment is
set. It is not clear why they fail mostly on COPR, but they do fail
often.
---
tests/isc/netmgr_test.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c
index 94e4bf7..7f9629c 100644
--- a/tests/isc/netmgr_test.c
+++ b/tests/isc/netmgr_test.c
@@ -1567,13 +1567,13 @@ stream_half_recv_half_send(void **state __attribute__((unused))) {
/* TCP */
ISC_RUN_TEST_IMPL(tcp_noop) { stream_noop(state); }
-ISC_RUN_TEST_IMPL(tcp_noresponse) { stream_noresponse(state); }
+ISC_RUN_TEST_IMPL(tcp_noresponse) { SKIP_IN_CI; stream_noresponse(state); }
ISC_RUN_TEST_IMPL(tcp_timeout_recovery) { stream_timeout_recovery(state); }
ISC_RUN_TEST_IMPL(tcp_recv_one) { stream_recv_one(state); }
-ISC_RUN_TEST_IMPL(tcp_recv_two) { stream_recv_two(state); }
+ISC_RUN_TEST_IMPL(tcp_recv_two) { SKIP_IN_CI; stream_recv_two(state); }
ISC_RUN_TEST_IMPL(tcp_recv_send) {
SKIP_IN_CI;
@@ -1623,6 +1623,7 @@ ISC_RUN_TEST_IMPL(tcp_recv_one_quota) {
}
ISC_RUN_TEST_IMPL(tcp_recv_two_quota) {
+ SKIP_IN_CI;
atomic_store(&check_listener_quota, true);
stream_recv_two(state);
}
@@ -1836,6 +1837,7 @@ ISC_RUN_TEST_IMPL(tcpdns_recv_two) {
isc_result_t result = ISC_R_SUCCESS;
isc_nmsocket_t *listen_sock = NULL;
+ SKIP_IN_CI;
atomic_store(&nsends, 2);
result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
@@ -2095,6 +2097,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one) {
}
ISC_RUN_TEST_IMPL(tls_recv_two) {
+ SKIP_IN_CI;
stream_use_TLS = true;
stream_recv_two(state);
}
@@ -2160,6 +2163,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one_quota) {
}
ISC_RUN_TEST_IMPL(tls_recv_two_quota) {
+ SKIP_IN_CI;
stream_use_TLS = true;
atomic_store(&check_listener_quota, true);
stream_recv_two(state);
@@ -2395,6 +2399,7 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_two) {
isc_result_t result = ISC_R_SUCCESS;
isc_nmsocket_t *listen_sock = NULL;
+ SKIP_IN_CI;
atomic_store(&nsends, 2);
result = isc_nm_listentlsdns(listen_nm, &tcp_listen_addr,
--
2.37.2

16
SOURCES/bind-9.18.21.tar.xz.asc
Unescape View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmV3BGsACgkQUQpkKgbF
LOwu9w/+JciqKqT0JieUDwPzEhhulBCWEhbZFrHK6dFM5UkPHkaV79QkZAQEhnq1
FXVEF99ZuTbz5s79wNAZ9I4AiU0al5RK1P5MwMBbjsQrfnkhmKnPIU1jx3FSVrCP
tC9l1xEjkLNi2vf28ZQ9KED2hUdqsgTZqDvgewEnrq1NtZ0K7ozz9nHQLfooDSJT
L5U9HDp3vf5BJWONjnKAPjJJdeRf7HPqokJVSjQcVxrT06VsMNUFFmyCbEJ0UTJm
mqDrRuEXhkAKf40DwMr0qGqiq5Q4m960yADEK1Aju/9cEf6Ag4FYyy70iyICe7Tj
T8qjVzzwboUJao3m/152+6qvzGXJKdUUZqCnNcCc2wmirmg/ES4DLLFyYYXBflj7
hWCOLXeghF/785te4fmiH3gqcEZBEVcc0wl1HCL5m3q9kGutGgLJVOZgM5D6zf2T
0Sa60qIr5r+cKCS9OYowTH1+NqEsW4XhCVIe/RYEuXa3FFczIUbdGlUQ5t9ILBxi
zbZ04Tj0tecqUVkhoEYZfQzhHEa43LzxATdQ4Zc01USaxhbSFSoyG1+WP1tPD+PL
wqZA9tEuvKtngr/UP+BeLG0lWv5zbtShzM1V1cEg7JuoiI2onWstaN7NYXShiUMZ
oVYXIBbmNbXVmm2TYzt4mw9TotGWHkSNjPZGvvAYw/0mtcw6NXs=
=bzR1
-----END PGP SIGNATURE-----

39
SOURCES/bind-9.5-PIE.patch
Unescape View File

@ -1,30 +1,17 @@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
index eb622d1..37053a7 100644 index 57a023b..085f2f7 100644
--- a/bin/named/Makefile.in --- a/bin/named/Makefile.am
+++ b/bin/named/Makefile.in +++ b/bin/named/Makefile.am
@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \ @@ -32,9 +32,12 @@ AM_CPPFLAGS += \
tkeyconf.c tsigconf.c zoneconf.c \ endif HAVE_LIBXML2
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+EXT_CFLAGS = -fpie AM_CPPFLAGS += \
+ + -fpie \
@BIND9_MAKE_RULES@ -DNAMED_LOCALSTATEDIR=\"${localstatedir}\" \
-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index fd9ca8d..f1c102c 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -11,6 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
+EXT_CFLAGS = -fpie +AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+ +
@BIND9_MAKE_INCLUDES@ sbin_PROGRAMS = named
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ nodist_named_SOURCES = xsl.c

