import bind9.18-9.18.29-1.el9

.bind9.18.metadata

@@ -0,0 +1 @@
+33ff5a86e56d65859358749654ea848809bd4532 SOURCES/bind-9.18.29.tar.xz

.gitignore

@@ -0,0 +1 @@
+SOURCES/bind-9.18.29.tar.xz

SOURCES/bind-9.16-redhat_doc.patch

@@ -0,0 +1,66 @@
+From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 17 Jun 2020 23:17:13 +0200
+Subject: [PATCH] Update man named with Red Hat specifics
+
+This is almost unmodified text and requires revalidation. Some of those
+statements are no longer correct.
+---
+ bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/bin/named/named.rst b/bin/named/named.rst
+index ea440b2..fa51984 100644
+--- a/bin/named/named.rst
++++ b/bin/named/named.rst
+@@ -212,6 +212,47 @@ Files
+ |named_pid|
+    The default process-id file.
+ 
++Notes
++~~~~~
++
++**Red Hat SELinux BIND Security Profile:**
++
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities . See the selinux(8) man page
++for information about SElinux.
++
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++
++*With this extra security comes some restrictions:*
++
++By default, the SELinux policy does not allow named to write any master
++zone database files. Only the root user may create files in the $ROOTDIR/var/named
++zone database file directory (the options { "directory" } option), where
++$ROOTDIR is set in /etc/sysconfig/named.
++
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context *named_zone_t* .
++
++By default, SELinux prevents any role from modifying *named_zone_t* files; this
++means that files in the zone database directory cannot be modified by dynamic
++DNS (DDNS) updates or zone transfers.
++
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
++*/var/named/data*. By placing files you want named to modify, such as
++slave or DDNS updateable zone files and database / statistics dump files in
++these directories, named will work normally and no further operator action is
++required. Files in these directories are automatically assigned the '*named_cache_t*'
++file context, which SELinux allows named to write.
++
++
+ See Also
+ ~~~~~~~~
+ 
+-- 
+2.34.1
+

SOURCES/bind-9.18-unittest-netmgr-unstable.patch

@@ -0,0 +1,75 @@
+From 0f3a398fe813189c5dd56b0367a72c7b3f19504b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 14 Sep 2022 13:06:24 +0200
+Subject: [PATCH] Disable some often failing tests
+
+Make those tests skipped in default build, when CI=true environment is
+set. It is not clear why they fail mostly on COPR, but they do fail
+often.
+---
+ tests/isc/netmgr_test.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c
+index 94e4bf7..7f9629c 100644
+--- a/tests/isc/netmgr_test.c
++++ b/tests/isc/netmgr_test.c
+@@ -1567,13 +1567,13 @@ stream_half_recv_half_send(void **state __attribute__((unused))) {
+ /* TCP */
+ ISC_RUN_TEST_IMPL(tcp_noop) { stream_noop(state); }
+ 
+-ISC_RUN_TEST_IMPL(tcp_noresponse) { stream_noresponse(state); }
++ISC_RUN_TEST_IMPL(tcp_noresponse) { SKIP_IN_CI; stream_noresponse(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_timeout_recovery) { stream_timeout_recovery(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_one) { stream_recv_one(state); }
+ 
+-ISC_RUN_TEST_IMPL(tcp_recv_two) { stream_recv_two(state); }