53
SOURCES/bind-9.5-dlz-64bit.patch
Unescape View File

@ -1,53 +0,0 @@
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
index 47525af..eefe3c3 100644
--- a/contrib/dlz/config.dlz.in
+++ b/contrib/dlz/config.dlz.in
@@ -17,6 +17,13 @@
#
dlzdir='${DLZ_DRIVER_DIR}'
+AC_MSG_CHECKING([for target libdir])
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
+ [target_lib=lib64],
+ [target_lib=lib],
+)
+AC_MSG_RESULT(["$target_lib"])
+
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
then
break
fi
- elif test -f "$dd/lib/lib${d}.so"
+ elif test -f "$dd/${target_lib}/lib${d}.so"
then
- dlz_bdb_libs="-L${dd}/lib -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
break
fi
done
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
*)
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
[-I$use_dlz_ldap/include],
- [-L$use_dlz_ldap/lib -lldap -llber])
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
AC_MSG_RESULT(
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
@@ -432,11 +439,11 @@ then
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
dlz_odbc_include="-I$use_dlz_odbc/include"
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
break
fi
done

31
SOURCES/bind-9.9.1-P2-dlz-libdb.patch
Unescape View File

@ -1,31 +0,0 @@
diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
# Check other locations for includes.
# Order is important (sigh).
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
# include a blank element first
for d in "" $bdb_incdirs
do
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test "$dd" = "/usr"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
- if test $dlz_bdb_libs != "yes"
- then
- break
- fi
- elif test -f "$dd/${target_lib}/lib${d}.so"
- then
- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi
done

34
SOURCES/bind93-rh490837.patch
Unescape View File

@ -1,34 +0,0 @@
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index cd44fe3..5b7c539 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -27,6 +27,8 @@
#include <isc/string.h>
#include <isc/util.h>
+#include "../errno2result.h"
+
typedef struct inputsource {
isc_result_t result;
bool is_file;
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
#endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
if (c == EOF) {
if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
+ source->result = isc__errno2result(errno);
result = source->result;
goto done;
}
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index e3e2644..5e58600 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
+ case EISDIR:
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);

31
SOURCES/bind97-rh645544.patch
Unescape View File

@ -1,31 +0,0 @@
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 31549c6..65a14b6 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"success resolving '%s' (in '%s'?) after %s", fctx->info,
domainbuf, fctx->reason);
}
@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"lame server resolving '%s' (in '%s'?): %s", namebuf,
domainbuf, addrbuf);
}
@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s for %s: %s", nsbuf,
fctx->info, fctx->clientstr, msgbuf);
}

534
SOURCES/codesign2021.txt
Unescape View File

@ -1,534 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr
gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF
FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki
33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I
LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X
gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa
7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A
5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu
8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN
bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo
p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus
HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF
CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW
f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi
wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I
u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY
0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87
RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP
NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD
6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL
llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0
85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x
zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF
1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0
wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH
/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo
dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON
LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA
Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj
cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE
tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak
a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX
THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4
EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n
ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ
A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY
BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf
5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv
29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx
Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh
nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS
odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87
y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk
Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr
FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk
7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv
O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k
IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V
Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/
2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o
NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT
+pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7
xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym
JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn
uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD
jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06
3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ
ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb
VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF
SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6
bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa
C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc
VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek
IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN
z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2
jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg
dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr
2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB
jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB
CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr
mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy
4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu
f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk
vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO
JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi
8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S
XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY
TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY
3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4
uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM
x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr
0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J
W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD
4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm
Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0
p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW
QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId
GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ
4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo
VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM
wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr
iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1
H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB
UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w
/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI
/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101
x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys
uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM
npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr
9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M
hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
=fX+D
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
+tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
+iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
+gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
+6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
+SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
4xcYgqlVpv15O7VrD+I=
=Uugw
-----END PGP PUBLIC KEY BLOCK-----

2
SOURCES/generate-rndc-key.sh
Unescape View File

@ -15,7 +15,7 @@ fi
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf # This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then
echo -n $"Generating /etc/rndc.key:" echo -n $"Generating /etc/rndc.key:"
if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1 if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
then then