++ISC_RUN_TEST_IMPL(tcp_recv_two) { SKIP_IN_CI; stream_recv_two(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_send) {
+ 	SKIP_IN_CI;
+@@ -1623,6 +1623,7 @@ ISC_RUN_TEST_IMPL(tcp_recv_one_quota) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_two_quota) {
++	SKIP_IN_CI;
+ 	atomic_store(&check_listener_quota, true);
+ 	stream_recv_two(state);
+ }
+@@ -1836,6 +1837,7 @@ ISC_RUN_TEST_IMPL(tcpdns_recv_two) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+ 	isc_nmsocket_t *listen_sock = NULL;
+ 
++	SKIP_IN_CI;
+ 	atomic_store(&nsends, 2);
+ 
+ 	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+@@ -2095,6 +2097,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tls_recv_two) {
++	SKIP_IN_CI;
+ 	stream_use_TLS = true;
+ 	stream_recv_two(state);
+ }
+@@ -2160,6 +2163,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one_quota) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tls_recv_two_quota) {
++	SKIP_IN_CI;
+ 	stream_use_TLS = true;
+ 	atomic_store(&check_listener_quota, true);
+ 	stream_recv_two(state);
+@@ -2395,6 +2399,7 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_two) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+ 	isc_nmsocket_t *listen_sock = NULL;
+ 
++	SKIP_IN_CI;
+ 	atomic_store(&nsends, 2);
+ 
+ 	result = isc_nm_listentlsdns(listen_nm, &tcp_listen_addr,
+-- 
+2.37.2
+

SOURCES/bind-9.18.29.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAma+DmEACgkQGC4jV5Ri
+76q1FQ/8CXrIA21FAdnGuGqC53EVOzFl3QptFMThoVTO0kzp7rQcwv8xE/gphXnT
+j4DWMAZ/tDW6ZalDbmCh6t+z/0pXewHB+43CILSkzU9Gi5gnAUHdIdlGQnYH/x2N
+eyHBKuB9Wubmi87Yu8zjtF+Xu43qgcYqNKP/QqU9YwsqPQ+7GgcKAETVidFMB9/4
+QZiMT4gMawguft+BwFZ1eYvk0Bemk0OkKhofyWDcVnl5r93pvTIK3SsIHyEHx7xu
+dbG9Z5HhoaJ8b48djahrrYSQCQ0Dn9KbEVLu+/BS5tz+k+V1VI1pk4OS15wn7yBZ
+8EqAGc5xj4MEKW7PEteOK7QQQE59yKY6SGwt+tQwokUZ/Rq4bAx2bHXY83oRBULo
+BIRDdgoxc9X44YQ/a55La+7/xq2eCYwW2s364R4To3K58nPCNlkdEQUziY1V7guR
+3zOcHPAZNe5bK7bN3BMDusQgtoerfSUC1x+zj5Nm9Xnb/yAtVUyiP/k/zlIds9W3
+rKSCM5FAuacZdWQKeVpRa1EaXhObm08qLO9a/Dc/Qvll8GKAmrMoll2WwEoUVlZ3
+HwZPRsPIWYSCemtHmp36b7nOZ0vo4NMXjb2nV7xW3a8BqOD3RW0XiTlC814qmqsU
+x16eOHowvtDw58abeBzPJ2k1yne1Ic2zBdJzUM9wqdJCoBN5g0A=
+=2EW2
+-----END PGP SIGNATURE-----

SOURCES/bind-9.5-PIE.patch

@@ -0,0 +1,17 @@
+diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
+index 57a023b..085f2f7 100644
+--- a/bin/named/Makefile.am
++++ b/bin/named/Makefile.am
+@@ -32,9 +32,12 @@ AM_CPPFLAGS +=				\
+ endif HAVE_LIBXML2
+ 
+ AM_CPPFLAGS +=						\
++	-fpie                                           \
+ 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
+ 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+ 
++AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
++
+ sbin_PROGRAMS = named
+ 
+ nodist_named_SOURCES = xsl.c

SOURCES/bind.tmpfiles.d

@@ -0,0 +1 @@
+d /run/named 0755 named named -

SOURCES/generate-rndc-key.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [ -r /etc/rc.d/init.d/functions ]; then
+	. /etc/rc.d/init.d/functions
+else
+success() {
+	echo $" OK "
+}
+
+failure() {
+	echo -n " "
+	echo $"FAILED"
+}
+fi
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then
+  echo -n $"Generating /etc/rndc.key:"
+  if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
+  then
+    chmod 640 /etc/rndc.key
+    chown root:named /etc/rndc.key
+    [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+    success $"/etc/rndc.key generation"
+    echo
+  else
+    rc=$?
+    failure $"/etc/rndc.key generation"
+    echo
+    exit $rc
+  fi
+fi

SOURCES/isc-keyblock.asc

@@ -0,0 +1,175 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGNjen4BEADDHiUVNbkFtiKPaMWjKxbKmF1nmv7XKjDhwSww6WFiGPbQyxNM
+r8EHlEJx5kMT67rx0IYMhTLiXm/9C4dGYyUfFWc35CGetuzstzCNkwJs7vZAhEyk
++06CX4GFiHPOmWIupGCxFkNz1Qopz3ZePMlZRslVCHzW4dbg5NKLI0ojXlNaTDU5
+mgUXpsPi/6l6QE6q3ouvmWPF4u71cZ1+W4UkIRAXOlbVsDzGaMaoHjJd8cOM8DrZ
+gKHACNPjzqOvEujXDC2vyKw6XpxR+pHz0QcrRtlKnVhPNiKcDfw2mJJ5zxi9uSDc
+dh5FomMn9sS4gy2Tub2urELnPf9xnURftRGG3VO6nZc81ufQB4s1BNT2ny0Uhx5V
+mXUJwefMypMBfAvWCWBCeyWYtBeo7LT3NmtLq3oVGPfl7+a0ToFAYeghspK8/nOX
+6/fqF1MEtzvWjXljz6K7FSDYSY9AoaESLHGwCo6dtff5S7f1+l6PCUNo6aM/B5Ke
+SIAN9Lm6z2iVuy9Lukw+5IRoRKHHV4rJauPtDeYoWnNiSd7Q4vFtotUIjRpDARpm
+xWS711Q2T+knHFLEiU8QzxjLhOnTzh4n9dDLHCkOY5WM5krldVeL5EuTyPKinuSn
+oE01A7I4IGJp753CshibxjNYDiEOVeK93R38Y543edlIrYxnfyMVsiqPkwARAQAB
+tDRNaWNoYcWCIEvEmXBpZcWEIChDb2RlLVNpZ25pbmcgS2V5KSA8bWljaGFsQGlz
+Yy5vcmc+iQJOBBMBCgA4FiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmNjen4CGwMF
+CwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQUQpkKgbFLOwiLxAAjYuI4JQ8mPq7
+YrV9m4tu+jOKvoKfpjct2Rh02n/X3ChOgrdcXU898eH56tRk8Mv/E+cBTPN9zQn6
+rLprbYR2t2R+zgvuUZWA8In7aewoPIJw8OdlG0gTK9m3VHJIOhIX07qcFttSZw4m
+4rEU5mdxi9FatBWBzqnVm4Pn577aqRXK908j+6TvgWbZ6Cq0tw3syVT4kGj+93+P
+uIQQQkTYN8UDQPsAKzfzkbQC9I5YXBKUoB9CfhXig8V9N75R0gsWkJ8Vy/8wsPXT
+9/EPIIzhnhSuUIjvvBPbLGrzDgbhrfUQ/QVuXDVN8xl3rAWM/tiNGOnmzoYORyM5
+ftrnCDIaO4aVKR6rtEzfdQa5Kid1StfhFien/U8jYErxkEn2HRt2gVEX5nYq31T+
+0jgVode2Dzkm4+HKHmfOYsQeC07Mu6wZw9raNYqFjTcfh0ajFpLIT3j2YqOJE2jy
+KbcveJcy2NiOiUl13exIZuBkZm0wEVbvgVX1PlgL3GJqnbU/Q+maRTb8FBoQVsOd
+GIm7U/phU91qR+00SkOcp2LgHCCNKrmHXgiBNYBbInNIp6ze3bFvfKTRFn8WdY9v
+Z7vNfKar8rt90mpjYG9qMhmvh4E9icfp3wRUtOwyi7VVtVTTUq0iFTe2C0m0v6KW
+XcDwwwaTbl79BOqOH3Gp1flS2ECBsyiZAg0EY2N8xQEQAMWcyZbpxEyefX4JTszG
+ocpz8C8yqvZJQUfoDK5AecQWR7OegPkIqwJcHEH5cz+MduklXNQdra/snn6pxGig
+At3xCwfzRTH/aYXdjcjnma1elzZSTgk6Maw4zR/W9wea2DcUtMCcsys0gviN/VUe
+Aqt+5pmhy2PlEWfJG+Mzyrqgz3Q8hRyAJAKONAwNhs1A4ZqQX/6iuCkJbH1CBeoW
++c+5qJHYEXsx25qR1yiKOFo5b90QOcwaebUq+xKQRlnESn75FTgDjDfDm9BqrHcn
+Tv79kOuIN5vhz4BCsuo5QbNu4RGrs/1VSTPvMf5AN7xs9pYNMAEde7pSF1Ps3B5p
+CE6iUw9L53ytV4iJQKXpzG29LofUu65YQjIXPgK7NbBO7FUHA41YbSfoWiOAjfMh
+iE025YM2+RPQh/Nrc3PqBj4h21ycT+d8eEXKfc/okbVFFE9dKS1hUwKgSrs7baOG
+CBZdpiB+t3jWrr8UrteALab7v0rndco3QKOe9U3f+Gm3MdgLK1TGiRgpdyiIXEel
+J7zhsdoYEvaKMgUOjhf+COdlf8b9ITg93mDKe8h0OcpirCXw4O2ma3sklabzZKZf
+CPhhja6Ro5gmO5pxaLau+esQWNrjEikynNIs+GRphtcFsVVH+ww26mR0nI65Llgv
+kb4+DrbDGSPP6R/C2q/LMLM1ABEBAAG0ME1pY2hhbCBOb3dhayAoQ29kZS1TaWdu
+aW5nIEtleSkgPG1ub3dha0Bpc2Mub3JnPokCTgQTAQoAOBYhBNmczq+Hl0cBTwON
+YxguI1eUYu+qBQJjY3zFAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBgu
+I1eUYu+q9IAP/j/GGneuvjwbXdATiQAmkiFlOxjs+SsO/hgA/mmWcm+Kpg4cAlbP
+C2xEDa6biJyZ8TmLZEqPNrRm/umiisC8JnIJpIbInn42n4aDCRDW35lrYGdnP1Ft
+fexnEOWAJBDRVvh9OnfRfvf+HLFfLFl40b/15YzkTYGIfrMR9y8zalkzXxsVNsyr
+9Eq2pmYR7BT2z8d/9SAVuh8D3qgUylIgcFcCFJodsrI4zJSpIMfMntwVsZxDlis8