175
SOURCES/isc-keyblock.asc
Unescape View File

@ -0,0 +1,175 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGNjen4BEADDHiUVNbkFtiKPaMWjKxbKmF1nmv7XKjDhwSww6WFiGPbQyxNM
r8EHlEJx5kMT67rx0IYMhTLiXm/9C4dGYyUfFWc35CGetuzstzCNkwJs7vZAhEyk
+06CX4GFiHPOmWIupGCxFkNz1Qopz3ZePMlZRslVCHzW4dbg5NKLI0ojXlNaTDU5
mgUXpsPi/6l6QE6q3ouvmWPF4u71cZ1+W4UkIRAXOlbVsDzGaMaoHjJd8cOM8DrZ
gKHACNPjzqOvEujXDC2vyKw6XpxR+pHz0QcrRtlKnVhPNiKcDfw2mJJ5zxi9uSDc
dh5FomMn9sS4gy2Tub2urELnPf9xnURftRGG3VO6nZc81ufQB4s1BNT2ny0Uhx5V
mXUJwefMypMBfAvWCWBCeyWYtBeo7LT3NmtLq3oVGPfl7+a0ToFAYeghspK8/nOX
6/fqF1MEtzvWjXljz6K7FSDYSY9AoaESLHGwCo6dtff5S7f1+l6PCUNo6aM/B5Ke
SIAN9Lm6z2iVuy9Lukw+5IRoRKHHV4rJauPtDeYoWnNiSd7Q4vFtotUIjRpDARpm
xWS711Q2T+knHFLEiU8QzxjLhOnTzh4n9dDLHCkOY5WM5krldVeL5EuTyPKinuSn
oE01A7I4IGJp753CshibxjNYDiEOVeK93R38Y543edlIrYxnfyMVsiqPkwARAQAB
tDRNaWNoYcWCIEvEmXBpZcWEIChDb2RlLVNpZ25pbmcgS2V5KSA8bWljaGFsQGlz
Yy5vcmc+iQJOBBMBCgA4FiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmNjen4CGwMF
CwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQUQpkKgbFLOwiLxAAjYuI4JQ8mPq7
YrV9m4tu+jOKvoKfpjct2Rh02n/X3ChOgrdcXU898eH56tRk8Mv/E+cBTPN9zQn6
rLprbYR2t2R+zgvuUZWA8In7aewoPIJw8OdlG0gTK9m3VHJIOhIX07qcFttSZw4m
4rEU5mdxi9FatBWBzqnVm4Pn577aqRXK908j+6TvgWbZ6Cq0tw3syVT4kGj+93+P
uIQQQkTYN8UDQPsAKzfzkbQC9I5YXBKUoB9CfhXig8V9N75R0gsWkJ8Vy/8wsPXT
9/EPIIzhnhSuUIjvvBPbLGrzDgbhrfUQ/QVuXDVN8xl3rAWM/tiNGOnmzoYORyM5
ftrnCDIaO4aVKR6rtEzfdQa5Kid1StfhFien/U8jYErxkEn2HRt2gVEX5nYq31T+
0jgVode2Dzkm4+HKHmfOYsQeC07Mu6wZw9raNYqFjTcfh0ajFpLIT3j2YqOJE2jy
KbcveJcy2NiOiUl13exIZuBkZm0wEVbvgVX1PlgL3GJqnbU/Q+maRTb8FBoQVsOd
GIm7U/phU91qR+00SkOcp2LgHCCNKrmHXgiBNYBbInNIp6ze3bFvfKTRFn8WdY9v
Z7vNfKar8rt90mpjYG9qMhmvh4E9icfp3wRUtOwyi7VVtVTTUq0iFTe2C0m0v6KW
XcDwwwaTbl79BOqOH3Gp1flS2ECBsyiZAg0EY2N8xQEQAMWcyZbpxEyefX4JTszG
ocpz8C8yqvZJQUfoDK5AecQWR7OegPkIqwJcHEH5cz+MduklXNQdra/snn6pxGig
At3xCwfzRTH/aYXdjcjnma1elzZSTgk6Maw4zR/W9wea2DcUtMCcsys0gviN/VUe
Aqt+5pmhy2PlEWfJG+Mzyrqgz3Q8hRyAJAKONAwNhs1A4ZqQX/6iuCkJbH1CBeoW
+c+5qJHYEXsx25qR1yiKOFo5b90QOcwaebUq+xKQRlnESn75FTgDjDfDm9BqrHcn
Tv79kOuIN5vhz4BCsuo5QbNu4RGrs/1VSTPvMf5AN7xs9pYNMAEde7pSF1Ps3B5p
CE6iUw9L53ytV4iJQKXpzG29LofUu65YQjIXPgK7NbBO7FUHA41YbSfoWiOAjfMh
iE025YM2+RPQh/Nrc3PqBj4h21ycT+d8eEXKfc/okbVFFE9dKS1hUwKgSrs7baOG
CBZdpiB+t3jWrr8UrteALab7v0rndco3QKOe9U3f+Gm3MdgLK1TGiRgpdyiIXEel
J7zhsdoYEvaKMgUOjhf+COdlf8b9ITg93mDKe8h0OcpirCXw4O2ma3sklabzZKZf
CPhhja6Ro5gmO5pxaLau+esQWNrjEikynNIs+GRphtcFsVVH+ww26mR0nI65Llgv
kb4+DrbDGSPP6R/C2q/LMLM1ABEBAAG0ME1pY2hhbCBOb3dhayAoQ29kZS1TaWdu
aW5nIEtleSkgPG1ub3dha0Bpc2Mub3JnPokCTgQTAQoAOBYhBNmczq+Hl0cBTwON
YxguI1eUYu+qBQJjY3zFAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBgu
I1eUYu+q9IAP/j/GGneuvjwbXdATiQAmkiFlOxjs+SsO/hgA/mmWcm+Kpg4cAlbP
C2xEDa6biJyZ8TmLZEqPNrRm/umiisC8JnIJpIbInn42n4aDCRDW35lrYGdnP1Ft
fexnEOWAJBDRVvh9OnfRfvf+HLFfLFl40b/15YzkTYGIfrMR9y8zalkzXxsVNsyr