+JVFN8/pfhuBBe6vjqX/cGJnj6OL3T12jvvniv13W3rar2Ocm6XA9j1t5TZNhKqAy
+azAKu52NtdJjh25B6C/H+haXAX1eduCCE74uSarqS3F1wf6JI3p8fnWzk4hZNzxp
+nZjIk3vrHNjE4jXTZosXCf5DoVRfMpNbxj3YEnXV+kNZQRYPPatUPgFYbxz91hbN
+tHyCiy0GmTyf0QId8LTc0y9mPtP9QureJJ6rL8lt7pvXyrYglqhxDgRhJIGKMKdw
+0bQtTEF4tyNzC4/sg4/omAGH66clhXlqMmuUjHSUiQyA4LL1mJl63Q+bwqXX4B8t
+898tSUmb4Jmg3jLZ3Z9Hl7H8Sp3yYPOLzb2YUF6w3xFsUrNNzVxHFo8tAtEhtEfX
+D+ypkowZq8g41WqMlOBrrzQFuExUSXckH2Cn97lV6lkBoueqxP+Zv0bbmQINBGNj
+qIkBEADDw/CKszyuFKpVp4Z26rKJ3ooOlp8p9a+fmfuknPtMjJMSX8xK8pOlK739
+K83yvDRUidT4+R9IAUKM7TqGA0hoPZmZQLiK0YLlAAXufKxO9IsDZI/7DuF2d8fu
+usKQfS4oJC/IbzOAVwgwodnvKhttLWutT09GxiHrnfVPu6Uf4A+GWtrcTIWhXuxE
+m7+16ToxBOTLtQ3hh79/RndUuM0ldKRRzJUzASGIPmdQJDLCKgSSeaGjZAdq6gkl
+qT/K/R8eoLWSOaBRq8lBE1k7Tq4nSwthMHtCQq4+vxFWH3VF9hwy6ixccROPqt9s
+fNfJK3KF4KGhfejMuVn/Lxp1v+Ne2DsdnVofFakAbBMpMyauzAyXPncYSfFhzLBD
+kkn7THkfRznmHD8ux89kV534EyqYLjAy8AAD6zNc3tSYgfC0UUw7yz05Sl/eV9Xc
+pbezu2ipONlXko8jpCQiiHck599cy+StrjjYPwcHF5m8uUlNnzHoUj8qsoK5SA8u
+RnTW2I4DFbL0+x8eL7gmNQYFdMaA4azogtaTFWgPL2jPJ3B+/bUfHDZflvR0FB5+
+OD/QHsDv4SB6uX8TOhGbFsHpt7E0scb2U9B8gQeQQJZ3jmcIRp+K18mjYh/ErDFW
+23ixBe7h3tn2MGUTOhv1ibOYDE3GYBuGLQiom6yhCs8zrneuAQARAQABtDFXbG9k
+ZWsgV2VuY2VsIChDb2RlLVNpZ25pbmcgS2V5KSA8d2xvZGVrQGlzYy5vcmc+iQJO
+BBMBCgA4FiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmNjqIkCGwMFCwkIBwMFFQoJ
+CAsFFgIDAQACHgECF4AACgkQel4ITKylGIRk9g//XrvOYy9zQkpo4Dkol8yLxr99
+Dq9Ur2v8F5Ba4za4QdUxeYrlq8J827mkUqMtnlyb/+3zSMy2I6HAI8QxlDZL5K0g
+Gm7iLrwVTM8nAQiNU5vAe4D6PeO5ATBEvRdAUTQGz4xeaTrUXbmNUSC1dZEPvH1z
+Fa/Z1WZoy9GLeuWDXix6OXTP8FlQWUTL4/ILLtfJDsWCCX7efkyfnvad8Ye2NfU9
+tBjRX5QQ0Dpvgpr8/7El44XcmaHxPWEiq8X2p/d6j3nU/7LspUXRu3ptu5Q2RqMM
+iRDZme2c8zieHETpC7m5sshzGxRtT5jWEtZ6V37On5DNTObvXCiaGV95qgiHi5VG
+s3MFD3QSo1jJI951k68UM8V+OnzbJGN7TezZ3fTn5Pwdd4C4035QMl0E5NXCcXc8
+9d+3DeFmewRRGCaOKPuO/jFPLWcwMlQqp5tkNx8LpqEZfD7/t6FrSvDUsUDU8Rn0
+TQILnUZioO68HmeuJbhKaUCMuZGjBIbBqviiufFRiJuEFOVKADQ1u/P5ct/0T/gE
+JAho3aubzdYMH5DLsaw03W5KfOjeTLW10zSmSK65wnR6fdwlo5l/Sg6Z63QXD+/H
+/OIFgzviJkyoh6MkH55z2K8BDWbhOmaUBjNAcQEXV1KyHeLDkQ+TJfLjctv4KIpv
+D7i6kNIp1b6OSdDS9W+ZAg0EY2OzdwEQAMRWPO237ohaXNpKO+dw1qkfOYYisiTQ
+yfkT7BG0Xvu8jxeOdRuvUzzplgOfwWhOQkyEEXd205/PpwReeeRwhiu0BDSrzYGM
+KZdw9Bw4enoaOinf5WTqM76mc5WUYfvDJIiHies+ANxj4EqTzvSif9hxvvzrbKYV
+lHdaGtLm40D6yZSzDEe3X49DmEABM4g/Bs7NfVJcJ3LtLo6qbLy2tKEgNPW+VN/s
+harufucxnH5HM6BUUOGZx8L04UCNJu+jvZ0zjLc5DqubNO1526kZclAo94DfTkb+
+ir9nxKn7RkdcseibeYPdeIh3le6aU6M0KhTJs3RCxaQF9At08Vrrkh+wkK2Jr5QW
+bs8cHpEJ+Q7BwDuAQetFi94eq7Sswh4mjhJ6ZnFCx8v9EbQnvL76afMbhZOezpaQ
+aAwXVuIio2fsJpHfxWnXb93H1QKiOQdBZZLQGowcFQCqAWg7h2FwWWbKMV1smGHr
+/28tLZtk/4aSCd9cZ9+nofFPPemPLbYwnBECIZN21QKZ2oBXKxb3hchy4EBTKWtC
+G/fbTsjSfTCUpMNZ57HO3rGXchjSdIf+tTGJpAqWkTcXuhWXBMWPK6/2REk/DKis
+XHugHg9R9hqGs2DaMpGh5NrOLly9+0dsjU15iTQucXbCS9895bRtmDjIN8dLSo9H
+6DDw4yO7SHTlABEBAAG0NE1hcmNpbiBHb2R6aW5hIChDb2RlLVNpZ25pbmcgS2V5
+KSA8bWdvZHppbmFAaXNjLm9yZz6JAk4EEwEKADgWIQQJCioHkj+SW1dngDpC5d94
+yDJx2wUCY2OzdwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBC5d94yDJx
+29U0D/41C8WaGEphQW1N5lT/1284qiPuz3w3iSciAAoAe8iHUGBcSNpAWQmWvWXI
+buKb92Gtt8JtSOHwQj8qiHjqRsUu02t/tEgQMQUq6p2jqbxODJfHR8oMFMMB0i0I
+RgKtEQeq5wRJpVtH+zIFSl9PorsJtHHfhVbqxvE/axcNKa+WaqZdHuKMqADupQEw