9Eq2pmYR7BT2z8d/9SAVuh8D3qgUylIgcFcCFJodsrI4zJSpIMfMntwVsZxDlis8
JVFN8/pfhuBBe6vjqX/cGJnj6OL3T12jvvniv13W3rar2Ocm6XA9j1t5TZNhKqAy
azAKu52NtdJjh25B6C/H+haXAX1eduCCE74uSarqS3F1wf6JI3p8fnWzk4hZNzxp
nZjIk3vrHNjE4jXTZosXCf5DoVRfMpNbxj3YEnXV+kNZQRYPPatUPgFYbxz91hbN
tHyCiy0GmTyf0QId8LTc0y9mPtP9QureJJ6rL8lt7pvXyrYglqhxDgRhJIGKMKdw
0bQtTEF4tyNzC4/sg4/omAGH66clhXlqMmuUjHSUiQyA4LL1mJl63Q+bwqXX4B8t
898tSUmb4Jmg3jLZ3Z9Hl7H8Sp3yYPOLzb2YUF6w3xFsUrNNzVxHFo8tAtEhtEfX
D+ypkowZq8g41WqMlOBrrzQFuExUSXckH2Cn97lV6lkBoueqxP+Zv0bbmQINBGNj
qIkBEADDw/CKszyuFKpVp4Z26rKJ3ooOlp8p9a+fmfuknPtMjJMSX8xK8pOlK739
K83yvDRUidT4+R9IAUKM7TqGA0hoPZmZQLiK0YLlAAXufKxO9IsDZI/7DuF2d8fu
usKQfS4oJC/IbzOAVwgwodnvKhttLWutT09GxiHrnfVPu6Uf4A+GWtrcTIWhXuxE
m7+16ToxBOTLtQ3hh79/RndUuM0ldKRRzJUzASGIPmdQJDLCKgSSeaGjZAdq6gkl
qT/K/R8eoLWSOaBRq8lBE1k7Tq4nSwthMHtCQq4+vxFWH3VF9hwy6ixccROPqt9s
fNfJK3KF4KGhfejMuVn/Lxp1v+Ne2DsdnVofFakAbBMpMyauzAyXPncYSfFhzLBD
kkn7THkfRznmHD8ux89kV534EyqYLjAy8AAD6zNc3tSYgfC0UUw7yz05Sl/eV9Xc
pbezu2ipONlXko8jpCQiiHck599cy+StrjjYPwcHF5m8uUlNnzHoUj8qsoK5SA8u
RnTW2I4DFbL0+x8eL7gmNQYFdMaA4azogtaTFWgPL2jPJ3B+/bUfHDZflvR0FB5+
OD/QHsDv4SB6uX8TOhGbFsHpt7E0scb2U9B8gQeQQJZ3jmcIRp+K18mjYh/ErDFW
23ixBe7h3tn2MGUTOhv1ibOYDE3GYBuGLQiom6yhCs8zrneuAQARAQABtDFXbG9k
ZWsgV2VuY2VsIChDb2RlLVNpZ25pbmcgS2V5KSA8d2xvZGVrQGlzYy5vcmc+iQJO
BBMBCgA4FiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmNjqIkCGwMFCwkIBwMFFQoJ
CAsFFgIDAQACHgECF4AACgkQel4ITKylGIRk9g//XrvOYy9zQkpo4Dkol8yLxr99
Dq9Ur2v8F5Ba4za4QdUxeYrlq8J827mkUqMtnlyb/+3zSMy2I6HAI8QxlDZL5K0g
Gm7iLrwVTM8nAQiNU5vAe4D6PeO5ATBEvRdAUTQGz4xeaTrUXbmNUSC1dZEPvH1z
Fa/Z1WZoy9GLeuWDXix6OXTP8FlQWUTL4/ILLtfJDsWCCX7efkyfnvad8Ye2NfU9
tBjRX5QQ0Dpvgpr8/7El44XcmaHxPWEiq8X2p/d6j3nU/7LspUXRu3ptu5Q2RqMM
iRDZme2c8zieHETpC7m5sshzGxRtT5jWEtZ6V37On5DNTObvXCiaGV95qgiHi5VG
s3MFD3QSo1jJI951k68UM8V+OnzbJGN7TezZ3fTn5Pwdd4C4035QMl0E5NXCcXc8
9d+3DeFmewRRGCaOKPuO/jFPLWcwMlQqp5tkNx8LpqEZfD7/t6FrSvDUsUDU8Rn0
TQILnUZioO68HmeuJbhKaUCMuZGjBIbBqviiufFRiJuEFOVKADQ1u/P5ct/0T/gE
JAho3aubzdYMH5DLsaw03W5KfOjeTLW10zSmSK65wnR6fdwlo5l/Sg6Z63QXD+/H
/OIFgzviJkyoh6MkH55z2K8BDWbhOmaUBjNAcQEXV1KyHeLDkQ+TJfLjctv4KIpv
D7i6kNIp1b6OSdDS9W+ZAg0EY2OzdwEQAMRWPO237ohaXNpKO+dw1qkfOYYisiTQ
yfkT7BG0Xvu8jxeOdRuvUzzplgOfwWhOQkyEEXd205/PpwReeeRwhiu0BDSrzYGM
KZdw9Bw4enoaOinf5WTqM76mc5WUYfvDJIiHies+ANxj4EqTzvSif9hxvvzrbKYV
lHdaGtLm40D6yZSzDEe3X49DmEABM4g/Bs7NfVJcJ3LtLo6qbLy2tKEgNPW+VN/s
harufucxnH5HM6BUUOGZx8L04UCNJu+jvZ0zjLc5DqubNO1526kZclAo94DfTkb+
ir9nxKn7RkdcseibeYPdeIh3le6aU6M0KhTJs3RCxaQF9At08Vrrkh+wkK2Jr5QW
bs8cHpEJ+Q7BwDuAQetFi94eq7Sswh4mjhJ6ZnFCx8v9EbQnvL76afMbhZOezpaQ
aAwXVuIio2fsJpHfxWnXb93H1QKiOQdBZZLQGowcFQCqAWg7h2FwWWbKMV1smGHr
/28tLZtk/4aSCd9cZ9+nofFPPemPLbYwnBECIZN21QKZ2oBXKxb3hchy4EBTKWtC
G/fbTsjSfTCUpMNZ57HO3rGXchjSdIf+tTGJpAqWkTcXuhWXBMWPK6/2REk/DKis
XHugHg9R9hqGs2DaMpGh5NrOLly9+0dsjU15iTQucXbCS9895bRtmDjIN8dLSo9H
6DDw4yO7SHTlABEBAAG0NE1hcmNpbiBHb2R6aW5hIChDb2RlLVNpZ25pbmcgS2V5
KSA8bWdvZHppbmFAaXNjLm9yZz6JAk4EEwEKADgWIQQJCioHkj+SW1dngDpC5d94
yDJx2wUCY2OzdwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBC5d94yDJx
29U0D/41C8WaGEphQW1N5lT/1284qiPuz3w3iSciAAoAe8iHUGBcSNpAWQmWvWXI
buKb92Gtt8JtSOHwQj8qiHjqRsUu02t/tEgQMQUq6p2jqbxODJfHR8oMFMMB0i0I
RgKtEQeq5wRJpVtH+zIFSl9PorsJtHHfhVbqxvE/axcNKa+WaqZdHuKMqADupQEw
6rD7yYVX6YPiHxMhba2AAAoHT/3VpHC0JidZ5BWGwkfnGbV1/7O91GHfJx6KN/AK
DKb5hFl4TrieDLJzphBWg0y4FJ4K7WSIKvcT2cLel9f9pHV6ysqSZWkCbkjkaVIi
LyoA0o7l263WU0D5oG2ihW6Pa2YrWHDDjfTem+kOEFsMjN+Gw74I4KWUBtldfnHK
A8TyeviKkVok1lwDAoJ3LJi/bcyCLgBZLInOU31mQ7mIXq1ENCOIvQvaG0Lwdt59
sBI8sknHkt+54t/VCaKbWSBOzgGur6EDf9WtPHWvHNCKEleDiHCELdhRYYtENO7T
vTv6Fq6Lh26dor26LnARLPvGLAKwONJ0vlTEG8IyoD5AHz9MwdXYgzh8wIvc/HtD
/0FlQGLd0WYVI6UjZfPxHOZAzARJKXLJMqiSn8hnO8v6JZaUcOF0yRKTKtzqsjzU
v9TubCGdQAaCSCaD2fmA0BEs/FpOnZ8P1fXMpcHGEtMV0qc0wZkCDQRjY7/GARAA
ubCCHkdiMblMA9ZlcOVN1Wep7TuYxQouATTb+73iHDQRNIU7DvluHoSq5zJe1Qst
zjTmtlkr2dyI5JnBexUEKrw2X7gPXfLaXY01gLLB/Jn8tU9VxPqBybxmjmEdP58B
I7BwmCyMYNqDuvPSfTMlogH/pF35Al+c8UbOfDEQqxSO2nKPNa4T5ZoVxvMxV4gn
hEJPv8Xte/wiE+CxxbmO2we6rwJjWe7O3T0mNmqvpO8iIsLlQnwTFD5L1huywPc0
UDHK0nl8k2lkue2buaOiancLatXt/i+L1DIimCgZwOt3DlVLURH5lz5ALXE/fn+5
wKkp+XVyNTAEFhSGifgBDYFw3nZeRTU7unMsRssL8SjuwPWoCcRI/3VE08xCuXc+
h6NpGfeJjLRgUSSBF+958djY320TcXaRLrqRhjcJ34dBsDYsRSC15nnq2JU6Vj5t
rJL9qOdwVAFwKeAfROUULcy/LHZ3QgKLN5jOfdqYzE2KHk1+VANttRPTG34i6uq6
yzCFFYadwST22+QWvxh2ohYj2INvvrzRf3lVxssWyb4USB0JPajgnGeNY/hSYfDa
KArqOr9S+3q7h0v4RgoPxDRFIC8v/10W4wPC7R3wj0m/1WHkSm951Wtzq3V84uCF
LLhx2ByNpnJFRFqklonAH3WHUIeYcdXAsTeunrGU/XsAEQEAAbQuR3JlZyBDaG91
bGVzIChDb2RlLVNpZ25pbmcgS2V5KSA8Z3JlZ0Bpc2Mub3JnPokCTgQTAQoAOBYh
BJWA1r8syA8eO7ESUt6rkdVLE8m4BQJjY7/GAhsDBQsJCAcDBRUKCQgLBRYCAwEA
Ah4BAheAAAoJEN6rkdVLE8m42PwP/RFmUzgsoM23Z/NQ2AacCFTmHweEllkmf+25
3hP80BuSHKsdzlmllFux+xbKZEpQK0nL3fqW8yyv69WmsoKZPpZJxmQ6bwUbtXC7
rHkt5gfOXiTaxDBmgO2dcnDsKLb+bEQ7C5hay1P8rOvf13a4UZeTP37gRGmMr38+
LvADIspIxBdSvFa7Hb4HKG4VVDai8jaPCF0q8daEWMJxyKSfOQBtSVVAzjLcGrYR
bCPDAI1DEASyQOru52WREe4vJCwSaq9dZyGhaWcnyTVQO8bsSLxu7cUVxA3SOheQ
izYKkYNbaBDmWlZxLYFsTUf5izEYdW5BwHaowmw22hSspFod+c37BoY/ePfkR5iQ
YuEff/unyqvdHMDqIXWZqpAi5o5hW3jdCd7ZL5T0WWjz4CQ8eko1ZYYnYzZlDrge
F0veW8+lzHBLx3Ad8HyVGwtRe+VV1V0AZ0lpWMtxo02ZDRtqNDqPqVfLT5P87ZPv
r5GhKtedgrjwY2clgmCT0xgAKNxi2SC+c/vI5PRkIoqwbTiryLIYq8tl6T1k6AMY
eN1ZNQR7eNEXpIvYRD/BZw7IWKkCRaKwfDVhUHCm0ikylwdLXIfEEEA5mu2LJeZh
vCddhks0S8+lRyWR/3okurF6rlloNtM1pslceh2AMDwfs3fORhYJxFsV7O7fyRnD
NS93fq56mQINBGNj8P4BEADXK//p0lWEUNUYirsm6BUyUXqPlPrpVTdPB1tJPj1o
zgeMKFOpYRPU1IZF1G6pbKD09gL6y19LehQYx1a57PF7kCx2ZvvcFN24EHto1H1p
Ti48dZ7KyyEO1rBeLY5Zjgz6YvQZcSH3cd6cTrAo7hPIAjtgSTWp04FjtYJqf+tT
gf+9ZWY+i4nQ6/Q5Z5NUd8jsOcOoFDsmY6Fds+lzn0aZSg2yfd8fnX5QFOIwDv66
aM25q2kvkrX0wtvSQbulC8x5g6fIB3xEL6MWbXcEBYkBMW5Cnw/Kmyj7lJwVwvEO
FFhKaOH/d2LG3rM66gl048aJYLhEJyFSyooBynXs8S/NLDgca94Bvb54FPX8LC3p