+6rD7yYVX6YPiHxMhba2AAAoHT/3VpHC0JidZ5BWGwkfnGbV1/7O91GHfJx6KN/AK
+DKb5hFl4TrieDLJzphBWg0y4FJ4K7WSIKvcT2cLel9f9pHV6ysqSZWkCbkjkaVIi
+LyoA0o7l263WU0D5oG2ihW6Pa2YrWHDDjfTem+kOEFsMjN+Gw74I4KWUBtldfnHK
+A8TyeviKkVok1lwDAoJ3LJi/bcyCLgBZLInOU31mQ7mIXq1ENCOIvQvaG0Lwdt59
+sBI8sknHkt+54t/VCaKbWSBOzgGur6EDf9WtPHWvHNCKEleDiHCELdhRYYtENO7T
+vTv6Fq6Lh26dor26LnARLPvGLAKwONJ0vlTEG8IyoD5AHz9MwdXYgzh8wIvc/HtD
+/0FlQGLd0WYVI6UjZfPxHOZAzARJKXLJMqiSn8hnO8v6JZaUcOF0yRKTKtzqsjzU
+v9TubCGdQAaCSCaD2fmA0BEs/FpOnZ8P1fXMpcHGEtMV0qc0wZkCDQRjY7/GARAA
+ubCCHkdiMblMA9ZlcOVN1Wep7TuYxQouATTb+73iHDQRNIU7DvluHoSq5zJe1Qst
+zjTmtlkr2dyI5JnBexUEKrw2X7gPXfLaXY01gLLB/Jn8tU9VxPqBybxmjmEdP58B
+I7BwmCyMYNqDuvPSfTMlogH/pF35Al+c8UbOfDEQqxSO2nKPNa4T5ZoVxvMxV4gn
+hEJPv8Xte/wiE+CxxbmO2we6rwJjWe7O3T0mNmqvpO8iIsLlQnwTFD5L1huywPc0
+UDHK0nl8k2lkue2buaOiancLatXt/i+L1DIimCgZwOt3DlVLURH5lz5ALXE/fn+5
+wKkp+XVyNTAEFhSGifgBDYFw3nZeRTU7unMsRssL8SjuwPWoCcRI/3VE08xCuXc+
+h6NpGfeJjLRgUSSBF+958djY320TcXaRLrqRhjcJ34dBsDYsRSC15nnq2JU6Vj5t
+rJL9qOdwVAFwKeAfROUULcy/LHZ3QgKLN5jOfdqYzE2KHk1+VANttRPTG34i6uq6
+yzCFFYadwST22+QWvxh2ohYj2INvvrzRf3lVxssWyb4USB0JPajgnGeNY/hSYfDa
+KArqOr9S+3q7h0v4RgoPxDRFIC8v/10W4wPC7R3wj0m/1WHkSm951Wtzq3V84uCF
+LLhx2ByNpnJFRFqklonAH3WHUIeYcdXAsTeunrGU/XsAEQEAAbQuR3JlZyBDaG91
+bGVzIChDb2RlLVNpZ25pbmcgS2V5KSA8Z3JlZ0Bpc2Mub3JnPokCTgQTAQoAOBYh
+BJWA1r8syA8eO7ESUt6rkdVLE8m4BQJjY7/GAhsDBQsJCAcDBRUKCQgLBRYCAwEA
+Ah4BAheAAAoJEN6rkdVLE8m42PwP/RFmUzgsoM23Z/NQ2AacCFTmHweEllkmf+25
+3hP80BuSHKsdzlmllFux+xbKZEpQK0nL3fqW8yyv69WmsoKZPpZJxmQ6bwUbtXC7
+rHkt5gfOXiTaxDBmgO2dcnDsKLb+bEQ7C5hay1P8rOvf13a4UZeTP37gRGmMr38+
+LvADIspIxBdSvFa7Hb4HKG4VVDai8jaPCF0q8daEWMJxyKSfOQBtSVVAzjLcGrYR
+bCPDAI1DEASyQOru52WREe4vJCwSaq9dZyGhaWcnyTVQO8bsSLxu7cUVxA3SOheQ
+izYKkYNbaBDmWlZxLYFsTUf5izEYdW5BwHaowmw22hSspFod+c37BoY/ePfkR5iQ
+YuEff/unyqvdHMDqIXWZqpAi5o5hW3jdCd7ZL5T0WWjz4CQ8eko1ZYYnYzZlDrge
+F0veW8+lzHBLx3Ad8HyVGwtRe+VV1V0AZ0lpWMtxo02ZDRtqNDqPqVfLT5P87ZPv
+r5GhKtedgrjwY2clgmCT0xgAKNxi2SC+c/vI5PRkIoqwbTiryLIYq8tl6T1k6AMY
+eN1ZNQR7eNEXpIvYRD/BZw7IWKkCRaKwfDVhUHCm0ikylwdLXIfEEEA5mu2LJeZh
+vCddhks0S8+lRyWR/3okurF6rlloNtM1pslceh2AMDwfs3fORhYJxFsV7O7fyRnD
+NS93fq56mQINBGNj8P4BEADXK//p0lWEUNUYirsm6BUyUXqPlPrpVTdPB1tJPj1o
+zgeMKFOpYRPU1IZF1G6pbKD09gL6y19LehQYx1a57PF7kCx2ZvvcFN24EHto1H1p
+Ti48dZ7KyyEO1rBeLY5Zjgz6YvQZcSH3cd6cTrAo7hPIAjtgSTWp04FjtYJqf+tT
+gf+9ZWY+i4nQ6/Q5Z5NUd8jsOcOoFDsmY6Fds+lzn0aZSg2yfd8fnX5QFOIwDv66
+aM25q2kvkrX0wtvSQbulC8x5g6fIB3xEL6MWbXcEBYkBMW5Cnw/Kmyj7lJwVwvEO
+FFhKaOH/d2LG3rM66gl048aJYLhEJyFSyooBynXs8S/NLDgca94Bvb54FPX8LC3p
+lqJRLxhdkha5NLcUYiHOq/L7LWdThh5rRAy87Ggog8TVza118K3oiYujlyVEzLhB
+NVMT8x5kl15YknVgOKJAv9j28bSZihHrS7aga1BtYFD8yA9MuuDaHARV6YmThkdg
+OEz/PNECjsxCLcT5Bbthzg6Jg1qo3Unyeup0UbyX4zxSphCVmerDmMYddLjJ/ydc
+1uxyn4IPINBSx2sAPuUIymhVC29MB6N+SnB37/poTvSsIH15Vg264OVdaervIpuC
+W3eUANr7zrdO85nc1CTWGhugFwccXv9nyxAt8zUF/ci17p1/mLpy9K3LqlStVI9j
+MwARAQABtDBDYXRoeSBBbG1vbmQgKENvZGUtU2lnbmluZyBLZXkpIDxjYXRoeWFA
+aXNjLm9yZz6JAk4EEwEKADgWIQT8h0w+P+hncHCscb617/asfhrd+AUCY2Pw/gIb
+AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRC17/asfhrd+HM6D/9KD/n245Fq
+jVzew92lJtufAxAFkTA5WO6fXweMlUeqMOub4vpVMLPLoFe5TzWbJMtF0m/P5+aU
+YbcvZBWFHsrnwTgA55c1VrhggLOxpw4EU0TvBdwrO7PFOYc2WznaMG+mJdqw+uNM