lqJRLxhdkha5NLcUYiHOq/L7LWdThh5rRAy87Ggog8TVza118K3oiYujlyVEzLhB
NVMT8x5kl15YknVgOKJAv9j28bSZihHrS7aga1BtYFD8yA9MuuDaHARV6YmThkdg
OEz/PNECjsxCLcT5Bbthzg6Jg1qo3Unyeup0UbyX4zxSphCVmerDmMYddLjJ/ydc
1uxyn4IPINBSx2sAPuUIymhVC29MB6N+SnB37/poTvSsIH15Vg264OVdaervIpuC
W3eUANr7zrdO85nc1CTWGhugFwccXv9nyxAt8zUF/ci17p1/mLpy9K3LqlStVI9j
MwARAQABtDBDYXRoeSBBbG1vbmQgKENvZGUtU2lnbmluZyBLZXkpIDxjYXRoeWFA
aXNjLm9yZz6JAk4EEwEKADgWIQT8h0w+P+hncHCscb617/asfhrd+AUCY2Pw/gIb
AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRC17/asfhrd+HM6D/9KD/n245Fq
jVzew92lJtufAxAFkTA5WO6fXweMlUeqMOub4vpVMLPLoFe5TzWbJMtF0m/P5+aU
YbcvZBWFHsrnwTgA55c1VrhggLOxpw4EU0TvBdwrO7PFOYc2WznaMG+mJdqw+uNM
yK+G44aIaC6rvi3ILSo5HPnbgQWHs39QIRLLcUjtqvavQQeyYAl0zrvNI9Xrs/Nf
eE6PS4hIXg90A9VJRhay18w9hA+STb+xmK+3oSwP1ayLqqQ43OnV/pExSHBsjBQk
4p1nIPlRFL30lGp/o2MoBsRvQM1tELpgBTk1LaTHzuKEpOskrWU37xu0QgEtj7YE
r0X+GGBxgJuUzqSyLsaDgH1sEDqE+AthFfv2dxDadcXM2cdch9y3OyuSMo89aWGc
mEVyesjYoV40tDCG73qLtfehhV/iARDMCfnZGyGYIZdDBL+tZTNeLKVDIUi/R3x9
OmpEl8ZuCuYltyEsJnCF/rQBVMgcTOmsMu6CMx+qT3kC8iGtHqkUT2ufpKISahTn
e329FQjClEWwBHkr0T4K80Z0REjSo6UBtio73IOCxXe0RqO37L/qgo8xKZbLxy86
857PRWJhgbw169FJ2kR5p+M5d/g/MUeYnigvWlORW5LyrFg6RnZ1ZbULZI80QhHN
aSFf/w020HBsLCkzWA/XM6MO2ifJTSn8NpkCDQRkSjCrARAApLUMHAbmxUMWLgDQ
apRZBwWXriEyIVqA/SIy1PyWPPFXqs3LZ5Kn5Gw1WO8PfzkPZNtccGmNLjujIoRB
qR41nV5zxcpS896SujBoYl80A4F4v9Op9i2pFeI9r9acFcUDjbGWBqNro4EfRcJN
Ctkd9+pl3TUvFX06QCTxmmHy3M81SW3b4NWI+jia1cKjCd+qBFBgKWdjSMBeVTBC
R9eKqsBQ1UJql2bRzc8pReS+TYCeEbhaOCvUCCKCwGtsSUOW726iNB/4zR4OOuQV
B9ORufwed+E/RXa8N08/l5O96uXG0krJtOVm0/qQcXOaKxiDo6djnAgCdjFK5zaj
7594wqbI7de58alWb/egqIhjBTgk+/cO+epZ05qx5SoJZL7ny2ottrfS2cBqP4g1
SIt1sYl9ImHmJkNrNDy0s25nE9Nga6OfRqVbwnwot4ouTGwj0oZsCjw+gWjDdztH
1fUWSnlA8jaX9/RZG2wKt9dI+Tp/U4d5dyTb8lIIzzgtAzDmDfPxwwT0rxAAL13A
gDkJ0AzXA4WTOxb/JE2yfCz//kt7n8SYM//LixL4VAB7e/wnfZBhTq0OFpaPjFU0
h/k0dc40AqcUuK3lSSjQr3KTzRHtjz8qtN4DFSuyZac83QSVtWE1rFKjS8bl3XHC
kFFRJ2dMt2WRSkLOYNiTGbYLvmEAEQEAAbQwQW5kcmVpIFBhdmVsIChDb2RlLVNp
Z25pbmcgS2V5KSA8YW5kcmVpQGlzYy5vcmc+iQJOBBMBCgA4FiEE2mo1COZypJ3T
gq/ZW49NkbiO2QkFAmRKMKsCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
W49NkbiO2QnQZw//XCpeqT0z/sqtu4FYWwYLz1OvWqhe+uA45f9BccnNSVkGFa7w
3hlLQC/FLUIx2cVy9AluJBP29iQge/bCcXnzo/QvCbhe/4lCTxhr7nsBe1bWpuNI
4Pl+cQxZQBwcz74zZ1jjaaQOqm3XtdZxeKNfCQmNvz389UZEk2m8K6qJD23fy20V
n5Y2C502UuP3MitbYKBxBSbs+Auwy1evz/prQ9VeD4Nv3Zr+jWbWFW+dSDC8jkrX
cGdwWrUQ51QD8VBB9lPWPGY6yTbRmacr4AlVSo2DAfyjHRrGHigRF/VAD5p1+u2g
3UFLJaEyujfzwU1kG4+zQCWZ2W2UBOekklq/yefxEY5vU1/Lad7vQhBmogQNF21T
FvLUE6ez7XNsdMZStDPiT8OoTyFZYLRM4yw5rWKw+1mICBv7NV82YD/8hoMoZPyX
2tNRTXv2MZ6qD++0dMCIZNEyFTB344srvQSyJ7K7vwxulc7iFWngRA8oe6JkAhH4
B0yNq1FJm6jIL41S2FmnDL3DlfAdKWapBqzgqkv+X5DQBaTlG9a4BcSsdMJgU/Yx
dD03YsKhDtEWTqBmmEamR1K1CgCC3mOJfsHB5z+Qhdraz2hMr00EQrD5lnpLLpcF
rYWoilvVlRy7Y7U5wfhY4074L2ZfB+yElKsvtfGKJX/8g+eJdeRuII+hjEc=
=NX7P
-----END PGP PUBLIC KEY BLOCK-----