+yK+G44aIaC6rvi3ILSo5HPnbgQWHs39QIRLLcUjtqvavQQeyYAl0zrvNI9Xrs/Nf
+eE6PS4hIXg90A9VJRhay18w9hA+STb+xmK+3oSwP1ayLqqQ43OnV/pExSHBsjBQk
+4p1nIPlRFL30lGp/o2MoBsRvQM1tELpgBTk1LaTHzuKEpOskrWU37xu0QgEtj7YE
+r0X+GGBxgJuUzqSyLsaDgH1sEDqE+AthFfv2dxDadcXM2cdch9y3OyuSMo89aWGc
+mEVyesjYoV40tDCG73qLtfehhV/iARDMCfnZGyGYIZdDBL+tZTNeLKVDIUi/R3x9
+OmpEl8ZuCuYltyEsJnCF/rQBVMgcTOmsMu6CMx+qT3kC8iGtHqkUT2ufpKISahTn
+e329FQjClEWwBHkr0T4K80Z0REjSo6UBtio73IOCxXe0RqO37L/qgo8xKZbLxy86
+857PRWJhgbw169FJ2kR5p+M5d/g/MUeYnigvWlORW5LyrFg6RnZ1ZbULZI80QhHN
+aSFf/w020HBsLCkzWA/XM6MO2ifJTSn8NpkCDQRkSjCrARAApLUMHAbmxUMWLgDQ
+apRZBwWXriEyIVqA/SIy1PyWPPFXqs3LZ5Kn5Gw1WO8PfzkPZNtccGmNLjujIoRB
+qR41nV5zxcpS896SujBoYl80A4F4v9Op9i2pFeI9r9acFcUDjbGWBqNro4EfRcJN
+Ctkd9+pl3TUvFX06QCTxmmHy3M81SW3b4NWI+jia1cKjCd+qBFBgKWdjSMBeVTBC
+R9eKqsBQ1UJql2bRzc8pReS+TYCeEbhaOCvUCCKCwGtsSUOW726iNB/4zR4OOuQV
+B9ORufwed+E/RXa8N08/l5O96uXG0krJtOVm0/qQcXOaKxiDo6djnAgCdjFK5zaj
+7594wqbI7de58alWb/egqIhjBTgk+/cO+epZ05qx5SoJZL7ny2ottrfS2cBqP4g1
+SIt1sYl9ImHmJkNrNDy0s25nE9Nga6OfRqVbwnwot4ouTGwj0oZsCjw+gWjDdztH
+1fUWSnlA8jaX9/RZG2wKt9dI+Tp/U4d5dyTb8lIIzzgtAzDmDfPxwwT0rxAAL13A
+gDkJ0AzXA4WTOxb/JE2yfCz//kt7n8SYM//LixL4VAB7e/wnfZBhTq0OFpaPjFU0
+h/k0dc40AqcUuK3lSSjQr3KTzRHtjz8qtN4DFSuyZac83QSVtWE1rFKjS8bl3XHC
+kFFRJ2dMt2WRSkLOYNiTGbYLvmEAEQEAAbQwQW5kcmVpIFBhdmVsIChDb2RlLVNp
+Z25pbmcgS2V5KSA8YW5kcmVpQGlzYy5vcmc+iQJOBBMBCgA4FiEE2mo1COZypJ3T
+gq/ZW49NkbiO2QkFAmRKMKsCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ
+W49NkbiO2QnQZw//XCpeqT0z/sqtu4FYWwYLz1OvWqhe+uA45f9BccnNSVkGFa7w
+3hlLQC/FLUIx2cVy9AluJBP29iQge/bCcXnzo/QvCbhe/4lCTxhr7nsBe1bWpuNI
+4Pl+cQxZQBwcz74zZ1jjaaQOqm3XtdZxeKNfCQmNvz389UZEk2m8K6qJD23fy20V
+n5Y2C502UuP3MitbYKBxBSbs+Auwy1evz/prQ9VeD4Nv3Zr+jWbWFW+dSDC8jkrX
+cGdwWrUQ51QD8VBB9lPWPGY6yTbRmacr4AlVSo2DAfyjHRrGHigRF/VAD5p1+u2g
+3UFLJaEyujfzwU1kG4+zQCWZ2W2UBOekklq/yefxEY5vU1/Lad7vQhBmogQNF21T
+FvLUE6ez7XNsdMZStDPiT8OoTyFZYLRM4yw5rWKw+1mICBv7NV82YD/8hoMoZPyX
+2tNRTXv2MZ6qD++0dMCIZNEyFTB344srvQSyJ7K7vwxulc7iFWngRA8oe6JkAhH4
+B0yNq1FJm6jIL41S2FmnDL3DlfAdKWapBqzgqkv+X5DQBaTlG9a4BcSsdMJgU/Yx
+dD03YsKhDtEWTqBmmEamR1K1CgCC3mOJfsHB5z+Qhdraz2hMr00EQrD5lnpLLpcF
+rYWoilvVlRy7Y7U5wfhY4074L2ZfB+yElKsvtfGKJX/8g+eJdeRuII+hjEc=
+=NX7P
+-----END PGP PUBLIC KEY BLOCK-----

SOURCES/named-chroot-setup.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files

SOURCES/named-chroot.files

@@ -0,0 +1,25 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/usr/share/GeoIP
+/run/named
+/proc/sys/net/ipv4/ip_local_port_range
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named

SOURCES/named-chroot.service

@@ -0,0 +1,31 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target

SOURCES/named-setup-rndc.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh

SOURCES/named.conf

@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	secroots-file	"/var/named/data/named.secroots";
+	recursing-file	"/var/named/data/named.recursing";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-validation yes;
+
+	managed-keys-directory "/var/named/dynamic";
+	geoip-directory "/usr/share/GeoIP";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+

SOURCES/named.conf.sample

@@ -0,0 +1,243 @@
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
+ its manual.