2
SOURCES/named-chroot.files
Unescape View File

@ -16,8 +16,6 @@
/etc/named /etc/named
/usr/lib64/bind /usr/lib64/bind
/usr/lib/bind /usr/lib/bind
/usr/lib64/named
/usr/lib/named
/usr/share/GeoIP /usr/share/GeoIP
/run/named /run/named
/proc/sys/net/ipv4/ip_local_port_range /proc/sys/net/ipv4/ip_local_port_range

3
SOURCES/named-chroot.service
Unescape View File

@ -17,7 +17,7 @@ EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/var/named/chroot/run/named/named.pid PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
@ -25,6 +25,7 @@ ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/r
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=false PrivateTmp=false
Restart=on-abnormal
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

26
SOURCES/named-pkcs11.service
Unescape View File

@ -1,26 +0,0 @@
[Unit]
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target

8
SOURCES/named.conf.sample
Unescape View File

@ -159,17 +159,17 @@ view "internal"
*/ */
zone "my.internal.zone" { zone "my.internal.zone" {
type master; type primary;
file "my.internal.zone.db"; file "my.internal.zone.db";
}; };
zone "my.slave.internal.zone" { zone "my.slave.internal.zone" {
type slave; type secondary;
file "slaves/my.slave.internal.zone.db"; file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; } ; masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them // put slave zones in the slaves/ directory so named can update them
}; };
zone "my.ddns.internal.zone" { zone "my.ddns.internal.zone" {
type master; type primary;
allow-update { key ddns_key; }; allow-update { key ddns_key; };
file "dynamic/my.ddns.internal.zone.db"; file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them // put dynamically updateable zones in the slaves/ directory so named can update them
@ -202,7 +202,7 @@ view "external"
// contain entries for just your web and mail servers: // contain entries for just your web and mail servers:
zone "my.external.zone" { zone "my.external.zone" {
type master; type primary;
file "my.external.zone.db"; file "my.external.zone.db";
}; };
}; };