+*/
+
+options
+{
+	// Put files that named is allowed to write in the data/ directory:
+	directory 		"/var/named";		// "Working" directory
+	dump-file 		"data/cache_dump.db";
+        statistics-file 	"data/named_stats.txt";
+        memstatistics-file 	"data/named_mem_stats.txt";
+	secroots-file		"data/named.secroots";
+	recursing-file		"data/named.recursing";
+
+
+	/*
+	  Specify listenning interfaces. You can use list of addresses (';' is
+	  delimiter) or keywords "any"/"none"
+	*/
+	//listen-on port 53	{ any; };
+	listen-on port 53	{ 127.0.0.1; };
+
+	//listen-on-v6 port 53	{ any; };
+	listen-on-v6 port 53	{ ::1; };
+
+	/*
+	  Access restrictions
+
+	  There are two important options:
+	    allow-query { argument; };
+	      - allow queries for authoritative data
+
+	    allow-query-cache { argument; };
+	      - allow queries for non-authoritative data (mostly cached data)
+
+	  You can use address, network address or keywords "any"/"localhost"/"none" as argument
+	  Examples:
+	    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+	*/
+
+	allow-query		{ localhost; };
+	allow-query-cache	{ localhost; };
+
+	/* Enable/disable recursion - recursion yes/no;
+
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	 */
+	recursion yes;
+
+	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+	/* Enable DNSSEC validation on recursive servers */
+	dnssec-validation yes;
+
+	/* In Fedora we use /run/named instead of default /var/run/named
+	   so we have to configure paths properly. */
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+    /* In Fedora we use system-wide Crypto Policy */
+    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+    include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging 
+{
+/*      If you want to enable debugging, eg. using the 'rndc trace' command,
+ *      named will try to write the 'named.run' file in the $directory (/var/named).
+ *      By default, SELinux policy does not allow named to modify the /var/named directory,
+ *      so put the default debug log file in data/ :
+ */
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the 
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+ * If all you want is a caching-only nameserver, then you need only define this view:
+ */
+	match-clients 		{ localhost; };
+	recursion yes;
+
+	# all views must contain the root hints zone:
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+        /* these are zones that contain definitions for all the localhost
+         * names and addresses, as recommended in RFC1912 - these names should
+	 * not leak to the other nameservers:
+	 */
+	include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+   that connect via your directly attached LAN interfaces - "localnets" .
+ */
+	match-clients		{ localnets; };
+	recursion yes;
+
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+        /* these are zones that contain definitions for all the localhost
+         * names and addresses, as recommended in RFC1912 - these names should
+	 * not leak to the other nameservers:
+	 */
+	include "/etc/named.rfc1912.zones";
+
+	// These are your "authoritative" internal zones, and would probably
+	// also be included in the "localhost_resolver" view above :
+
+	/*
+	  NOTE for dynamic DNS zones and secondary zones:
+
+	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+	  If you are using views and DDNS/secondary zones it is strongly
+	  recommended to read FAQ on ISC site (www.isc.org), section
+	  "Configuration and Setup Questions", questions
+	  "How do I share a dynamic zone between multiple views?" and
+	  "How can I make a server a slave for both an internal and an external
+	   view at the same time?"
+	*/
+
+	zone "my.internal.zone" { 
+		type primary;
+		file "my.internal.zone.db";
+	};
+	zone "my.slave.internal.zone" {
+		type secondary;
+		file "slaves/my.slave.internal.zone.db";
+		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+		// put slave zones in the slaves/ directory so named can update them
+	};	
+	zone "my.ddns.internal.zone" {
+		type primary;
+		allow-update { key ddns_key; };
+		file "dynamic/my.ddns.internal.zone.db";
+		// put dynamically updateable zones in the slaves/ directory so named can update them
+	};
+};
+
+key ddns_key
+{
+	algorithm hmac-sha256;
+	secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
+};
+
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+ * that have addresses that are not match any above view:
+ */
+	match-clients		{ any; };
+
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+	recursion no;
+	// you'd probably want to deny recursion to external clients, so you don't
+        // end up providing free DNS service to all takers
+
+	// These are your "authoritative" external zones, and would probably
+        // contain entries for just your web and mail servers:
+
+	zone "my.external.zone" { 
+		type primary;
+		file "my.external.zone.db";
+	};
+};
+
+/* Trusted keys
+
+  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+  should configure at least one trusted key.
+
+  Note that no key written below is valid. Especially root key because root zone
+  is not signed yet.
+*/
+/*
+trust-anchors {
+// Root Key
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		      +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		      ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		      0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		      oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		      RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		      R1AkUTV74bU=";
+
+// Key for forward zone
+example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
+				LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
+				LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
+				UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
+				yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
+				Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
+				Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
+				xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
+
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
+};
+*/

SOURCES/named.empty

@@ -0,0 +1,10 @@
+$TTL 3H
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

SOURCES/named.localhost

@@ -0,0 +1,10 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

SOURCES/named.logrotate

@@ -0,0 +1,12 @@
+/var/named/data/named.run {
+    missingok
+    su named named
+    create 0644 named named
+    postrotate
+        /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
+    endscript
+}

SOURCES/named.loopback

@@ -0,0 +1,11 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1
+	PTR	localhost.

SOURCES/named.rfc1912.zones

@@ -0,0 +1,45 @@
+// named.rfc1912.zones:
+//
+// Provided by Red Hat caching-nameserver package 
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+// and https://tools.ietf.org/html/rfc6303
+// (c)2007 R W Franks
+// 
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// Note: empty-zones-enable yes; option is default.