10
SOURCES/named.rfc1912.zones
Unescape View File

@ -15,31 +15,31 @@
// //
zone "localhost.localdomain" IN { zone "localhost.localdomain" IN {
type master; type primary;
file "named.localhost"; file "named.localhost";
allow-update { none; }; allow-update { none; };
}; };
zone "localhost" IN { zone "localhost" IN {
type master; type primary;
file "named.localhost"; file "named.localhost";
allow-update { none; }; allow-update { none; };
}; };
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master; type primary;
file "named.loopback"; file "named.loopback";
allow-update { none; }; allow-update { none; };
}; };
zone "1.0.0.127.in-addr.arpa" IN { zone "1.0.0.127.in-addr.arpa" IN {
type master; type primary;
file "named.loopback"; file "named.loopback";
allow-update { none; }; allow-update { none; };
}; };
zone "0.in-addr.arpa" IN { zone "0.in-addr.arpa" IN {
type master; type primary;
file "named.empty"; file "named.empty";
allow-update { none; }; allow-update { none; };
}; };

148
SOURCES/named.root
Unescape View File

@ -1,56 +1,92 @@
; This file holds the information on root name servers needed to
; <<>> DiG 9.18.20 <<>> -4 +tcp +norec +nostats @d.root-servers.net ; initialize cache of Internet domain name servers
; (1 server found) ; (e.g. reference this file in the "cache . <file>"
;; global options: +cmd ; configuration file of BIND domain name servers).
;; Got answer: ;
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47286 ; This file is made available by InterNIC
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27 ; under anonymous FTP as
; file /domain/named.cache
;; OPT PSEUDOSECTION: ; on server FTP.INTERNIC.NET
; EDNS: version: 0, flags:; udp: 1450 ; -OR- RS.INTERNIC.NET
;; QUESTION SECTION: ;
;. IN NS ; last update: December 20, 2023
; related version of root zone: 2023122001
;; ANSWER SECTION: ;
. 518400 IN NS a.root-servers.net. ; FORMERLY NS.INTERNIC.NET
. 518400 IN NS b.root-servers.net. ;
. 518400 IN NS c.root-servers.net. . 3600000 NS A.ROOT-SERVERS.NET.
. 518400 IN NS d.root-servers.net. A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
. 518400 IN NS e.root-servers.net. A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
. 518400 IN NS f.root-servers.net. ;
. 518400 IN NS g.root-servers.net. ; FORMERLY NS1.ISI.EDU
. 518400 IN NS h.root-servers.net. ;
. 518400 IN NS i.root-servers.net. . 3600000 NS B.ROOT-SERVERS.NET.
. 518400 IN NS j.root-servers.net. B.ROOT-SERVERS.NET. 3600000 A 170.247.170.2
. 518400 IN NS k.root-servers.net. B.ROOT-SERVERS.NET. 3600000 AAAA 2801:1b8:10::b
. 518400 IN NS l.root-servers.net. ;
. 518400 IN NS m.root-servers.net. ; FORMERLY C.PSI.NET
;
;; ADDITIONAL SECTION: . 3600000 NS C.ROOT-SERVERS.NET.
a.root-servers.net. 518400 IN A 198.41.0.4 C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
b.root-servers.net. 518400 IN A 170.247.170.2 C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
c.root-servers.net. 518400 IN A 192.33.4.12 ;
d.root-servers.net. 518400 IN A 199.7.91.13 ; FORMERLY TERP.UMD.EDU
e.root-servers.net. 518400 IN A 192.203.230.10 ;
f.root-servers.net. 518400 IN A 192.5.5.241 . 3600000 NS D.ROOT-SERVERS.NET.
g.root-servers.net. 518400 IN A 192.112.36.4 D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
h.root-servers.net. 518400 IN A 198.97.190.53 D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
i.root-servers.net. 518400 IN A 192.36.148.17 ;
j.root-servers.net. 518400 IN A 192.58.128.30 ; FORMERLY NS.NASA.GOV
k.root-servers.net. 518400 IN A 193.0.14.129 ;
l.root-servers.net. 518400 IN A 199.7.83.42 . 3600000 NS E.ROOT-SERVERS.NET.
m.root-servers.net. 518400 IN A 202.12.27.33 E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30 E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b ;
c.root-servers.net. 518400 IN AAAA 2001:500:2::c ; FORMERLY NS.ISC.ORG
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d ;
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e . 3600000 NS F.ROOT-SERVERS.NET.
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
h.root-servers.net. 518400 IN AAAA 2001:500:1::53 ;
i.root-servers.net. 518400 IN AAAA 2001:7fe::53 ; FORMERLY NS.NIC.DDN.MIL
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30 ;
k.root-servers.net. 518400 IN AAAA 2001:7fd::1 . 3600000 NS G.ROOT-SERVERS.NET.
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42 G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
m.root-servers.net. 518400 IN AAAA 2001:dc3::35 G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
; End of file

3
SOURCES/named.service
Unescape View File

@ -13,13 +13,14 @@ EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi' ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi' ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID' ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true PrivateTmp=true
Restart=on-abnormal
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

865
SPECS/bind.spec
View File

File diff suppressed because it is too large Load Diff
Write Preview
Loading…
Cancel
Save