+// If private ranges should be forwarded, add 
+// disable-empty-zone "."; into options
+// 
+
+zone "localhost.localdomain" IN {
+	type primary;
+	file "named.localhost";
+	allow-update { none; };
+};
+
+zone "localhost" IN {
+	type primary;
+	file "named.localhost";
+	allow-update { none; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+	type primary;
+	file "named.loopback";
+	allow-update { none; };
+};
+
+zone "1.0.0.127.in-addr.arpa" IN {
+	type primary;
+	file "named.loopback";
+	allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+	type primary;
+	file "named.empty";
+	allow-update { none; };
+};

SOURCES/named.root

@@ -0,0 +1,92 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:     December 20, 2023
+;       related version of root zone:     2023122001
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
+B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file

SOURCES/named.root.key

@@ -0,0 +1,13 @@
+trust-anchors {
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # This key (20326) was published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};

SOURCES/named.rwtab

@@ -0,0 +1,6 @@
+dirs    /var/named
+
+files	/var/named/named.ca
+files	/var/named/named.empty
+files	/var/named/named.localhost
+files	/var/named/named.loopback

SOURCES/named.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+Restart=on-abnormal
+
+[Install]
+WantedBy=multi-user.target

SOURCES/named.sysconfig

@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever"     --  These additional options will be passed to named
+#                            at startup. Don't add -t here, enable proper
+#                            -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+#                        --  Don't use -c to change configuration file.
+#                            Extend systemd named.service instead or use this
+#                            variable.
+#
+# DISABLE_ZONE_CHECKING  --  By default, service file calls named-checkzone
+#                            utility for every zone to ensure all zones are
+#                            valid before named starts. If you set this option
+#                            to 'yes' then service file doesn't perform those
+#                            checks.

SOURCES/setup-named-chroot.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+ROOTDIR="$1"
+CONFIG_FILES="${3:-/etc/named-chroot.files}"
+
+usage()
+{
+  echo
+  echo 'This script setups chroot environment for BIND'
+  echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
+}
+
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
+  echo 'Wrong number of arguments'
+  usage
+  exit 1
+fi
+
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+  echo "Root directory $ROOTDIR doesn't exist"
+  usage
+  exit 1
+fi
+
+if ! [ -r "$CONFIG_FILES" ]; then
+  echo "Files list $CONFIG_FILES doesn't exist" 2>&1
+  usage
+  exit 1
+fi
+
+dev_create()
+{
+  DEVNAME="$ROOTDIR/dev/$1"
+  shift
+  if ! [ -e "$DEVNAME" ]; then
+    /bin/mknod -m 0664 "$DEVNAME" $@
+    /bin/chgrp named "$DEVNAME"
+    if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+      /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+    fi
+  fi
+}
+
+dev_chroot_prep()
+{
+  dev_create random  c 1 8
+  dev_create urandom c 1 9
+  dev_create zero    c 1 5
+  dev_create null    c 1 3
+}
+
+files_comment_filter()
+{
+  if [ -d "$1" ]; then
+    grep -v '^[[:space:]]*#' "$1"/*.files
+  else
+    grep -v '^[[:space:]]*#' "$1"
+  fi
+}
+
+mount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    # Check devices are prepared
+    dev_chroot_prep
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
+      # Skip nonexistant files
+      [ -e "$all" ] || continue
+
+      # If mount source is a file
+      if ! [ -d "$all" ]; then
+        # mount it only if it is not present in chroot or it is empty
+        if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+          touch "$ROOTDIR$all"
+          mount --bind "$all" "$ROOTDIR$all"
+        fi
+      else
+        # Mount source is a directory. Mount it only if directory in chroot is
+        # empty.
+        if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+          mount --bind --make-private "$all" "$ROOTDIR$all"
+        fi
+      fi
+    done
+  fi
+}
+
+umount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
+      # Check if file is mount target. Do not use /proc/mounts because detecting
+      # of modified mounted files can fail.
+      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+        umount "$ROOTDIR$all"
+        # Remove temporary created files
+        [ -f "$all" ] && rm -f "$ROOTDIR$all"
+      fi
+    done
+  fi
+}
+
+case "$2" in
+  on)
+    mount_chroot_conf
+    ;;
+  off)
+    umount_chroot_conf
+    ;;
+  *)
+    echo 'Second argument has to be "on" or "off"'
+    usage
+    exit 1
+esac
+
+exit 0

SOURCES/setup-named-softhsm.sh

@@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Quotes around eval are mandatory!
+# Recommended use:
+# eval "$(bash setup-named-softhsm.sh -A)"
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+	echo "#" $@
+}
+
+random()
+{
+	if [ -x "$(which openssl 2>/dev/null)" ]; then
+		openssl rand -base64 $1
+	else
+		dd if=/dev/urandom bs=1c count=$1 | base64
+	fi
+}
+
+usage()
+{
+	echo "Usage: $0 -A [token directory] [group]"
+	echo "   or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+	usage >&2
+	exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+	# Automagic mode instead
+	MODE=secure
+	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+	PIN_SOURCE="$TOKENPATH/pin"
+	SOPIN_SOURCE="$TOKENPATH/so-pin"
+	TOKENPATH="$TOKENPATH/tokens"
+else
+	MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat  << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+	echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+	touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+	if [ -n "$GROUPNAME" ]; then
+		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+	fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+	echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+	PIN=$(random 6)
+	SO_PIN=$(random 18)
+	if [ -n "$PIN_SOURCE" ]; then
+		echo -n "$PIN" > "$PIN_SOURCE"
+		echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+	fi
+
+	echo_i "Initializing tokens to ${TOKENPATH}..."
+	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+	if [ -n "$GROUPNAME" ]; then
+		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+		chmod -R -- g=rX,o= "$TOKENPATH"
+	fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""

SOURCES/trusted-key.key

@@ -0,0 +1 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=