Project import/bind - Diff 1fca60d876...d5fe0dbac2

... ... --- a/.abf.yml
... ... +++ b/.abf.yml
... ... @@ -1,7 +1,3 @@
1 1
sources:
2
  bind-9.11.26.tar.gz: 14064c865920842e48f444be2bda9dc91770e439
3
  bind-dhcp-dynamic-dns-examples.tar.bz2: d33980aad3e0380fc89f8346ab37786d39157696
4
  bind-manpages.tar.bz2: 4b08b3d62490f536ae52c34cfab1343d01b326c6
5
  bind-sdb-ldap-1.0.tar.bz2: 7e928238c01d2402c4ec6500a8dd6e4063e32aa1
6
  mysql-bind.tar.gz: 77ecec4b2108ce79e42da2eaf95ac1a0a2f22bdf
7
  random.data: a164fcad1d64d6b5fab5034928cb7260f1fa8fdd
2
  bind-9.16.35.tar.xz: ead745cfa0e8beb358339b30385fcd0332d79454
3
  codesign2021.txt: 501a6f1178184653f288a79071c9abed8d09cb67
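Review bot: The two new `sources:` entries pin `bind-9.16.35.tar.xz` and `codesign2021.txt` by 40-hex-character digests only, and nothing in this hunk shows the tarball's signature being checked. `codesign2021.txt`, which by its name looks like the upstream code-signing key, only adds assurance if the spec verifies a detached signature with it during %prep. Please confirm that step exists, and that the digest recorded for the key file was compared against a copy obtained independently of the tarball.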
... ... --- a/.gitignore
... ... +++ /dev/null
... ... @@ -1,7 +0,0 @@
0
*.tar.gz
1
*.tar.gz.asc
2
*.tar.bz2
3
*.tar.bz2.asc
4
*.rpm
5
*~
6
BUILD
\ No newline at end of file
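Review bot: Deleting `.gitignore` outright drops the `*.tar.gz`, `*.tar.bz2`, `*.rpm` and `BUILD` patterns, so source tarballs and build output left in a working tree become candidates for an accidental `git add`. The new upstream tarball in `.abf.yml` is a `.tar.xz`, which the old patterns did not cover either; consider keeping the file and adding `*.tar.xz` rather than removing it.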
... ... --- a/README.sdb_pgsql
... ... +++ /dev/null
... ... @@ -1,79 +0,0 @@
0
			PGSQL BIND SDB driver
1
2
The postgresql BIND SDB driver is of experimental status and should not be 
3
used for production systems.
4
5
Usage:
6
7
o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
8
9
o Edit your named.conf to contain a database zone, eg. :
10
  
11
zone "pgdb.net." IN {
12
        type master;
13
        database "pgsql  bind        pgdb     localhost pguser pgpasswd";
14
        #                ^- DB name  ^-Table  ^-host    ^-user ^-password
15
};
16
17
o Create the database zone table
18
  The table must contain the columns "name", "rdtype", and "rdata", and
19
  is expected to contain a properly constructed zone.  The program "zonetodb"
20
  creates such a table.
21
  
22
  zonetodb usage:
23
    
24
    zonetodb origin file dbname dbtable
25
26
    where
27
	origin : zone origin, eg "pgdb.net."
28
	file   : master zone database file, eg. pgdb.net.db
29
	dbname : name of postgresql database 
30
        dbtable: name of table in database
31
32
    Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database 
33
        'pgdb' table:
34
35
---
36
#pgdb.net.db:
37
$TTL 1H
38
@       SOA     localhost.      root.localhost. (       1
39
                                                3H
40
                                                1H
41
                                                1W
42
                                                1H )
43
        NS      localhost.
44
host1   A       192.168.2.1
45
host2   A       192.168.2.2
46
host3   A       192.168.2.3
47
host4   A       192.168.2.4
48
host5   A       192.168.2.5
49
host6   A       192.168.2.6
50
host7   A       192.168.2.7
51
---
52
53
Issue this command as the pgsql user authorized to update the bind database:
54
 
55
# zonetodb pgdb.net. pgdb.net.db bind pgdb
56
57
will create / update the pgdb table in the 'bind' db:
58
59
$ psql -dbind -c 'select * from pgdb;'
60
      name      | ttl  | rdtype |                        rdata
61
----------------+------+--------+-----------------------------------------------------
62
 pgdb.net       | 3600 | SOA    | localhost. root.localhost. 1 10800 3600 604800 3600
63
 pgdb.net       | 3600 | NS     | localhost.
64
 host1.pgdb.net | 3600 | A      | 192.168.2.1
65
 host2.pgdb.net | 3600 | A      | 192.168.2.2
66
 host3.pgdb.net | 3600 | A      | 192.168.2.3
67
 host4.pgdb.net | 3600 | A      | 192.168.2.4
68
 host5.pgdb.net | 3600 | A      | 192.168.2.5
69
 host6.pgdb.net | 3600 | A      | 192.168.2.6
70
 host7.pgdb.net | 3600 | A      | 192.168.2.7
71
(9 rows)
72
73
I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
74
75
NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
76
      service .
77
78
USE AT YOUR OWN RISK!
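Review bot: Nothing replaces the upgrade guidance lost with `README.sdb_pgsql`, the only visible description of `ENABLE_SDB=yes` and the `database "pgsql ..."` zone syntax. Together with the removal of `bind-sdb-ldap-1.0.tar.bz2` and `mysql-bind.tar.gz` from `.abf.yml`, this suggests SDB support is being dropped, so the package changelog should say whether such zones are still supported after the update. The documented `database` string also carried the PostgreSQL password in `named.conf`; a reminder to remove that line from old configurations would fit in the same note.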
... ... --- a/bind-9.10-dist-native-pkcs11.patch
... ... +++ b/bind-9.10-dist-native-pkcs11.patch
... ... @@ -1,68 +1,107 @@
1
From 1cbffe7e8b5bced9134abbae23a2a20c83d39a6a Mon Sep 17 00:00:00 2001
2
From: Petr Mensik <pemensik@redhat.com>
3
Date: Thu, 21 Jan 2021 10:46:20 +0100
4
Subject: [PATCH] Enable custom pkcs11 native build
5
6
Share common parts like libisc, libcc and others. But provide native
7
pkcs11 libraries as a new copy of libdns and libns.
8
---
9
 bin/Makefile.in                  |  2 +-
10
 bin/confgen/Makefile.in          |  2 +-
11
 bin/dnssec-pkcs11/Makefile.in    | 39 +++++++++++++++++---------------
12
 bin/named-pkcs11/Makefile.in     | 31 +++++++++++++------------
13
 configure.ac                     | 19 ++++++++++++++++
14
 lib/Makefile.in                  |  2 +-
15
 lib/dns-pkcs11/Makefile.in       | 22 +++++++++---------
16
 lib/dns-pkcs11/tests/Makefile.in |  8 +++----
17
 lib/ns-pkcs11/Makefile.in        | 26 ++++++++++-----------
18
 lib/ns-pkcs11/tests/Makefile.in  | 12 +++++-----
19
 make/includes.in                 |  7 ++++++
20
 11 files changed, 100 insertions(+), 70 deletions(-)
21
1 22
diff --git a/bin/Makefile.in b/bin/Makefile.in
2
index f0c504a..ce7a2da 100644
23
index 9ad7f62..094775a 100644
3 24
--- a/bin/Makefile.in
4 25
+++ b/bin/Makefile.in
5
@@ -11,8 +11,8 @@ srcdir =	@srcdir@
26
@@ -11,7 +11,7 @@ srcdir =	@srcdir@
6 27
 VPATH =		@srcdir@
7 28
 top_srcdir =	@top_srcdir@
8 29
 
9 30
-SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
10
-		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
11
+SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
12
+		check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
31
+SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
32
 		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
13 33
 TARGETS =
14 34
 
15
 @BIND9_MAKE_RULES@
35
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
36
index c126bf3..1b7512d 100644
37
--- a/bin/confgen/Makefile.in
38
+++ b/bin/confgen/Makefile.in
39
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
40
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
41
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
42
 
43
-CDEFINES = @USE_PKCS11@
44
+CDEFINES =
45
 CWARNINGS =
46
 
47
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
16 48
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
17
index 4b8ca13..32f4470 100644
49
index ace0e5a..e0f6a00 100644
18 50
--- a/bin/dnssec-pkcs11/Makefile.in
19 51
+++ b/bin/dnssec-pkcs11/Makefile.in
20 52
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
21 53
 
22 54
 @BIND9_MAKE_INCLUDES@
23 55
 
24
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
25
+CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
56
-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
57
+CINCLUDES =	${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
58
 		${OPENSSL_CFLAGS}
26 59
 
27
-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
28
-		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
29
+CDEFINES =	-DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
30
+		@CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
60
-CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
61
+CDEFINES =	-DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
31 62
 CWARNINGS =
32 63
 
33
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
34
-ISCLIBS =	../../lib/isc/libisc.@A@
35
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
36
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
37
+ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
38
+ISCNOSYMLIBS =	../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
64
-DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
65
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
66
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
67
 ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
68
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
39 69
 
40 70
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
41
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
42 71
+DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
43
+ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
72
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
73
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
44 74
 
45
 DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
75
@@ -36,12 +36,15 @@ LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
46 76
 
47
@@ -35,10 +35,10 @@ LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
48
 NOSYMLIBS =	${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
77
 NOSYMLIBS =	${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
49 78
 
79
+# Add suffix to all targets
80
+EXEEXT =	-pkcs11@EXEEXT@
81
+
50 82
 # Alphabetically
51
-TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
52
-		dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
53
-		dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
54
-		dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
55
+TARGETS =	dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
56
+		dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
57
+		dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
58
+		dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
83
-TARGETS =	dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
84
-		dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
85
-		dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
86
-		dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
87
-		dnssec-verify@EXEEXT@
88
+TARGETS =	dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
89
+		dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
90
+		dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
91
+		dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
92
+		dnssec-verify${EXEEXT}
59 93
 
60 94
 OBJS =		dnssectool.@O@
61 95
 
62
@@ -59,15 +59,15 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
96
@@ -52,19 +55,19 @@ SRCS =		dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
63 97
 
64 98
 @BIND9_MAKE_RULES@
65 99
 
100
-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
101
+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
102
 	export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
103
 	${FINALBUILDCMD}
104
 
66 105
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
67 106
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
68 107
 	export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
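Review bot: In the `bin/dnssec-pkcs11/Makefile.in` section, `TARGETS` now depends on the overridden `EXEEXT = -pkcs11@EXEEXT@`, while the link rules below it still spell the suffix out by hand as `dnssec-cds-pkcs11@EXEEXT@:` and `dnssec-dsfromkey-pkcs11@EXEEXT@:`. Both forms expand to the same name, but a tool added to `TARGETS` later gets no matching rule unless someone remembers the second spelling; writing the rule targets as `dnssec-cds${EXEEXT}:` would keep a single source of truth. Overriding `EXEEXT` also affects every other use of it in this Makefile, so the install and clean rules are worth a check.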
... ... @@ -78,7 +117,7 @@ index 4b8ca13..32f4470 100644
117 117
 	export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
118 118
 	${FINALBUILDCMD}
119 119
 
120
@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
120
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
121 121
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
122 122
 		-c ${srcdir}/dnssec-signzone.c
123 123
 
... ... @@ -87,7 +126,7 @@ index 4b8ca13..32f4470 100644
126 126
 	export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
127 127
 	${FINALBUILDCMD}
128 128
 
129
@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
129
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
130 130
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
131 131
 		-c ${srcdir}/dnssec-verify.c
132 132
 
... ... @@ -111,117 +150,70 @@ index 4b8ca13..32f4470 100644
150 150
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
151 151
 	dnssec-importkey.@O@ ${OBJS} ${LIBS}
152 152
 
153
@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
154
 
155
 installdirs:
156
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
157
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
158
 
159
 install-man8: ${MANPAGES}
160
 	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
161
 
162
-install:: ${TARGETS} installdirs install-man8
163
+install:: ${TARGETS} installdirs
164
 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
165
 
166
 uninstall::
167
-	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
168
 	for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
169
 
170
 clean distclean::
171
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
172
index 4b8ca13..4175996 100644
173
--- a/bin/dnssec/Makefile.in
174
+++ b/bin/dnssec/Makefile.in
175
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
176
 
177
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
178
 
179
-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
180
+CDEFINES =	-DVERSION=\"${VERSION}\" \
181
 		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
182
 CWARNINGS =
183
 
184 153
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
185
index 70e5571..b5a4a6b 100644
154
index debb906..ecfdb6c 100644
186 155
--- a/bin/named-pkcs11/Makefile.in
187 156
+++ b/bin/named-pkcs11/Makefile.in
188
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
189
 DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
157
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
190 158
 
191
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
192
-		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
193
-		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
194
+		${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
195
+		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
196
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
197
 		@DST_OPENSSL_INC@
159
 DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
198 160
 
199
-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
200
+CDEFINES =      @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
161
-DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
162
-DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
163
-DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
164
-DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
165
+# Skip building on PKCS11 variant
166
+DLZDRIVER_OBJS =
167
+DLZDRIVER_SRCS =
168
+DLZDRIVER_INCLUDES =
169
+DLZDRIVER_LIBS =
170
 
171
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
172
-		${NS_INCLUDES} ${DNS_INCLUDES} \
173
+		${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
174
 		${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
175
 		${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
176
 		${DBDRIVER_INCLUDES} \
177
@@ -56,24 +57,24 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
178
 		${LIBXML2_CFLAGS} \
179
 		${MAXMINDDB_CFLAGS}
180
 
181
-CDEFINES =      @CONTRIB_DLZ@
182
+CDEFINES =
201 183
 
202 184
 CWARNINGS =
203 185
 
204
-DNSLIBS =	../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
205
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
186
-DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
187
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
206 188
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
207 189
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
208
-ISCLIBS =	../../lib/isc/libisc.@A@
209
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@
210
+ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
211
+ISCNOSYMLIBS =	../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
212
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
190
 ISCLIBS =	../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
191
 ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
213 192
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
193
-NSLIBS =	../../lib/ns/libns.@A@
194
+NSLIBS =	../../lib/ns-pkcs11/libns-pkcs11.@A@
214 195
 
215 196
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
216 197
+DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
217 198
 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
218 199
 ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
219
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
220
+ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
221
 LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
200
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
222 201
 BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
202
-NSDEPLIBS =	../../lib/ns/libns.@A@
203
+NSDEPLIBS =	../../lib/ns-pkcs11/libns-pkcs11.@A@
223 204
 
224
@@ -72,15 +72,15 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
225
 
226
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
227
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
228
-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
229
+		@LIBS@
230
 
231
 NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
232
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
233
-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
234
+		@LIBS@
205
 DEPLIBS =	${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
206
 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
207
@@ -93,7 +94,7 @@ NOSYMLIBS =	${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
235 208
 
236 209
 SUBDIRS =	unix
237 210
 
238
-TARGETS =	named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
239
+TARGETS =	named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
211
-TARGETS =	named@EXEEXT@
212
+TARGETS =	named-pkcs11@EXEEXT@
240 213
 
241
 GEOIPLINKOBJS = geoip.@O@
242 214
 GEOIP2LINKOBJS = geoip.@O@
243
@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
244
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
245
 		zoneconf.@O@ \
246
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
247
-		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
248
-		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
249
+        lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
250
 
251
 UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
252
 
253
@@ -113,8 +112,7 @@ SRCS =		builtin.c client.c config.c control.c \
254
 		tkeyconf.c tsigconf.c update.c xfrout.c \
255
 		zoneconf.c \
256
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
257
-		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
258
-		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
259
+        lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
260
 
261
 MANPAGES =	named.8 lwresd.8 named.conf.5
262
 
263
@@ -154,21 +152,21 @@ server.@O@: server.c
215
 
216
@@ -151,7 +152,7 @@ server.@O@: server.c
264 217
 		-DPRODUCT=\"${PRODUCT}\" \
265 218
 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
266 219
 
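Review bot: In the `bin/named-pkcs11/Makefile.in` section the new `CDEFINES =` is left empty, whereas `bin/dnssec-pkcs11/Makefile.in` gains a literal `-DUSE_PKCS11=1` and `lib/dns-pkcs11/Makefile.in` uses the `@USE_PKCS11@` substitution. If any source compiled for `named-pkcs11` is conditional on `USE_PKCS11`, it is built exactly as in the regular daemon while being linked against `libdns-pkcs11` and `libns-pkcs11`. Please confirm that is intended, and settle on one of the two ways of setting the define so the PKCS#11 variant does not depend on how configure was invoked.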
... ... @@ -230,85 +222,29 @@ index 70e5571..b5a4a6b 100644
222 222
 	export MAKE_SYMTABLE="yes"; \
223 223
 	export BASEOBJS="${OBJS} ${UOBJS}"; \
224 224
 	${FINALBUILDCMD}
225
@@ -170,11 +171,11 @@ statschannel.@O@: bind9.xsl.h
226
 installdirs:
227
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
225 228
 
226
-lwresd@EXEEXT@: named@EXEEXT@
227
+lwresd@EXEEXT@: named-pkcs11@EXEEXT@
228
 	rm -f lwresd@EXEEXT@
229
-	@LN@ named@EXEEXT@ lwresd@EXEEXT@
230
+	@LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
231
 
232
 # Bit of hack, do not produce intermediate .o object for featuretest
233
 feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
234
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
235
 		-c ${top_srcdir}/bin/tests/system/feature-test.c
236
 
237
-feature-test@EXEEXT@: feature-test.@O@
238
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
239
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
240
 		-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
241
 
242
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
243
 
244
 install-man: install-man5 install-man8
245
 
246
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
229
-install:: named@EXEEXT@ installdirs
247 230
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
248
-	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
249 231
+install:: named-pkcs11@EXEEXT@ installdirs
250 232
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
251 233
 
252 234
 uninstall::
253
-	rm -f ${DESTDIR}${mandir}/man5/named.conf.5
254
-	rm -f ${DESTDIR}${mandir}/man8/lwresd.8
255
-	rm -f ${DESTDIR}${mandir}/man8/named.8
256
-	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
257 235
-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
258 236
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
259 237
 
260 238
 @DLZ_DRIVER_RULES@
261 239
 
262
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
263
index 70e5571..4cfed4d 100644
264
--- a/bin/named/Makefile.in
265
+++ b/bin/named/Makefile.in
266
@@ -48,7 +48,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
267
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
268
 		@DST_OPENSSL_INC@
269
 
270
-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
271
+CDEFINES =      @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
272
 
273
 CWARNINGS =
274
 
275
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
276
index a058c91..d4b689a 100644
277
--- a/bin/pkcs11/Makefile.in
278
+++ b/bin/pkcs11/Makefile.in
279
@@ -15,13 +15,13 @@ top_srcdir =	@top_srcdir@
280
 
281
 @BIND9_MAKE_INCLUDES@
282
 
283
-CINCLUDES =	${ISC_INCLUDES}
284
+CINCLUDES =	${ISC_PKCS11_INCLUDES}
285
 
286
 CDEFINES =
287
 
288
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
289
+ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
290
 
291
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
292
+ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
293
 
294
 DEPLIBS =	${ISCDEPLIBS}
295
 
296 240
diff --git a/configure.ac b/configure.ac
297
index 9b7d778..59ba20b 100644
241
index e405eaf..efaa5a7 100644
298 242
--- a/configure.ac
299 243
+++ b/configure.ac
300
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
244
@@ -1269,12 +1269,14 @@ AC_SUBST(USE_GSSAPI)
301 245
 AC_SUBST(DST_GSSAPI_INC)
302 246
 AC_SUBST(DNS_GSSAPI_LIBS)
303
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
247
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
304 248
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
305 249
 
306 250
 #
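Review bot: In the `configure.ac` hunk at `@@ -1269,12 +1269,14 @@`, the line `DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"` appends to a variable that no visible line initialises, and the `DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"` assignment carried by the previous revision of this patch has been dropped. As written, a `DNS_CRYPTO_PK11_LIBS` value inherited from the build environment would reach the `libdns-pkcs11` link line through `@DNS_CRYPTO_PK11_LIBS@`. Give the variable an explicit starting value before this line.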
... ... @@ -319,98 +255,47 @@ index 9b7d778..59ba20b 100644
255 255
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
256 256
 
257 257
 #
258
 # was --with-randomdev specified?
259
@@ -1496,12 +1498,12 @@ AC_ARG_ENABLE(openssl-hash,
260
 AC_MSG_CHECKING(for OpenSSL library)
261
 OPENSSL_WARNING=
262
 openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
263
-if test "yes" = "$want_native_pkcs11"
264
-then
265
-	use_openssl="native_pkcs11"
266
-	want_openssl_hash="no"
267
-	AC_MSG_RESULT(use of native PKCS11 instead)
268
-fi
269
+# if test "yes" = "$want_native_pkcs11"
270
+# then
271
+# 	use_openssl="native_pkcs11"
272
+# 	want_openssl_hash="no"
273
+# 	AC_MSG_RESULT(use of native PKCS11 instead)
274
+# fi
275
 
276
 if test "auto" = "$use_openssl"
277
 then
278
@@ -1511,6 +1513,7 @@ then
279
 		fi
280
 	done
258
 # was --with-lmdb specified?
259
@@ -2345,6 +2347,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
260
 AC_SUBST(BIND9_NS_BUILDINCLUDE)
261
 AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
262
 AC_SUBST(BIND9_IRS_BUILDINCLUDE)
263
+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
264
+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
265
 if test "X$srcdir" != "X"; then
266
 	BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
267
 	BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
268
@@ -2353,6 +2357,8 @@ if test "X$srcdir" != "X"; then
269
 	BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
270
 	BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
271
 	BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
272
+	BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
273
+	BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
274
 else
275
 	BIND9_ISC_BUILDINCLUDE=""
276
 	BIND9_ISCCC_BUILDINCLUDE=""
277
@@ -2361,6 +2367,8 @@ else
278
 	BIND9_NS_BUILDINCLUDE=""
279
 	BIND9_BIND9_BUILDINCLUDE=""
280
 	BIND9_IRS_BUILDINCLUDE=""
281
+	BIND9_DNS_PKCS11_BUILDINCLUDE=""
282
+	BIND9_NS_PKCS11_BUILDINCLUDE=""
281 283
 fi
282
+CRYPTO_PK11=""
283
 OPENSSL_ECDSA=""
284
 OPENSSL_GOST=""
285
 OPENSSL_ED25519=""
286
@@ -1532,11 +1535,10 @@ case "$with_gost" in
287
 		;;
288
 esac
289
 
290
-case "$use_openssl" in
291
-	native_pkcs11)
292
-		AC_MSG_RESULT(disabled because of native PKCS11)
293
+if test "$want_native_pkcs11" = "yes"
294
+then
295
 		DST_OPENSSL_INC=""
296
-		CRYPTO="-DPKCS11CRYPTO"
297
+		CRYPTO_PK11="-DPKCS11CRYPTO"
298
 		CRYPTOLIB="pkcs11"
299
 		OPENSSLECDSALINKOBJS=""
300
 		OPENSSLECDSALINKSRCS=""
301
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
302
 		OPENSSLGOSTLINKSRCS=""
303
 		OPENSSLLINKOBJS=""
304
 		OPENSSLLINKSRCS=""
305
-		;;
306
+fi
307
+
308
+case "$use_openssl" in
309
 	no)
310
 		AC_MSG_RESULT(no)
311
 		DST_OPENSSL_INC=""
312
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
313
 If you do not want OpenSSL, use --without-openssl])
314
 		;;
315
 	*)
316
-		if test "yes" = "$want_native_pkcs11"
317
+		if false # test "yes" = "$want_native_pkcs11"
318
 		then
319
 			AC_MSG_RESULT()
320
 			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
321
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
322
 AC_SUBST(OPENSSL_GOST)
323
 
324
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
325
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
326
 
327
 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
328
 if test "yes" = "$with_aes"
329
@@ -2291,6 +2296,7 @@ esac
330
 AC_SUBST(PKCS11LINKOBJS)
331
 AC_SUBST(PKCS11LINKSRCS)
332
 AC_SUBST(CRYPTO)
333
+AC_SUBST(CRYPTO_PK11)
334
 AC_SUBST(PKCS11_ECDSA)
335
 AC_SUBST(PKCS11_GOST)
336
 AC_SUBST(PKCS11_ED25519)
337
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
284
 
285
 AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
286
@@ -2816,8 +2824,11 @@ AC_CONFIG_FILES([
338 287
 	bin/delv/Makefile
339 288
 	bin/dig/Makefile
340 289
 	bin/dnssec/Makefile
341
+	bin/dnssec-pkcs11/Makefile	
290
+	bin/dnssec-pkcs11/Makefile
342 291
 	bin/named/Makefile
343 292
 	bin/named/unix/Makefile
344 293
+	bin/named-pkcs11/Makefile
345 294
+	bin/named-pkcs11/unix/Makefile
346 295
 	bin/nsupdate/Makefile
347 296
 	bin/pkcs11/Makefile
348
 	bin/python/Makefile
349
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
297
 	bin/plugins/Makefile
298
@@ -2879,6 +2890,10 @@ AC_CONFIG_FILES([
350 299
 	lib/dns/include/dns/Makefile
351 300
 	lib/dns/include/dst/Makefile
352 301
 	lib/dns/tests/Makefile
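Review bot: The `AC_CONFIG_FILES` additions here (`bin/dnssec-pkcs11/Makefile`, `bin/named-pkcs11/Makefile`, `bin/named-pkcs11/unix/Makefile`) assume directories that this patch never creates: its diffstat lists only `Makefile.in` files, `configure.ac` and `make/includes.in`. The header says only that the native libraries are provided "as a new copy of libdns and libns". State in the patch description which directories must be copied before it is applied, and that `lib/isc-pkcs11` is no longer one of them, so the ordering in the spec is not left to guesswork.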
... ... @@ -421,73 +306,54 @@ index 9b7d778..59ba20b 100644
306 306
 	lib/irs/Makefile
307 307
 	lib/irs/include/Makefile
308 308
 	lib/irs/include/irs/Makefile
309
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
310
 	lib/isc/unix/include/Makefile
311
 	lib/isc/unix/include/isc/Makefile
312
 	lib/isc/unix/include/pkcs11/Makefile
313
+	lib/isc-pkcs11/$arch/Makefile
314
+	lib/isc-pkcs11/$arch/include/Makefile
315
+	lib/isc-pkcs11/$arch/include/isc/Makefile
316
+	lib/isc-pkcs11/$thread_dir/Makefile
317
+	lib/isc-pkcs11/$thread_dir/include/Makefile
318
+	lib/isc-pkcs11/$thread_dir/include/isc/Makefile
319
+	lib/isc-pkcs11/Makefile
320
+	lib/isc-pkcs11/include/Makefile
321
+	lib/isc-pkcs11/include/isc/Makefile
322
+	lib/isc-pkcs11/include/isc/platform.h
323
+	lib/isc-pkcs11/include/pk11/Makefile
324
+	lib/isc-pkcs11/include/pkcs11/Makefile
325
+	lib/isc-pkcs11/tests/Makefile
326
+	lib/isc-pkcs11/nls/Makefile
327
+	lib/isc-pkcs11/unix/Makefile
328
+	lib/isc-pkcs11/unix/include/Makefile
329
+	lib/isc-pkcs11/unix/include/isc/Makefile
330
+	lib/isc-pkcs11/unix/include/pkcs11/Makefile
331
 	lib/isccc/Makefile
332
 	lib/isccc/include/Makefile
333
 	lib/isccc/include/isccc/Makefile
309
@@ -2911,6 +2926,10 @@ AC_CONFIG_FILES([
310
 	lib/ns/include/Makefile
311
 	lib/ns/include/ns/Makefile
312
 	lib/ns/tests/Makefile
313
+	lib/ns-pkcs11/Makefile
314
+	lib/ns-pkcs11/include/Makefile
315
+	lib/ns-pkcs11/include/ns/Makefile
316
+	lib/ns-pkcs11/tests/Makefile
317
 	make/Makefile
318
 	make/mkdep
319
 	unit/unittest.sh
334 320
diff --git a/lib/Makefile.in b/lib/Makefile.in
335
index 81270a0..bcb5312 100644
321
index 833964e..058ba2f 100644
336 322
--- a/lib/Makefile.in
337 323
+++ b/lib/Makefile.in
338 324
@@ -15,7 +15,7 @@ top_srcdir =	@top_srcdir@
339 325
 # Attempt to disable parallel processing.
340 326
 .NOTPARALLEL:
341 327
 .NO_PARALLEL:
342
-SUBDIRS =	isc isccc dns isccfg bind9 lwres irs samples
343
+SUBDIRS =	isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
328
-SUBDIRS =	isc isccc dns ns isccfg bind9 irs
329
+SUBDIRS =	isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
344 330
 TARGETS =
345 331
 
346 332
 @BIND9_MAKE_RULES@
347 333
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
348
index 7f09bd6..c388d9e 100644
334
index 58bda3c..d6a45df 100644
349 335
--- a/lib/dns-pkcs11/Makefile.in
350 336
+++ b/lib/dns-pkcs11/Makefile.in
351
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
337
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
352 338
 
353
 USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
339
 @BIND9_MAKE_INCLUDES@
354 340
 
355 341
-CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
356
-		${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
357
-		@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
358 342
+CINCLUDES =	-I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
359
+		${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
343
 		${ISC_INCLUDES} \
344
 		${FSTRM_CFLAGS} \
345
 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
346
@@ -32,7 +32,7 @@ CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
347
 		${LMDB_CFLAGS} \
348
 		${MAXMINDDB_CFLAGS}
360 349
 
361
-CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
362
+CDEFINES =	-DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
350
-CDEFINES =	@USE_GSSAPI@
351
+CDEFINES =	@USE_GSSAPI@ @USE_PKCS11@
363 352
 
364 353
 CWARNINGS =
365 354
 
366
-ISCLIBS =	../../lib/isc/libisc.@A@
367
+ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
368
 
369
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
370
+ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
371
 
372
 LIBS =		${MAXMINDDB_LIBS} @LIBS@
373
 
374
@@ -150,15 +149,15 @@ version.@O@: version.c
375
 		-DLIBAGE=${LIBAGE} \
355
@@ -135,15 +135,15 @@ version.@O@: version.c
356
 		-DMAPAPI=\"${MAPAPI}\" \
376 357
 		-c ${srcdir}/version.c
377 358
 
378 359
-libdns.@SA@: ${OBJS}
... ... @@ -500,13 +366,13 @@ index 7f09bd6..c388d9e 100644
366 366
 	${LIBTOOL_MODE_LINK} \
367 367
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
368 368
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
369
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
369
 		-release "${VERSION}" \
370 370
-		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
371 371
+		${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
372 372
 
373 373
 include: gen
374 374
 	${MAKE} include/dns/enumtype.h
375
@@ -189,22 +188,22 @@ gen: gen.c
375
@@ -174,22 +174,22 @@ gen: gen.c
376 376
 	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
377 377
 	${BUILD_LIBS} ${LFS_LIBS}
378 378
 
... ... @@ -534,89 +400,142 @@ index 7f09bd6..c388d9e 100644
400 400
 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
401 401
 	rm -f include/dns/rdatastruct.h
402 402
 	rm -f dnstap.pb-c.c dnstap.pb-c.h
403
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
404
index 8ad54bb..a3ecdfb 100644
405
--- a/lib/isc-pkcs11/Makefile.in
406
+++ b/lib/isc-pkcs11/Makefile.in
407
@@ -23,8 +23,8 @@ CINCLUDES =	-I${srcdir}/unix/include \
408
 		-I${srcdir}/@ISC_THREAD_DIR@/include \
409
 		-I${srcdir}/@ISC_ARCH_DIR@/include \
410
 		-I./include \
411
-		-I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
412
-CDEFINES =	@CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
413
+		-I${srcdir}/include ${DNS_PKCS11_INCLUDES}
414
+CDEFINES =	@CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
403
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
404
index da91394..aadb73f 100644
405
--- a/lib/dns-pkcs11/tests/Makefile.in
406
+++ b/lib/dns-pkcs11/tests/Makefile.in
407
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
408
 
409
 @BIND9_MAKE_INCLUDES@
410
 
411
-CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
412
+CINCLUDES =	-I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
413
 		${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
414
 		${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
415
-CDEFINES =	-DTESTS="\"${top_builddir}/lib/dns/tests/\""
416
+CDEFINES =	@USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
417
 
418
 ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
419
 ISCDEPLIBS =	../../isc/libisc.@A@
420
-DNSLIBS =	../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
421
-DNSDEPLIBS =	../libdns.@A@
422
+DNSLIBS =	../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
423
+DNSDEPLIBS =	../libdns-pkcs11.@A@
424
 
425
 LIBS =		@LIBS@ @CMOCKA_LIBS@
426
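Review bot: In this hunk `CDEFINES` gains `@USE_PKCS11@` and `DNSLIBS`/`DNSDEPLIBS` move to `../libdns-pkcs11.@A@`, but the unchanged `ISCLIBS` and `ISCDEPLIBS` lines still point at `../../isc/libisc.@A@`. If one libisc is meant to serve both variants, say so in a comment next to `ISCLIBS`; otherwise the test binaries mix the PKCS#11 build of libdns with the default libisc.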
 
427
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
428
index bc683ce..7a9d2f2 100644
429
--- a/lib/ns-pkcs11/Makefile.in
430
+++ b/lib/ns-pkcs11/Makefile.in
431
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
432
 
433
 @BIND9_MAKE_INCLUDES@
434
 
435
-CINCLUDES =	-I. -I${top_srcdir}/lib/ns -Iinclude \
436
-		${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
437
+CINCLUDES =	-I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
438
+		${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
439
 		${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
440
 		${FSTRM_CFLAGS}
441
 
442
-CDEFINES =	-DNAMED_PLUGINDIR=\"${plugindir}\"
443
+CDEFINES =	@USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
444
 
415 445
 CWARNINGS =
416 446
 
417
 # Alphabetically
418
@@ -103,40 +103,40 @@ version.@O@: version.c
419
 		-DLIBAGE=${LIBAGE} \
420
 		-c ${srcdir}/version.c
447
@@ -29,9 +29,9 @@ ISCLIBS =	../../lib/isc/libisc.@A@
421 448
 
422
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
423
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
424
 	${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
425
 	${RANLIB} $@
449
 ISCDEPLIBS =	../../lib/isc/libisc.@A@
450
 
451
-DNSLIBS =	../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
452
+DNSLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
453
 
454
-DNSDEPLIBS =	../../lib/dns/libdns.@A@
455
+DNSDEPLIBS =	../../lib/dns-pkcs11/libdns-pkcs11.@A@
456
 
457
 LIBS =		@LIBS@
426 458
 
427
-libisc-nosymtbl.@SA@: ${OBJS}
428
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
459
@@ -60,28 +60,28 @@ version.@O@: version.c
460
 		-DMAJOR=\"${MAJOR}\" \
461
 		-c ${srcdir}/version.c
462
 
463
-libns.@SA@: ${OBJS}
464
+libns-pkcs11.@SA@: ${OBJS}
429 465
 	${AR} ${ARFLAGS} $@ ${OBJS}
430 466
 	${RANLIB} $@
431 467
 
432
-libisc.la: ${OBJS} ${SYMTBLOBJS}
433
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
468
-libns.la: ${OBJS}
469
+libns-pkcs11.la: ${OBJS}
434 470
 	${LIBTOOL_MODE_LINK} \
435
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
436
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
437
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
438
 		${OBJS} ${SYMTBLOBJS} ${LIBS}
439
 
440
-libisc-nosymtbl.la: ${OBJS}
441
+libisc-pkcs11-nosymtbl.la: ${OBJS}
442
 	${LIBTOOL_MODE_LINK} \
443
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
444
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
445
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
446
 		${OBJS} ${LIBS}
447
 
448
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
449
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
471
-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
472
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
473
 		-release "${VERSION}" \
474
-		${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
475
+		${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
476
 
477
-timestamp: libns.@A@
478
+timestamp: libns-pkcs11.@A@
450 479
 	touch timestamp
451 480
 
452
-testdirs: libisc.@A@ libisc-nosymtbl.@A@
453
+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
454
 
455 481
 installdirs:
456 482
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
457 483
 
458 484
 install:: timestamp installdirs
459
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
460
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
485
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
486
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
487
 		${DESTDIR}${libdir}
461 488
 
462 489
 uninstall::
463
-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
464
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
490
-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
491
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
465 492
 
466 493
 clean distclean::
467
-	rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
468
-	libisc-nosymtbl.la timestamp
469
+	rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
470
+	libisc-pkcs11-nosymtbl.la timestamp
494
-	rm -f libns.@A@ timestamp
495
+	rm -f libns-pkcs11.@A@ timestamp
496
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
497
index 4c3e694..c1b6d99 100644
498
--- a/lib/ns-pkcs11/tests/Makefile.in
499
+++ b/lib/ns-pkcs11/tests/Makefile.in
500
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
501
 
502
 WRAP_OPTIONS =	-Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
503
 
504
-CINCLUDES =	-I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
505
+CINCLUDES =	-I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
506
 		${OPENSSL_CFLAGS} \
507
 		@CMOCKA_CFLAGS@
508
-CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
509
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
510
 
511
 ISCLIBS =	../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
512
 ISCDEPLIBS =	../../isc/libisc.@A@
513
-DNSLIBS =	../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
514
-DNSDEPLIBS =	../../dns/libdns.@A@
515
-NSLIBS =	../libns.@A@
516
-NSDEPLIBS =	../libns.@A@
517
+DNSLIBS =	../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
518
+DNSDEPLIBS =	../../dns-pkcs11/libdns-pkcs11.@A@
519
+NSLIBS =	../libns-pkcs11.@A@
520
+NSDEPLIBS =	../libns-pkcs11.@A@
521
 
522
 LIBS =		@LIBS@ @CMOCKA_LIBS@
523
 
471 524
diff --git a/make/includes.in b/make/includes.in
472
index fa86ad1..3cfbe9f 100644
525
index b8317d3..b73b0c4 100644
473 526
--- a/make/includes.in
474 527
+++ b/make/includes.in
475
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
528
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
476 529
 
477 530
 TEST_INCLUDES = \
478 531
 	-I${top_srcdir}/lib/tests/include
479 532
+
480
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
481
+	-I${top_srcdir}/lib/isc-pkcs11 \
482
+	-I${top_srcdir}/lib/isc-pkcs11/include \
483
+	-I${top_srcdir}/lib/isc-pkcs11/unix/include \
484
+	-I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
485
+	-I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
486
+
487
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
533
+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
488 534
+	-I${top_srcdir}/lib/dns-pkcs11/include
535
+
536
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
537
+	-I${top_srcdir}/lib/ns-pkcs11/include
538
+
539
-- 
540
2.31.1
541
view file @ 1fca60d876
... ... --- a/bind-9.10-sdb.patch
... ... +++ /dev/null
... ... @@ -1,319 +0,0 @@
0
diff --git a/bin/Makefile.in b/bin/Makefile.in
1
index ce7a2da..4e6a824 100644
2
--- a/bin/Makefile.in
3
+++ b/bin/Makefile.in
4
@@ -11,8 +11,8 @@ srcdir =	@srcdir@
5
 VPATH =		@srcdir@
6
 top_srcdir =	@top_srcdir@
7
 
8
-SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
9
-		check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
10
+SUBDIRS =	named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
11
+		check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
12
 TARGETS =
13
 
14
 @BIND9_MAKE_RULES@
15
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
16
index 4cfed4d..c6b42b2 100644
17
--- a/bin/named-sdb/Makefile.in
18
+++ b/bin/named-sdb/Makefile.in
19
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
20
 #
21
 # Add database drivers here.
22
 #
23
-DBDRIVER_OBJS =
24
-DBDRIVER_SRCS =
25
+DBDRIVER_OBJS =	ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
26
+DBDRIVER_SRCS =	ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
27
 DBDRIVER_INCLUDES =
28
-DBDRIVER_LIBS =
29
+DBDRIVER_LIBS =	-lldap -llber -lsqlite3 -lpq
30
 
31
 DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
32
 
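Review bot: `DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq` hard-codes four client libraries with no configure check, while `DBDRIVER_INCLUDES` stays empty. Every named-sdb build then links the LDAP, SQLite and PostgreSQL client libraries into the server whether or not any zone uses them. Take the libraries and include paths from configure substitutions so that a backend can be left out and headers outside the default search path are found.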
33
@@ -80,7 +80,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
34
 
35
 SUBDIRS =	unix
36
 
37
-TARGETS =	named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
38
+TARGETS =	named-sdb@EXEEXT@ feature-test-sdb@EXEEXT@
39
 
40
 GEOIPLINKOBJS = geoip.@O@
41
 GEOIP2LINKOBJS = geoip.@O@
42
@@ -154,7 +154,7 @@ server.@O@: server.c
43
 		-DPRODUCT=\"${PRODUCT}\" \
44
 		-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
45
 
46
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
47
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
48
 	export MAKE_SYMTABLE="yes"; \
49
 	export BASEOBJS="${OBJS} ${UOBJS}"; \
50
 	${FINALBUILDCMD}
51
@@ -168,7 +168,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
52
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
53
 		-c ${top_srcdir}/bin/tests/system/feature-test.c
54
 
55
-feature-test@EXEEXT@: feature-test.@O@
56
+feature-test-sdb@EXEEXT@: feature-test.@O@
57
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
58
 		-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
59
 
60
@@ -190,8 +190,6 @@ statschannel.@O@: bind9.xsl.h
61
 
62
 installdirs:
63
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
64
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
65
-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
66
 
67
 install-man5: named.conf.5
68
 	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
69
@@ -201,16 +199,11 @@ install-man8: named.8 lwresd.8
70
 
71
 install-man: install-man5 install-man8
72
 
73
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
74
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
75
-	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
76
+install:: ${TARGETS} installdirs
77
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
78
 
79
 uninstall::
80
-	rm -f ${DESTDIR}${mandir}/man5/named.conf.5
81
-	rm -f ${DESTDIR}${mandir}/man8/lwresd.8
82
-	rm -f ${DESTDIR}${mandir}/man8/named.8
83
-	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
84
-	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
85
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
86
 
87
 @DLZ_DRIVER_RULES@
88
 
89
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
90
index c9fc3cc..148ebb3 100644
91
--- a/bin/named-sdb/main.c
92
+++ b/bin/named-sdb/main.c
93
@@ -97,6 +97,10 @@
94
  * Include header files for database drivers here.
95
  */
96
 /* #include "xxdb.h" */
97
+#include "ldapdb.h"
98
+#include "pgsqldb.h"
99
+#include "sqlitedb.h"
100
+#include "dirdb.h"
101
 
102
 #ifdef CONTRIB_DLZ
103
 /*
104
@@ -1134,6 +1138,11 @@ setup(void) {
105
 		ns_main_earlyfatal("isc_app_start() failed: %s",
106
 				   isc_result_totext(result));
107
 
108
+	ldapdb_clear();
109
+	pgsqldb_clear();
110
+	dirdb_clear();
111
+	sqlitedb_clear();
112
+
113
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
114
 		      ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
115
 		      ns_g_product, ns_g_version,
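Review bot: The four `*_clear()` calls added at the top of this hunk run in `setup()` before any of the `*_init()` calls, which only appear in the next hunk. Clearing a driver that has not been registered yet should be dropped, or documented as a deliberate no-op; as written it is only safe if every `*_clear()` tolerates uninitialised state.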
116
@@ -1334,6 +1343,75 @@ setup(void) {
117
 				   isc_result_totext(result));
118
 #endif
119
 
120
+        result = ldapdb_init();
121
+        if (result != ISC_R_SUCCESS)
122
+        {
123
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
124
+                          ISC_LOG_ERROR, 
125
+                          "SDB ldap module initialisation failed: %s.",
126
+                          isc_result_totext(result)
127
+                );
128
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
129
+                          ISC_LOG_ERROR, 
130
+                          "SDB ldap zone database will be unavailable."
131
+                );
132
+        }else
133
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
134
+                          ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
135
+                         );
136
+
137
+        result = pgsqldb_init();
138
+        if (result != ISC_R_SUCCESS)
139
+        {
140
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
141
+                          ISC_LOG_ERROR, 
142
+                          "SDB pgsql module initialisation failed: %s.",
143
+                          isc_result_totext(result)
144
+                );
145
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
146
+                          ISC_LOG_ERROR, 
147
+                          "SDB pgsql zone database will be unavailable."
148
+                );
149
+        }else
150
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
151
+                          ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
152
+                         );
153
+
154
+        result = sqlitedb_init();
155
+        if (result != ISC_R_SUCCESS)
156
+        {
157
+             isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
158
+                          ISC_LOG_ERROR, 
159
+                          "SDB sqlite3 module initialisation failed: %s.",
160
+                          isc_result_totext(result)
161
+                );
162
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
163
+                          ISC_LOG_ERROR, 
164
+                          "SDB sqlite3 zone database will be unavailable."
165
+                );
166
+        }else
167
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
168
+                          ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
169
+                         );
170
+
171
+        result = dirdb_init();
172
+        if (result != ISC_R_SUCCESS)
173
+        {
174
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
175
+                          ISC_LOG_ERROR, 
176
+                          "SDB directory DB module initialisation failed: %s.",
177
+                          isc_result_totext(result)
178
+                );
179
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
180
+                          ISC_LOG_ERROR, 
181
+                          "SDB directory DB zone database will be unavailable."
182
+                );
183
+        }else
184
+            isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
185
+                          ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
186
+                         );
187
+
188
+
189
 	ns_server_create(ns_g_mctx, &ns_g_server);
190
 
191
 #ifdef HAVE_LIBSECCOMP
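Review bot: The four init blocks added here are the same block repeated with only the driver name changed, and a failed `*_init()` is logged at `ISC_LOG_ERROR` while startup carries on into `ns_server_create()`. Fold them into one loop over a small table of driver name and init function, and decide explicitly whether a server whose SDB backend failed to load should keep running or stop. The added lines are also indented with spaces and use `}else` with an unbraced branch, where the surrounding code is tab-indented.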
192
@@ -1376,6 +1454,11 @@ cleanup(void) {
193
 
194
 	dns_name_destroy();
195
 
196
+	ldapdb_clear();
197
+	pgsqldb_clear();
198
+	sqlitedb_clear();
199
+	dirdb_clear();
200
+
201
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
202
 		      ISC_LOG_NOTICE, "exiting");
203
 	ns_log_shutdown();
204
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
205
index 4cfed4d..f4bce7b 100644
206
--- a/bin/named/Makefile.in
207
+++ b/bin/named/Makefile.in
208
@@ -45,10 +45,10 @@ DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
209
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
210
 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
211
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
212
-		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
213
+		${MAXMINDDB_CFLAGS} \
214
 		@DST_OPENSSL_INC@
215
 
216
-CDEFINES =      @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
217
+CDEFINES =      @USE_GSSAPI@ @CRYPTO@
218
 
219
 CWARNINGS =
220
 
221
@@ -72,11 +72,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
222
 
223
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
224
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
225
-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
226
+		@LIBS@
227
 
228
 NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
229
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
230
-		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
231
+		@LIBS@
232
 
233
 SUBDIRS =	unix
234
 
235
@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
236
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
237
 		zoneconf.@O@ \
238
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
239
-		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
240
-		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
241
+		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
242
 
243
 UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
244
 
245
@@ -113,8 +112,7 @@ SRCS =		builtin.c client.c config.c control.c \
246
 		tkeyconf.c tsigconf.c update.c xfrout.c \
247
 		zoneconf.c \
248
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
249
-		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
250
-		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
251
+		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
252
 
253
 MANPAGES =	named.8 lwresd.8 named.conf.5
254
 
255
@@ -212,7 +210,5 @@ uninstall::
256
 	rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
257
 	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
258
 
259
-@DLZ_DRIVER_RULES@
260
-
261
 named-symtbl.@O@: named-symtbl.c
262
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
263
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
264
index c7e0868..95ab742 100644
265
--- a/bin/sdb_tools/Makefile.in
266
+++ b/bin/sdb_tools/Makefile.in
267
@@ -32,11 +32,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
268
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
269
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
270
 
271
-TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@
272
+TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
273
 
274
-OBJS	=	zone2ldap.@O@ zonetodb.@O@
275
+OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
276
 
277
-SRCS    =       zone2ldap.c zonetodb.c
278
+SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c
279
 
280
 MANPAGES =      zone2ldap.1
281
 
282
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
283
 zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
284
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
285
 
286
+zone2sqlite@EXEEXT@: zone2sqlite.@O@  ${DEPLIBS}
287
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
288
+
289
 clean distclean manclean maintainer-clean::
290
 	rm -f ${TARGETS} ${OBJS}
291
 
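Review bot: The new `zone2sqlite` link rule passes `${ALL_CFLAGS}` and a hard-coded `-lssl`, while the `zonetodb` rule directly above uses `${CFLAGS}` and only its database library. Nothing in this hunk shows why a zone-to-SQLite converter needs libssl; drop it or state the dependency in a comment, and use the same flags variable as the sibling rule.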
292
@@ -60,4 +63,5 @@ installdirs:
293
 install:: ${TARGETS} installdirs
294
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
295
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
296
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
297
 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
298
diff --git a/configure.ac b/configure.ac
299
index f85f45f..7d28c52 100644
300
--- a/configure.ac
301
+++ b/configure.ac
302
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
303
 	bin/named/unix/Makefile
304
 	bin/named-pkcs11/Makefile
305
 	bin/named-pkcs11/unix/Makefile
306
+	bin/named-sdb/Makefile
307
+	bin/named-sdb/unix/Makefile
308
 	bin/nsupdate/Makefile
309
 	bin/pkcs11/Makefile
310
 	bin/python/Makefile
311
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
312
 	bin/python/isc/tests/policy_test.py
313
 	bin/python/isc/utils.py
314
 	bin/rndc/Makefile
315
+	bin/sdb_tools/Makefile
316
 	bin/tests/Makefile
317
 	bin/tests/headerdep_test.sh
318
 	bin/tests/optional/Makefile
view file @ 1fca60d876
... ... --- a/bind-9.10-use-of-strlcat.patch
... ... +++ /dev/null
... ... @@ -1,18 +0,0 @@
0
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
1
index d56bc56..99c3314 100644
2
--- a/bin/sdb_tools/zone2ldap.c
3
+++ b/bin/sdb_tools/zone2ldap.c
4
@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
5
     }
6
 
7
 
8
-      strlcat (dn, tmp, sizeof (dn));
9
+      strncat (dn, tmp, sizeof (dn) - strlen (dn));
10
     }
11
 
12
   sprintf (tmp, "dc=%s", dc_list[0]);
13
-  strlcat (dn, tmp, sizeof (dn));
14
+  strncat (dn, tmp, sizeof (dn) - strlen (dn));
15
 
16
 	    fflush(NULL);
17
   return dn;
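Review bot: Both replacements pass `sizeof (dn) - strlen (dn)` as the `strncat` count, which is one too large. `strncat` appends up to n bytes and then writes a terminating NUL, so when `tmp` fills the remaining space the NUL lands one byte past the end of `dn`. `strlcat` took the full buffer size and accounted for the terminator itself; the equivalent bound here is `sizeof (dn) - strlen (dn) - 1`. The `sprintf (tmp, "dc=%s", dc_list[0])` in the context lines is unbounded as well and would be better as `snprintf` with the size of `tmp`.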
view file @ 1fca60d876
... ... --- a/bind-9.11-engine-pkcs11.patch
... ... +++ /dev/null
... ... @@ -1,27 +0,0 @@
0
From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
1
From: Petr Mensik <pemensik@redhat.com>
2
Date: Tue, 27 Aug 2019 20:39:59 +0200
3
Subject: [PATCH] Do not set engine for native PKCS11
4
5
It resets already set lib_path to pkcs11, which is invalid in native
6
pkcs11 crypto. Engine has to be path to PKCS#11 module.
7
---
8
 bin/named/include/named/globals.h | 2 +-
9
 1 file changed, 1 insertion(+), 1 deletion(-)
10
11
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
12
index eda2214..2a611d5 100644
13
--- a/bin/named/include/named/globals.h
14
+++ b/bin/named/include/named/globals.h
15
@@ -160,7 +160,7 @@ EXTERN const char *		ns_g_defaultdnstap	INIT(NULL);
16
 
17
 EXTERN const char *		ns_g_username		INIT(NULL);
18
 
19
-#if defined(USE_PKCS11)
20
+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
21
 EXTERN const char *		ns_g_engine		INIT(PKCS11_ENGINE);
22
 #else
23
 EXTERN const char *		ns_g_engine		INIT(NULL);
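Review bot: The new condition `defined(USE_PKCS11) && !defined(PKCS11CRYPTO)` carries the whole fix, but the reason lives only in the commit message. Add a short comment above the `#if` saying that with native PKCS#11 crypto the engine must stay unset because it would otherwise replace the already configured module path, so the extra test is not removed later as redundant.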
... ... ---
24
2.20.1
25
view file @ 1fca60d876
... ... --- a/bind-9.11-export-suffix.patch
... ... +++ /dev/null
... ... @@ -1,39 +0,0 @@
0
diff --git a/configure.ac b/configure.ac
1
index c1bfd62..7c5ad51 100644
2
--- a/configure.ac
3
+++ b/configure.ac
4
@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
5
 AC_SUBST(BUILD_LDFLAGS)
6
 AC_SUBST(BUILD_LIBS)
7
 
8
+AC_SUBST(LIBDIR_SUFFIX)
9
+
10
 #
11
 # Commands to run at the end of config.status.
12
 # Don't just put these into configure, it won't work right if somebody
13
diff --git a/isc-config.sh.in b/isc-config.sh.in
14
index b5e94ed..d2857e0 100644
15
--- a/isc-config.sh.in
16
+++ b/isc-config.sh.in
17
@@ -13,16 +13,17 @@ prefix=@prefix@
18
 exec_prefix=@exec_prefix@
19
 exec_prefix_set=
20
 includedir=@includedir@
21
+libdir_suffix=@LIBDIR_SUFFIX@
22
 arch=$(uname -m)
23
 
24
 case $arch in
25
 	x86_64 | amd64 | sparc64 | s390x | ppc64)
26
-		libdir=/usr/lib64
27
-		sec_libdir=/usr/lib
28
+		libdir=/usr/lib64${libdir_suffix}
29
+		sec_libdir=/usr/lib${libdir_suffix}
30
 		;;
31
 	* )
32
-		libdir=/usr/lib
33
-		sec_libdir=/usr/lib64
34
+		libdir=/usr/lib${libdir_suffix}
35
+		sec_libdir=/usr/lib64${libdir_suffix}
36
 		;;
37
 esac
38
 
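Review bot: The suffix is appended to paths that are still picked from a fixed `uname -m` list (`x86_64 | amd64 | sparc64 | s390x | ppc64`). A 64-bit machine whose name is not in that list, for example aarch64 or ppc64le, falls into the `*` branch and gets `libdir=/usr/lib${libdir_suffix}`. Since this hunk already adds a configure substitution, substitute `@libdir@` as well instead of extending the guess made from the build host's architecture.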
view file @ 1fca60d876
... ... --- a/bind-9.11-feature-test-named.patch
... ... +++ /dev/null
... ... @@ -1,71 +0,0 @@
0
From 3f2fafe5368655225eddf0537e58e425bbc297be Mon Sep 17 00:00:00 2001
1
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
2
Date: Wed, 30 Jan 2019 14:37:17 +0100
3
Subject: [PATCH] Create feature-test in source directory
4
5
Feature-test tool is used in system tests to test compiled in changes.
6
Because we build more variants of named with different configuration,
7
compile feature-test for each of them this way.
8
9
Named variant specific feature-test does not have defined gss support,
10
even when it was enabled by configure. bin/tests/system Makefile defines
11
it, so define it also in named variants.
12
---
13
 bin/named/Makefile.in       | 13 +++++++++++--
14
 bin/tests/system/conf.sh.in |  2 +-
15
 2 files changed, 12 insertions(+), 3 deletions(-)
16
17
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
18
index 3166368..70e5571 100644
19
--- a/bin/named/Makefile.in
20
+++ b/bin/named/Makefile.in
21
@@ -48,7 +48,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
22
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
23
 		@DST_OPENSSL_INC@
24
 
25
-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
26
+CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @USE_GSSAPI@ @CRYPTO@
27
 
28
 CWARNINGS =
29
 
30
@@ -80,7 +80,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
31
 
32
 SUBDIRS =	unix
33
 
34
-TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
35
+TARGETS =	named@EXEEXT@ lwresd@EXEEXT@ feature-test@EXEEXT@
36
 
37
 GEOIPLINKOBJS = geoip.@O@
38
 GEOIP2LINKOBJS = geoip.@O@
39
@@ -163,6 +163,15 @@ lwresd@EXEEXT@: named@EXEEXT@
40
 	rm -f lwresd@EXEEXT@
41
 	@LN@ named@EXEEXT@ lwresd@EXEEXT@
42
 
43
+# Bit of hack, do not produce intermediate .o object for featuretest
44
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
45
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
46
+		-c ${top_srcdir}/bin/tests/system/feature-test.c
47
+
48
+feature-test@EXEEXT@: feature-test.@O@
49
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
50
+		-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
51
+
52
 doc man:: ${MANOBJS}
53
 
54
 docclean manclean maintainer-clean::
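Review bot: The comment on the new rule says "do not produce intermediate .o object for featuretest", but the rule below it is exactly `feature-test.@O@:` built with `-c`, so the comment contradicts the code. Reword it to say what is actually done (compiling `bin/tests/system/feature-test.c` from another directory with this directory's defines). The compile step uses `${ALL_CFLAGS}` while the link step uses `${CFLAGS}`; if that difference is intended, the comment should mention it.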
55
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
56
index cedabbe..e1bf5da 100644
57
--- a/bin/tests/system/conf.sh.in
58
+++ b/bin/tests/system/conf.sh.in
59
@@ -71,7 +71,7 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
60
 MDIG=$TOP/bin/tools/mdig
61
 NZD2NZF=$TOP/bin/tools/named-nzd2nzf
62
 FSTRM_CAPTURE=@FSTRM_CAPTURE@
63
-FEATURETEST=$TOP/bin/tests/system/feature-test
64
+FEATURETEST=$TOP/bin/named/feature-test
65
 
66
 RANDFILE=$TOP/bin/tests/system/random.data
67
 
... ... ---
68
2.20.1
69
view file @ 1fca60d876
... ... --- a/bind-9.11-fips-code.patch
... ... +++ /dev/null
... ... @@ -1,1459 +0,0 @@
0
From eff6dcb62f3cea6df0a848c2220a49bc02cb4a0e Mon Sep 17 00:00:00 2001
1
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
2
Date: Thu, 2 Aug 2018 23:34:45 +0200
3
Subject: [PATCH] FIPS code changes
4
MIME-Version: 1.0
5
Content-Type: text/plain; charset=UTF-8
6
Content-Transfer-Encoding: 8bit
7
8
Squashed commit of the following:
9
10
commit b49f70ce0575b6b52a71b90fe0376dbf16f92c6b
11
Author: Petr Menšík <pemensik@redhat.com>
12
Date:   Mon Jan 22 14:12:37 2018 +0100
13
14
    Update system tests to detect MD5 disabled at runtime
15
16
commit 80ceffee4860c24baf70bc9a8653d92731eda2e4
17
Author: Petr Menšík <pemensik@redhat.com>
18
Date:   Thu Aug 2 14:53:54 2018 +0200
19
20
    Avoid warning about undefined parameters
21
22
commit e4ad4363e3d1acaac58456117579f02761f38fdc
23
Author: Petr Menšík <pemensik@redhat.com>
24
Date:   Wed Jun 20 19:31:19 2018 +0200
25
26
    Fix rndc-confgen default algorithm, report true algorithm in usage.
27
28
commit 7e629a351010cb75e0589ec361f720085675998c
29
Author: Petr Menšík <pemensik@redhat.com>
30
Date:   Fri Feb 23 21:21:30 2018 +0100
31
32
    Cleanup only if initialization was successful
33
34
commit 2101b948c77cbcbe07eb4a1e60f3e693b2245ec6
35
Author: Petr Menšík <pemensik@redhat.com>
36
Date:   Mon Feb 5 12:19:28 2018 +0100
37
38
    Ensure dst backend is initialized first even before hmac algorithms.
39
40
commit 7567c7edde7519115a9ae7e20818c835d3eb1ffe
41
Author: Petr Menšík <pemensik@redhat.com>
42
Date:   Mon Feb 5 12:17:54 2018 +0100
43
44
    Skip initialization of MD5 based algorithms if not available.
45
46
commit 5782137df6b45a6d900d5a1c250c1257227e917a
47
Author: Petr Menšík <pemensik@redhat.com>
48
Date:   Mon Feb 5 10:21:27 2018 +0100
49
50
    Change secalgs skipping to be more safe
51
52
commit f2d78729898182d2d19d5064de1bec9b66817159
53
Author: Petr Menšík <pemensik@redhat.com>
54
Date:   Wed Jan 31 18:26:11 2018 +0100
55
56
    Skip MD5 algorithm also in case of NULL name
57
58
commit 32a2ad4abc7aaca1c257730319ad3c27405d3407
59
Author: Petr Menšík <pemensik@redhat.com>
60
Date:   Wed Jan 31 11:38:12 2018 +0100
61
62
    Make MD5 behave like unknown algorithm in TSIG.
63
64
commit 13cd3f704dce568fdf24a567be5802b58ac6007b
65
Author: Petr Menšík <pemensik@redhat.com>
66
Date:   Tue Nov 28 20:14:37 2017 +0100
67
68
    Select token with most supported functions, instead of demanding it must support all functions
69
70
    Initialize PKCS#11 always until successfully initialized
71
72
commit a71df74abdca4fe63bcdf542b81a109cf1f495b4
73
Author: Petr Menšík <pemensik@redhat.com>
74
Date:   Mon Jan 22 16:17:44 2018 +0100
75
76
    Handle MD5 unavailability from DST
77
78
commit dd82cb263efa2753d3ee772972726ea08bcc639b
79
Author: Petr Menšík <pemensik@redhat.com>
80
Date:   Mon Jan 22 14:11:16 2018 +0100
81
82
    Check runtime flag from library and applications, fail gracefully.
83
84
commit c7b2f87f07ecae75b821a908e29f08a42371e32e
85
Author: Petr Menšík <pemensik@redhat.com>
86
Date:   Mon Jan 22 08:39:08 2018 +0100
87
88
    Modify libraries to use isc_md5_available() if PK11_MD5_DISABLE is not
89
    defined.
90
    TODO: pk11.c should accept slot without MD5 support.
91
92
commit 0b8e470ec636b9e350b5ec3203eb2b4091415fde
93
Author: Petr Menšík <pemensik@redhat.com>
94
Date:   Mon Jan 22 07:21:04 2018 +0100
95
96
    Add runtime detection whether MD5 is useable.
97
---
98
 bin/confgen/keygen.c              | 10 +++-
99
 bin/confgen/rndc-confgen.c        | 32 ++++---------
100
 bin/dig/dig.c                     |  7 +--
101
 bin/dig/dighost.c                 | 14 ++++--
102
 bin/dnssec/dnssec-keygen.c        | 14 ++++++
103
 bin/named/config.c                | 25 +++++++++-
104
 bin/nsupdate/nsupdate.c           | 24 ++++++----
105
 bin/rndc/rndc.c                   |  3 +-
106
 bin/tests/optional/hash_test.c    | 78 ++++++++++++++++---------------
107
 bin/tests/system/tkey/keycreate.c |  3 ++
108
 bin/tests/system/tkey/keydelete.c | 17 ++++---
109
 lib/bind9/check.c                 | 10 ++++
110
 lib/dns/dst_api.c                 | 23 ++++++---
111
 lib/dns/dst_internal.h            |  3 +-
112
 lib/dns/dst_parse.c               | 18 +++++--
113
 lib/dns/hmac_link.c               | 18 ++-----
114
 lib/dns/opensslrsa_link.c         |  6 +++
115
 lib/dns/pkcs11rsa_link.c          | 33 +++++++++++--
116
 lib/dns/rcode.c                   | 21 ++++++++-
117
 lib/dns/tests/rsa_test.c          |  4 ++
118
 lib/dns/tests/tsig_test.c         |  1 +
119
 lib/dns/tkey.c                    |  9 ++++
120
 lib/dns/tsec.c                    |  8 +++-
121
 lib/dns/tsig.c                    | 17 ++++---
122
 lib/isc/include/isc/md5.h         |  3 ++
123
 lib/isc/md5.c                     | 59 +++++++++++++++++++++++
124
 lib/isc/pk11.c                    | 44 +++++++++++------
125
 lib/isc/tests/hash_test.c         |  9 ++++
126
 lib/isccc/cc.c                    | 42 +++++++++++------
127
 29 files changed, 400 insertions(+), 155 deletions(-)
128
129
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
130
index 8931ad5..5015abb 100644
131
--- a/bin/confgen/keygen.c
132
+++ b/bin/confgen/keygen.c
133
@@ -22,6 +22,7 @@
134
 #include <isc/entropy.h>
135
 #include <isc/file.h>
136
 #include <isc/keyboard.h>
137
+#include <isc/md5.h>
138
 #include <isc/mem.h>
139
 #include <isc/print.h>
140
 #include <isc/result.h>
141
@@ -73,7 +74,7 @@ alg_fromtext(const char *name) {
142
 		p = &name[5];
143
 
144
 #ifndef PK11_MD5_DISABLE
145
-	if (strcasecmp(p, "md5") == 0)
146
+	if (strcasecmp(p, "md5") == 0 && isc_md5_available())
147
 		return DST_ALG_HMACMD5;
148
 #endif
149
 	if (strcasecmp(p, "sha1") == 0)
150
@@ -132,6 +133,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
151
 	switch (alg) {
152
 #ifndef PK11_MD5_DISABLE
153
 	    case DST_ALG_HMACMD5:
154
+		if (!isc_md5_available()) {
155
+			fatal("unsupported algorithm %d\n", alg);
156
+		} else if (keysize < 1 || keysize > 512) {
157
+			fatal("keysize %d out of range (must be 1-512)\n",
158
+			      keysize);
159
+		}
160
+		break;
161
 #endif
162
 	    case DST_ALG_HMACSHA1:
163
 	    case DST_ALG_HMACSHA224:
164
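Review bot: The `break` added at the end of the `DST_ALG_HMACMD5` case stops it falling through to the `DST_ALG_HMACSHA1` group that follows, so the 1-512 key-size limit is now written out in this case on its own. If the cases below apply the same bound, keep the fallthrough and add only the `isc_md5_available()` test, so the limit lives in one place.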
diff --git a/bin/confgen/rndc-confgen.c b/bin/confgen/rndc-confgen.c
165
index 5ca3d76..6b7790a 100644
166
--- a/bin/confgen/rndc-confgen.c
167
+++ b/bin/confgen/rndc-confgen.c
168
@@ -36,6 +36,7 @@
169
 #include <isc/file.h>
170
 #include <isc/keyboard.h>
171
 #include <isc/mem.h>
172
+#include <isc/md5.h>
173
 #include <isc/net.h>
174
 #include <isc/print.h>
175
 #include <isc/result.h>
176
@@ -63,7 +64,7 @@ const char *progname;
177
 
178
 bool verbose = false;
179
 
180
-const char *keyfile, *keydef;
181
+const char *keyfile, *keydef, *algdef;
182
 
183
 ISC_PLATFORM_NORETURN_PRE static void
184
 usage(int status) ISC_PLATFORM_NORETURN_POST;
185
@@ -71,13 +72,12 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
186
 static void
187
 usage(int status) {
188
 
189
-#ifndef PK11_MD5_DISABLE
190
 	fprintf(stderr, "\
191
 Usage:\n\
192
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
193
 [-s addr] [-t chrootdir] [-u user]\n\
194
   -a:		 generate just the key clause and write it to keyfile (%s)\n\
195
-  -A alg:	 algorithm (default hmac-md5)\n\
196
+  -A alg:	 algorithm (default %s)\n\
197
   -b bits:	 from 1 through 512, default 256; total length of the secret\n\
198
   -c keyfile:	 specify an alternate key file (requires -a)\n\
199
   -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
200
@@ -86,24 +86,7 @@ Usage:\n\
201
   -s addr:	 the address to which rndc should connect\n\
202
   -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
203
   -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
204
-		 progname, keydef);
205
-#else
206
-	fprintf(stderr, "\
207
-Usage:\n\
208
- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
209
-[-s addr] [-t chrootdir] [-u user]\n\
210
-  -a:		 generate just the key clause and write it to keyfile (%s)\n\
211
-  -A alg:	 algorithm (default hmac-sha256)\n\
212
-  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
213
-  -c keyfile:	 specify an alternate key file (requires -a)\n\
214
-  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
215
-  -p port:	 the port named will listen on and rndc will connect to\n\
216
-  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
217
-  -s addr:	 the address to which rndc should connect\n\
218
-  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
219
-  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
220
-		 progname, keydef);
221
-#endif
222
+		 progname, keydef, algdef);
223
 
224
 	exit (status);
225
 }
226
@@ -139,11 +122,12 @@ main(int argc, char **argv) {
227
 	progname = program;
228
 
229
 	keyname = DEFAULT_KEYNAME;
230
-#ifndef PK11_MD5_DISABLE
231
-	alg = DST_ALG_HMACMD5;
232
-#else
233
 	alg = DST_ALG_HMACSHA256;
234
+#ifndef PK11_MD5_DISABLE
235
+	if (isc_md5_available())
236
+		alg = DST_ALG_HMACMD5;
237
 #endif
238
+	algdef = alg_totext(alg);
239
 	serveraddr = DEFAULT_SERVER;
240
 	port = DEFAULT_PORT;
241
 
242
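Review bot: In `main()` the default is still `DST_ALG_HMACMD5` whenever `isc_md5_available()` returns true and only falls back to `DST_ALG_HMACSHA256` otherwise, so the same command line yields a different key type depending on the host's crypto policy. The usage text now prints the effective default through `algdef`, but the documentation for `-A` should state this too, or the default should be hmac-sha256 in both cases.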
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
243
index 706299e..aaf22e7 100644
244
--- a/bin/dig/dig.c
245
+++ b/bin/dig/dig.c
246
@@ -20,6 +20,7 @@
247
 #include <ctype.h>
248
 
249
 #include <isc/app.h>
250
+#include <isc/md5.h>
251
 #include <isc/netaddr.h>
252
 #include <isc/parseint.h>
253
 #include <isc/platform.h>
254
@@ -1774,10 +1775,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
255
 			ptr = ptr2;
256
 			ptr2 = ptr3;
257
 		} else  {
258
-#ifndef PK11_MD5_DISABLE
259
-			hmacname = DNS_TSIG_HMACMD5_NAME;
260
-#else
261
 			hmacname = DNS_TSIG_HMACSHA256_NAME;
262
+#ifndef PK11_MD5_DISABLE
263
+			if (isc_md5_available())
264
+				hmacname = DNS_TSIG_HMACMD5_NAME;
265
 #endif
266
 			digestbits = 0;
267
 		}
268
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
269
index 93e5b40..afd2700 100644
270
--- a/bin/dig/dighost.c
271
+++ b/bin/dig/dighost.c
272
@@ -80,6 +80,7 @@
273
 #include <isc/hex.h>
274
 #include <isc/lang.h>
275
 #include <isc/log.h>
276
+#include <isc/md5.h>
277
 #include <isc/netaddr.h>
278
 #include <isc/netdb.h>
279
 #include <isc/parseint.h>
280
@@ -1246,9 +1247,10 @@ parse_hmac(const char *hmac) {
281
 	digestbits = 0;
282
 
283
 #ifndef PK11_MD5_DISABLE
284
-	if (strcasecmp(buf, "hmac-md5") == 0) {
285
+	if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) {
286
 		hmacname = DNS_TSIG_HMACMD5_NAME;
287
-	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
288
+	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0 &&
289
+		   isc_md5_available()) {
290
 		hmacname = DNS_TSIG_HMACMD5_NAME;
291
 		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
292
 	} else
293
@@ -1368,7 +1370,13 @@ setup_file_key(void) {
294
 	switch (dst_key_alg(dstkey)) {
295
 #ifndef PK11_MD5_DISABLE
296
 	case DST_ALG_HMACMD5:
297
-		hmacname = DNS_TSIG_HMACMD5_NAME;
298
+		if (isc_md5_available()) {
299
+			hmacname = DNS_TSIG_HMACMD5_NAME;
300
+		} else {
301
+			printf(";; Couldn't create key %s: bad algorithm\n",
302
+			       keynametext);
303
+			goto failure;
304
+		}
305
 		break;
306
 #endif
307
 	case DST_ALG_HMACSHA1:
308
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
309
index 1476d0d..f5c9316 100644
310
--- a/bin/dnssec/dnssec-keygen.c
311
+++ b/bin/dnssec/dnssec-keygen.c
312
@@ -36,6 +36,7 @@
313
 #include <isc/buffer.h>
314
 #include <isc/commandline.h>
315
 #include <isc/entropy.h>
316
+#include <isc/md5.h>
317
 #include <isc/mem.h>
318
 #include <isc/print.h>
319
 #include <isc/region.h>
320
@@ -562,6 +563,19 @@ main(int argc, char **argv) {
321
 					"\"-a RSAMD5\"\n");
322
 			INSIST(freeit == NULL);
323
 			return (1);
324
+		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
325
+			if (isc_md5_available()) {
326
+				alg = DST_ALG_HMACMD5;
327
+			} else {
328
+				fprintf(stderr,
329
+					"The use of HMAC-MD5 was disabled\n");
330
+				return (1);
331
+			}
332
+		} else if (strcasecmp(algname, "RSAMD5") == 0 &&
333
+			   !isc_md5_available()) {
334
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
335
+			INSIST(freeit == NULL);
336
+			return (1);
337
 		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
338
 			alg = DST_ALG_HMACMD5;
339
 #else
340
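Review bot: The new `else if (strcasecmp(algname, "HMAC-MD5") == 0)` branch sits ahead of the existing branch with the identical condition, so the old `alg = DST_ALG_HMACMD5;` branch at the end of this hunk can no longer be reached and should be deleted rather than left as dead code. The new HMAC-MD5 failure path also returns without the `INSIST(freeit == NULL);` that the RSAMD5 paths on either side of it keep.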
diff --git a/bin/named/config.c b/bin/named/config.c
341
index 32c454a..dff826b 100644
342
--- a/bin/named/config.c
343
+++ b/bin/named/config.c
344
@@ -18,6 +18,7 @@
345
 
346
 #include <isc/buffer.h>
347
 #include <isc/log.h>
348
+#include <isc/md5.h>
349
 #include <isc/mem.h>
350
 #include <isc/parseint.h>
351
 #include <isc/region.h>
352
@@ -974,6 +975,21 @@ ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
353
 	return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
354
 }
355
 
356
+static inline int
357
+algorithms_start() {
358
+#ifndef PK11_MD5_DISABLE
359
+	if (!isc_md5_available()) {
360
+		int i = 0;
361
+		while (algorithms[i].str != NULL &&
362
+			algorithms[i].hmac == hmacmd5) {
363
+			i++;
364
+		}
365
+		return i;
366
+	}
367
+#endif
368
+	return 0;
369
+}
370
+
371
 isc_result_t
372
 ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
373
 			   unsigned int *typep, uint16_t *digestbits)
374
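Review bot: `algorithms_start()` only skips `hmacmd5` entries that come first in `algorithms[]`, so it silently depends on the table order; a comment stating that, or a per-entry test inside the lookup loop, would keep a later reordering of the table from re-enabling hmac-md5. The definition should also read `algorithms_start(void)`, since empty parentheses in C leave the parameter list unspecified, and `return i;` and `return 0;` do not match the `return (...)` form used by the surrounding functions.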
@@ -983,7 +999,7 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
375
 	uint16_t bits;
376
 	isc_result_t result;
377
 
378
-	for (i = 0; algorithms[i].str != NULL; i++) {
379
+	for (i = algorithms_start(); algorithms[i].str != NULL; i++) {
380
 		len = strlen(algorithms[i].str);
381
 		if (strncasecmp(algorithms[i].str, str, len) == 0 &&
382
 		    (str[len] == '\0' ||
383
@@ -1006,7 +1022,12 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
384
 	if (name != NULL) {
385
 		switch (algorithms[i].hmac) {
386
 #ifndef PK11_MD5_DISABLE
387
-		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
388
+		case hmacmd5:
389
+			if (isc_md5_available()) {
390
+				*name = dns_tsig_hmacmd5_name; break;
391
+			} else {
392
+				return (ISC_R_NOTFOUND);
393
+			}
394
 #endif
395
 		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
396
 		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
397
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
398
index de60313..bbb3936 100644
399
--- a/bin/nsupdate/nsupdate.c
400
+++ b/bin/nsupdate/nsupdate.c
401
@@ -31,6 +31,7 @@
402
 #include <isc/hash.h>
403
 #include <isc/lex.h>
404
 #include <isc/log.h>
405
+#include <isc/md5.h>
406
 #include <isc/mem.h>
407
 #include <isc/parseint.h>
408
 #include <isc/portset.h>
409
@@ -477,9 +478,10 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len,
410
 	strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
411
 
412
 #ifndef PK11_MD5_DISABLE
413
-	if (strcasecmp(buf, "hmac-md5") == 0) {
414
+	if (strcasecmp(buf, "hmac-md5") == 0 && isc_md5_available()) {
415
 		*hmac = DNS_TSIG_HMACMD5_NAME;
416
-	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
417
+	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0 &&
418
+		   isc_md5_available()) {
419
 		*hmac = DNS_TSIG_HMACMD5_NAME;
420
 		result = isc_parse_uint16(&digestbits, &buf[9], 10);
421
 		if (result != ISC_R_SUCCESS || digestbits > 128) {
422
@@ -592,10 +594,10 @@ setup_keystr(void) {
423
 			exit(1);
424
 		}
425
 	} else {
426
-#ifndef PK11_MD5_DISABLE
427
-		hmacname = DNS_TSIG_HMACMD5_NAME;
428
-#else
429
 		hmacname = DNS_TSIG_HMACSHA256_NAME;
430
+#ifndef PK11_MD5_DISABLE
431
+		if (isc_md5_available())
432
+			hmacname = DNS_TSIG_HMACMD5_NAME;
433
 #endif
434
 		name = keystr;
435
 		n = s;
436
@@ -732,7 +734,8 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
437
 	switch (dst_key_alg(dstkey)) {
438
 #ifndef PK11_MD5_DISABLE
439
 	case DST_ALG_HMACMD5:
440
-		hmacname = DNS_TSIG_HMACMD5_NAME;
441
+		if (isc_md5_available())
442
+			hmacname = DNS_TSIG_HMACMD5_NAME;
443
 		break;
444
 #endif
445
 	case DST_ALG_HMACSHA1:
446
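Review bot: In the `DST_ALG_HMACMD5` case of `setup_keyfile()`, when `isc_md5_available()` is false the code just reaches `break` with `hmacname` unassigned and no diagnostic, so an hmac-md5 key file is neither used nor reported. The matching change to `setup_file_key()` in bin/dig/dighost.c prints a "Couldn't create key ...: bad algorithm" message and jumps to `failure`; this path needs an equivalent error exit.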
@@ -1637,12 +1640,13 @@ evaluate_key(char *cmdline) {
447
 			return (STATUS_SYNTAX);
448
 		}
449
 		namestr = n + 1;
450
-	} else
451
-#ifndef PK11_MD5_DISABLE
452
-		hmacname = DNS_TSIG_HMACMD5_NAME;
453
-#else
454
+	} else {
455
 		hmacname = DNS_TSIG_HMACSHA256_NAME;
456
+#ifndef PK11_MD5_DISABLE
457
+		if (isc_md5_available())
458
+			hmacname = DNS_TSIG_HMACMD5_NAME;
459
 #endif
460
+	}
461
 
462
 	isc_buffer_init(&b, namestr, strlen(namestr));
463
 	isc_buffer_add(&b, strlen(namestr));
464
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
465
index 9eb0ce0..8083654 100644
466
--- a/bin/rndc/rndc.c
467
+++ b/bin/rndc/rndc.c
468
@@ -23,6 +23,7 @@
469
 #include <isc/file.h>
470
 #include <isc/log.h>
471
 #include <isc/net.h>
472
+#include <isc/md5.h>
473
 #include <isc/mem.h>
474
 #include <isc/print.h>
475
 #include <isc/random.h>
476
@@ -636,7 +637,7 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
477
 	algorithmstr = cfg_obj_asstring(algorithmobj);
478
 
479
 #ifndef PK11_MD5_DISABLE
480
-	if (strcasecmp(algorithmstr, "hmac-md5") == 0)
481
+	if (strcasecmp(algorithmstr, "hmac-md5") == 0 && isc_md5_available())
482
 		algorithm = ISCCC_ALG_HMACMD5;
483
 	else
484
 #endif
485
diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c
486
index bf2891a..b5f0a1c 100644
487
--- a/bin/tests/optional/hash_test.c
488
+++ b/bin/tests/optional/hash_test.c
489
@@ -90,43 +90,47 @@ main(int argc, char **argv) {
490
 	print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
491
 
492
 #ifndef PK11_MD5_DISABLE
493
-	s = "abc";
494
-	isc_md5_init(&md5);
495
-	memmove(buffer, s, strlen(s));
496
-	isc_md5_update(&md5, buffer, strlen(s));
497
-	isc_md5_final(&md5, digest);
498
-	print_digest(s, "md5", digest, 4);
499
-
500
-	/*
501
-	 * The 3 HMAC-MD5 examples from RFC2104
502
-	 */
503
-	s = "Hi There";
504
-	memset(key, 0x0b, 16);
505
-	isc_hmacmd5_init(&hmacmd5, key, 16);
506
-	memmove(buffer, s, strlen(s));
507
-	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
508
-	isc_hmacmd5_sign(&hmacmd5, digest);
509
-	print_digest(s, "hmacmd5", digest, 4);
510
-
511
-	s = "what do ya want for nothing?";
512
-	strlcpy((char *)key, "Jefe", sizeof(key));
513
-	isc_hmacmd5_init(&hmacmd5, key, 4);
514
-	memmove(buffer, s, strlen(s));
515
-	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
516
-	isc_hmacmd5_sign(&hmacmd5, digest);
517
-	print_digest(s, "hmacmd5", digest, 4);
518
-
519
-	s = "\335\335\335\335\335\335\335\335\335\335"
520
-	    "\335\335\335\335\335\335\335\335\335\335"
521
-	    "\335\335\335\335\335\335\335\335\335\335"
522
-	    "\335\335\335\335\335\335\335\335\335\335"
523
-	    "\335\335\335\335\335\335\335\335\335\335";
524
-	memset(key, 0xaa, 16);
525
-	isc_hmacmd5_init(&hmacmd5, key, 16);
526
-	memmove(buffer, s, strlen(s));
527
-	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
528
-	isc_hmacmd5_sign(&hmacmd5, digest);
529
-	print_digest(s, "hmacmd5", digest, 4);
530
+	if (isc_md5_available()) {
531
+		s = "abc";
532
+		isc_md5_init(&md5);
533
+		memmove(buffer, s, strlen(s));
534
+		isc_md5_update(&md5, buffer, strlen(s));
535
+		isc_md5_final(&md5, digest);
536
+		print_digest(s, "md5", digest, 4);
537
+
538
+		/*
539
+		 * The 3 HMAC-MD5 examples from RFC2104
540
+		 */
541
+		s = "Hi There";
542
+		memset(key, 0x0b, 16);
543
+		isc_hmacmd5_init(&hmacmd5, key, 16);
544
+		memmove(buffer, s, strlen(s));
545
+		isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
546
+		isc_hmacmd5_sign(&hmacmd5, digest);
547
+		print_digest(s, "hmacmd5", digest, 4);
548
+
549
+		s = "what do ya want for nothing?";
550
+		strlcpy((char *)key, "Jefe", sizeof(key));
551
+		isc_hmacmd5_init(&hmacmd5, key, 4);
552
+		memmove(buffer, s, strlen(s));
553
+		isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
554
+		isc_hmacmd5_sign(&hmacmd5, digest);
555
+		print_digest(s, "hmacmd5", digest, 4);
556
+
557
+		s = "\335\335\335\335\335\335\335\335\335\335"
558
+		    "\335\335\335\335\335\335\335\335\335\335"
559
+		    "\335\335\335\335\335\335\335\335\335\335"
560
+		    "\335\335\335\335\335\335\335\335\335\335"
561
+		    "\335\335\335\335\335\335\335\335\335\335";
562
+		memset(key, 0xaa, 16);
563
+		isc_hmacmd5_init(&hmacmd5, key, 16);
564
+		memmove(buffer, s, strlen(s));
565
+		isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
566
+		isc_hmacmd5_sign(&hmacmd5, digest);
567
+		print_digest(s, "hmacmd5", digest, 4);
568
+	} else {
569
+		fprintf(stderr, "Skipping disabled MD5 algorithm\n");
570
+	}
571
 #endif
572
 
573
 	/*
574
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
575
index 5a00f86..653c951 100644
576
--- a/bin/tests/system/tkey/keycreate.c
577
+++ b/bin/tests/system/tkey/keycreate.c
578
@@ -20,6 +20,7 @@
579
 #include <isc/entropy.h>
580
 #include <isc/hash.h>
581
 #include <isc/log.h>
582
+#include <isc/md5.h>
583
 #include <isc/mem.h>
584
 #include <isc/print.h>
585
 #include <isc/sockaddr.h>
586
@@ -142,6 +143,8 @@ sendquery(isc_task_t *task, isc_event_t *event) {
587
 	static char keystr[] = "0123456789ab";
588
 
589
 	isc_event_free(&event);
590
+	if (!isc_md5_available())
591
+		CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
592
 
593
 	result = ISC_R_FAILURE;
594
 	if (inet_pton(AF_INET, "10.53.0.1", &inaddr) != 1)
595
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
596
index bde66a4..70a40c3 100644
597
--- a/bin/tests/system/tkey/keydelete.c
598
+++ b/bin/tests/system/tkey/keydelete.c
599
@@ -225,12 +225,17 @@ main(int argc, char **argv) {
600
 	result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
601
 	CHECK("dst_key_fromnamedfile", result);
602
 #ifndef PK11_MD5_DISABLE
603
-	result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
604
-					   DNS_TSIG_HMACMD5_NAME,
605
-					   dstkey, true, NULL, 0, 0,
606
-					   mctx, ring, &tsigkey);
607
-	dst_key_free(&dstkey);
608
-	CHECK("dns_tsigkey_createfromkey", result);
609
+	if (isc_md5_available()) {
610
+		result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
611
+						   DNS_TSIG_HMACMD5_NAME,
612
+						   dstkey, true, NULL, 0, 0,
613
+						   mctx, ring, &tsigkey);
614
+		dst_key_free(&dstkey);
615
+		CHECK("dns_tsigkey_createfromkey", result);
616
+	} else {
617
+		dst_key_free(&dstkey);
618
+		CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
619
+	}
620
 #else
621
 	dst_key_free(&dstkey);
622
 	CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
623
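Review bot: This file now calls `isc_md5_available()` but, unlike bin/tests/system/tkey/keycreate.c, its diff adds no `#include <isc/md5.h>`. Add the include here as well unless the file already includes that header directly, rather than relying on another header to pull in the prototype.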
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
624
index ec0ab6d..e0803d4 100644
625
--- a/lib/bind9/check.c
626
+++ b/lib/bind9/check.c
627
@@ -23,6 +23,7 @@
628
 #include <isc/file.h>
629
 #include <isc/hex.h>
630
 #include <isc/log.h>
631
+#include <isc/md5.h>
632
 #include <isc/mem.h>
633
 #include <isc/netaddr.h>
634
 #include <isc/parseint.h>
635
@@ -2618,6 +2619,15 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
636
 	}
637
 
638
 	algorithm = cfg_obj_asstring(algobj);
639
+#ifndef PK11_MD5_DISABLE
640
+	/* Skip hmac-md5* algorithms */
641
+	if (!isc_md5_available() &&
642
+	    strncasecmp(algorithm, "hmac-md5", 8) == 0) {
643
+		cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
644
+			    "disabled algorithm '%s'", algorithm);
645
+		return (ISC_R_DISABLED);
646
+	}
647
+#endif
648
 	for (i = 0; algorithms[i].name != NULL; i++) {
649
 		len = strlen(algorithms[i].name);
650
 		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
651
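Review bot: `strncasecmp(algorithm, "hmac-md5", 8)` is a bare prefix test, so any string that merely starts with hmac-md5 is reported as a disabled algorithm before the table loop below has applied its own match conditions. Running the availability test on the matched table entry would keep "unknown algorithm" and "disabled algorithm" distinct. The comment says "Skip" while the code rejects the key with `ISC_R_DISABLED`; reword it to match.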
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
652
index e3c47a9..320c0f8 100644
653
--- a/lib/dns/dst_api.c
654
+++ b/lib/dns/dst_api.c
655
@@ -192,6 +192,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
656
 	dst_result_register();
657
 
658
 	memset(dst_t_func, 0, sizeof(dst_t_func));
659
+
660
+#ifdef OPENSSL
661
+	RETERR(dst__openssl_init(engine));
662
+#elif PKCS11CRYPTO
663
+	RETERR(dst__pkcs11_init(mctx, engine));
664
+#endif
665
 #ifndef PK11_MD5_DISABLE
666
 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
667
 #endif
668
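Review bot: Moving `dst__openssl_init()` and `dst__pkcs11_init()` ahead of `dst__hmacmd5_init()` creates an ordering requirement that nothing in the code records. Add a comment above the new block saying why the crypto backend has to be initialised before the per-algorithm initialisers (presumably because they now consult `isc_md5_available()`), so the calls are not moved back next to the RSA registrations later. Please also confirm that the error path taken by `RETERR` still tears the backend down when one of the HMAC initialisers, which now run after it, fails.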
@@ -201,7 +207,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
669
 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
670
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
671
 #ifdef OPENSSL
672
-	RETERR(dst__openssl_init(engine));
673
 #ifndef PK11_MD5_DISABLE
674
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
675
 				    DST_ALG_RSAMD5));
676
@@ -235,14 +240,18 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
677
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
678
 #endif
679
 #elif PKCS11CRYPTO
680
-	RETERR(dst__pkcs11_init(mctx, engine));
681
 #ifndef PK11_MD5_DISABLE
682
-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
683
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5],
684
+				   DST_ALG_RSAMD5));
685
 #endif
686
-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
687
-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
688
-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
689
-	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
690
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1],
691
+				   DST_ALG_RSASHA1));
692
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
693
+				   DST_ALG_NSEC3RSASHA1));
694
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256],
695
+				   DST_ALG_RSASHA256));
696
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512],
697
+				   DST_ALG_RSASHA512));
698
 #ifndef PK11_DSA_DISABLE
699
 	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
700
 	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
701
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
702
index 6ee796c..3e55d44 100644
703
--- a/lib/dns/dst_internal.h
704
+++ b/lib/dns/dst_internal.h
705
@@ -250,7 +250,8 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
706
 isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
707
 isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
708
 				  unsigned char algorithm);
709
-isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
710
+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp,
711
+				 unsigned char algorithm);
712
 #ifndef PK11_DSA_DISABLE
713
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
714
 isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
715
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
716
index f31c33d..87023a6 100644
717
--- a/lib/dns/dst_parse.c
718
+++ b/lib/dns/dst_parse.c
719
@@ -33,6 +33,7 @@
720
 #include <isc/file.h>
721
 #include <isc/fsaccess.h>
722
 #include <isc/lex.h>
723
+#include <isc/md5.h>
724
 #include <isc/mem.h>
725
 #include <isc/print.h>
726
 #include <isc/stdtime.h>
727
@@ -396,6 +397,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
728
 	switch (alg) {
729
 #ifndef PK11_MD5_DISABLE
730
 	case DST_ALG_RSAMD5:
731
+		if (isc_md5_available())
732
+			return (check_rsa(priv, external));
733
+		else
734
+			return (DST_R_UNSUPPORTEDALG);
735
 #endif
736
 	case DST_ALG_RSASHA1:
737
 	case DST_ALG_NSEC3RSASHA1:
738
@@ -421,7 +426,10 @@ check_data(const dst_private_t *priv, const unsigned int alg,
739
 		return (check_eddsa(priv, external));
740
 #ifndef PK11_MD5_DISABLE
741
 	case DST_ALG_HMACMD5:
742
-		return (check_hmac_md5(priv, old));
743
+		if (isc_md5_available())
744
+			return (check_hmac_md5(priv, old));
745
+		else
746
+			return (DST_R_UNSUPPORTEDALG);
747
 #endif
748
 	case DST_ALG_HMACSHA1:
749
 		return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
750
@@ -640,11 +648,13 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
751
 	}
752
 
753
 #ifdef PK11_MD5_DISABLE
754
-	check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
755
-			   true, external);
756
+	if (alg == DST_ALG_RSA)
757
+		alg = DST_ALG_RSASHA1;
758
 #else
759
-	check = check_data(priv, alg, true, external);
760
+	if (!isc_md5_available() && alg == DST_ALG_RSA)
761
+		alg = DST_ALG_RSASHA1;
762
 #endif
763
+	check = check_data(priv, alg, true, external);
764
 	if (check < 0) {
765
 		ret = DST_R_INVALIDPRIVATEKEY;
766
 		goto fail;
767
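Review bot: The old code substituted `DST_ALG_RSASHA1` only in the argument passed to `check_data()`; the new code assigns it to `alg` itself, so every later use of `alg` in `dst__privstruct_parse()` sees the rewritten value when the key was `DST_ALG_RSA`. If that is intended, say so in a comment; otherwise keep `alg` untouched and use a local variable for the value handed to `check_data()`.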
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
768
index 3b6579b..4bdce2f 100644
769
--- a/lib/dns/hmac_link.c
770
+++ b/lib/dns/hmac_link.c
771
@@ -340,20 +340,10 @@ static dst_func_t hmacmd5_functions = {
772
 
773
 isc_result_t
774
 dst__hmacmd5_init(dst_func_t **funcp) {
775
-#ifdef HAVE_FIPS_MODE
776
-	/*
777
-	 * Problems from OpenSSL are likely from FIPS mode
778
-	 */
779
-	int fips_mode = FIPS_mode();
780
-
781
-	if (fips_mode != 0) {
782
-		UNEXPECTED_ERROR(__FILE__, __LINE__,
783
-				 "FIPS mode is %d: MD5 is only supported "
784
-				 "if the value is 0.\n"
785
-				 "Please disable either FIPS mode or MD5.",
786
-				 fips_mode);
787
-	}
788
-#endif
789
+
790
+	/* Intentionally skip initialization */
791
+	if (!isc_md5_available())
792
+		return (ISC_R_SUCCESS);
793
 
794
 #if PK11_FLAVOR != PK11_UTIMACO_FLAVOR
795
 	/*
796
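Review bot: The early `return (ISC_R_SUCCESS);` in `dst__hmacmd5_init()` skips registration without leaving any trace, and the hunk also deletes the only message that told an operator FIPS mode was the cause. A log line at this point would make a later "unsupported algorithm" failure diagnosable, and the comment should state that callers are expected to cope with the HMAC-MD5 slot being empty.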
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
797
index ec35f50..c80fabe 100644
798
--- a/lib/dns/opensslrsa_link.c
799
+++ b/lib/dns/opensslrsa_link.c
800
@@ -1812,6 +1812,12 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
801
 
802
 	if (*funcp == NULL) {
803
 		switch (algorithm) {
804
+#ifndef PK11_MD5_DISABLE
805
+		case DST_ALG_RSAMD5:
806
+			if (isc_md5_available())
807
+				*funcp = &opensslrsa_functions;
808
+			break;
809
+#endif
810
 		case DST_ALG_RSASHA256:
811
 #if defined(HAVE_EVP_SHA256) || !USE_EVP
812
 			*funcp = &opensslrsa_functions;
813
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
814
index 096c1a8..6c280bf 100644
815
--- a/lib/dns/pkcs11rsa_link.c
816
+++ b/lib/dns/pkcs11rsa_link.c
817
@@ -96,10 +96,15 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
818
 #endif
819
 
820
 	/*
821
-	 * Reject incorrect RSA key lengths.
822
+	 * Reject incorrect RSA key lengths or disabled algorithms.
823
 	 */
824
 	switch (dctx->key->key_alg) {
825
 	case DST_ALG_RSAMD5:
826
+#ifndef PK11_MD5_DISABLE
827
+		if (!isc_md5_available())
828
+			return (ISC_R_FAILURE);
829
+#endif
830
+		/* FALLTHROUGH */
831
 	case DST_ALG_RSASHA1:
832
 	case DST_ALG_NSEC3RSASHA1:
833
 		/* From RFC 3110 */
834
@@ -641,6 +646,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
835
 	switch (key->key_alg) {
836
 #ifndef PK11_MD5_DISABLE
837
 	case DST_ALG_RSAMD5:
838
+		if (!isc_md5_available())
839
+			return (ISC_R_FAILURE);
840
+	
841
 		mech.mechanism = CKM_MD5;
842
 		break;
843
 #endif
844
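Review bot: The blank line added after `return (ISC_R_FAILURE);` in `pkcs11rsa_createctx()` contains a stray tab, which `git diff --check` reports as a whitespace error. The disabled-MD5 case here, like the ones in the sign and verify hunks of this file, returns the generic `ISC_R_FAILURE`, while lib/dns/dst_parse.c returns `DST_R_UNSUPPORTEDALG` for the same condition; one result code across the patch would let callers tell a disabled algorithm from a real failure.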
@@ -799,6 +807,9 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
845
 	switch (key->key_alg) {
846
 #ifndef PK11_MD5_DISABLE
847
 	case DST_ALG_RSAMD5:
848
+		if (!isc_md5_available())
849
+			return (ISC_R_FAILURE);
850
+
851
 		der = md5_der;
852
 		derlen = sizeof(md5_der);
853
 		hashlen = ISC_MD5_DIGESTLENGTH;
854
@@ -1024,6 +1035,9 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
855
 	switch (key->key_alg) {
856
 #ifndef PK11_MD5_DISABLE
857
 	case DST_ALG_RSAMD5:
858
+		if (!isc_md5_available())
859
+			return (ISC_R_FAILURE);
860
+
861
 		der = md5_der;
862
 		derlen = sizeof(md5_der);
863
 		hashlen = ISC_MD5_DIGESTLENGTH;
864
@@ -2231,11 +2245,22 @@ static dst_func_t pkcs11rsa_functions = {
865
 };
866
 
867
 isc_result_t
868
-dst__pkcs11rsa_init(dst_func_t **funcp) {
869
+dst__pkcs11rsa_init(dst_func_t **funcp, unsigned char algorithm) {
870
 	REQUIRE(funcp != NULL);
871
 
872
-	if (*funcp == NULL)
873
-		*funcp = &pkcs11rsa_functions;
874
+	if (*funcp == NULL) {
875
+		switch (algorithm) {
876
+#ifndef PK11_MD5_DISABLE
877
+			case DST_ALG_RSAMD5:
878
+				if (isc_md5_available())
879
+					*funcp = &pkcs11rsa_functions;
880
+				break;
881
+#endif
882
+			default:
883
+				*funcp = &pkcs11rsa_functions;
884
+				break;
885
+		}
886
+	}
887
 	return (ISC_R_SUCCESS);
888
 }
889
 
890
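Review bot: The `case` and `default` labels in the new `switch (algorithm)` in `dst__pkcs11rsa_init()` are indented one level deeper than the `switch` itself, whereas the `case` labels elsewhere in this file, for example in `pkcs11rsa_createctx()`, line up with their `switch`. Re-indent the new block to match.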
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
891
index 9c42c50..f51d548 100644
892
--- a/lib/dns/rcode.c
893
+++ b/lib/dns/rcode.c
894
@@ -16,6 +16,7 @@
895
 #include <stdbool.h>
896
 
897
 #include <isc/buffer.h>
898
+#include <isc/md5.h>
899
 #include <isc/parseint.h>
900
 #include <isc/print.h>
901
 #include <isc/region.h>
902
@@ -357,17 +358,33 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
903
 	return (dns_mnemonic_totext(cert, target, certs));
904
 }
905
 
906
+static inline struct tbl *
907
+secalgs_tbl_start() {
908
+	struct tbl *algs = secalgs;
909
+
910
+#ifndef PK11_MD5_DISABLE
911
+	if (!isc_md5_available()) {
912
+		while (algs->name != NULL &&
913
+		       algs->value == DNS_KEYALG_RSAMD5)
914
+			++algs;
915
+	}
916
+#endif
917
+	return algs;
918
+}
919
+
920
 isc_result_t
921
 dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
922
 	unsigned int value;
923
-	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
924
+
925
+	RETERR(dns_mnemonic_fromtext(&value, source,
926
+	                             secalgs_tbl_start(), 0xff));
927
 	*secalgp = value;
928
 	return (ISC_R_SUCCESS);
929
 }
930
 
931
 isc_result_t
932
 dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
933
-	return (dns_mnemonic_totext(secalg, target, secalgs));
934
+	return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
935
 }
936
 
937
 void
938
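Review bot: `secalgs_tbl_start()` relies on the `DNS_KEYALG_RSAMD5` entry being the first row of `secalgs`, which deserves a comment next to the table or the function. Passing the shortened table to `dns_mnemonic_totext()` also changes output and not only parsing: `dns_secalg_totext()` will no longer find RSAMD5 in the table for existing data, so please confirm that is wanted. Minor points: declare it as `secalgs_tbl_start(void)`, and the continuation line in `dns_secalg_fromtext()` is indented with spaces after the tab.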
diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
939
index f9ac6d0..241e17e 100644
940
--- a/lib/dns/tests/rsa_test.c
941
+++ b/lib/dns/tests/rsa_test.c
942
@@ -27,6 +27,7 @@
943
 #define UNIT_TESTING
944
 #include <cmocka.h>
945
 
946
+#include <isc/md5.h>
947
 #include <isc/util.h>
948
 #include <isc/print.h>
949
 
950
@@ -248,6 +249,8 @@ isc_rsa_verify_test(void **state) {
951
 	/* RSAMD5 */
952
 
953
 #ifndef PK11_MD5_DISABLE
954
+	if (isc_md5_available()) {
955
+		/* wrong indentation is kept for diff minimization */
956
 	key->key_alg = DST_ALG_RSAMD5;
957
 
958
 	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
959
@@ -265,6 +268,7 @@ isc_rsa_verify_test(void **state) {
960
 	assert_int_equal(ret, ISC_R_SUCCESS);
961
 
962
 	dst_context_destroy(&ctx);
963
+	}
964
 #endif
965
 
966
 	/* RSASHA256 */
967
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
968
index 11d011a..feb2068 100644
969
--- a/lib/dns/tests/tsig_test.c
970
+++ b/lib/dns/tests/tsig_test.c
971
@@ -25,6 +25,7 @@
972
 #define UNIT_TESTING
973
 #include <cmocka.h>
974
 
975
+#include <isc/md5.h>
976
 #include <isc/mem.h>
977
 #include <isc/print.h>
978
 #include <isc/util.h>
979
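Review bot: The only change to this file is the new `#include <isc/md5.h>`; nothing in the diff gates a test on `isc_md5_available()`. Either add the guard the include was meant for, or drop the include.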
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
980
index 89cfc79..d07364a 100644
981
--- a/lib/dns/tkey.c
982
+++ b/lib/dns/tkey.c
983
@@ -245,6 +245,9 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
984
 	unsigned char digests[32];
985
 	unsigned int i;
986
 
987
+	if (!isc_md5_available())
988
+		return (ISC_R_NOTIMPLEMENTED);
989
+
990
 	isc_buffer_usedregion(shared, &r);
991
 
992
 	/*
993
@@ -321,6 +324,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
994
 	}
995
 
996
 #ifndef PK11_MD5_DISABLE
997
+	if (!isc_md5_available()) {
998
+		tkey_log("process_dhtkey: MD5 was disabled");
999
+		tkeyout->error = dns_tsigerror_badalg;
1000
+		return (ISC_R_SUCCESS);
1001
+	}
1002
+
1003
 	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
1004
 		tkey_log("process_dhtkey: algorithms other than "
1005
 			 "hmac-md5 are not supported");
1006
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
1007
index 9d8ead4..0c82f65 100644
1008
--- a/lib/dns/tsec.c
1009
+++ b/lib/dns/tsec.c
1010
@@ -11,6 +11,7 @@
1011
 
1012
 #include <config.h>
1013
 
1014
+#include <isc/md5.h>
1015
 #include <isc/mem.h>
1016
 #include <isc/util.h>
1017
 
1018
@@ -63,7 +64,12 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
1019
 		switch (dst_key_alg(key)) {
1020
 #ifndef PK11_MD5_DISABLE
1021
 		case DST_ALG_HMACMD5:
1022
-			algname = dns_tsig_hmacmd5_name;
1023
+			if (isc_md5_available()) {
1024
+				algname = dns_tsig_hmacmd5_name;
1025
+			} else {
1026
+				isc_mem_put(mctx, tsec, sizeof(*tsec));
1027
+				return (DNS_R_BADALG);
1028
+			}
1029
 			break;
1030
 #endif
1031
 		case DST_ALG_HMACSHA1:
1032
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
1033
index 58c1104..00ee1e1 100644
1034
--- a/lib/dns/tsig.c
1035
+++ b/lib/dns/tsig.c
1036
@@ -273,7 +273,8 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
1037
 	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
1038
 
1039
 #ifndef PK11_MD5_DISABLE
1040
-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
1041
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) &&
1042
+	    isc_md5_available()) {
1043
 		tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
1044
 		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
1045
 			ret = DNS_R_BADALG;
1046
@@ -499,7 +500,8 @@ destroyring(dns_tsig_keyring_t *ring) {
1047
 static unsigned int
1048
 dst_alg_fromname(dns_name_t *algorithm) {
1049
 #ifndef PK11_MD5_DISABLE
1050
-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
1051
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) &&
1052
+	    isc_md5_available()) {
1053
 		return (DST_ALG_HMACMD5);
1054
 	} else
1055
 #endif
1056
@@ -683,7 +685,8 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
1057
 		REQUIRE(secret != NULL);
1058
 
1059
 #ifndef PK11_MD5_DISABLE
1060
-	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
1061
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) &&
1062
+	    isc_md5_available()) {
1063
 		if (secret != NULL) {
1064
 			isc_buffer_t b;
1065
 
1066
@@ -1291,7 +1294,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
1067
 		return (ret);
1068
 	if (
1069
 #ifndef PK11_MD5_DISABLE
1070
-	    alg == DST_ALG_HMACMD5 ||
1071
+	    (alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
1072
 #endif
1073
 	    alg == DST_ALG_HMACSHA1 ||
1074
 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
1075
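Review bot: the predicate `(alg == DST_ALG_HMACMD5 && isc_md5_available())` added here is repeated verbatim in three more hunks of this file (once more in dns_tsig_verify and twice in tsig_verify_tcp). A small static helper would keep the four sites from drifting apart and would make the surrounding `#ifndef PK11_MD5_DISABLE` blocks easier to read.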
@@ -1460,7 +1463,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
1076
 
1077
 	if (
1078
 #ifndef PK11_MD5_DISABLE
1079
-	    alg == DST_ALG_HMACMD5 ||
1080
+	    (alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
1081
 #endif
1082
 	    alg == DST_ALG_HMACSHA1 ||
1083
 	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
1084
@@ -1601,7 +1604,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
1085
 			goto cleanup_querystruct;
1086
 		if (
1087
 #ifndef PK11_MD5_DISABLE
1088
-			alg == DST_ALG_HMACMD5 ||
1089
+			(alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
1090
 #endif
1091
 			alg == DST_ALG_HMACSHA1 ||
1092
 			alg == DST_ALG_HMACSHA224 ||
1093
@@ -1780,7 +1783,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
1094
 			goto cleanup_context;
1095
 		if (
1096
 #ifndef PK11_MD5_DISABLE
1097
-			alg == DST_ALG_HMACMD5 ||
1098
+			(alg == DST_ALG_HMACMD5 && isc_md5_available()) ||
1099
 #endif
1100
 			alg == DST_ALG_HMACSHA1 ||
1101
 			alg == DST_ALG_HMACSHA224 ||
1102
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
1103
index 4d29398..e3f5cec 100644
1104
--- a/lib/isc/include/isc/md5.h
1105
+++ b/lib/isc/include/isc/md5.h
1106
@@ -91,6 +91,9 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
1107
 bool
1108
 isc_md5_check(bool testing);
1109
 
1110
+bool
1111
+isc_md5_available(void);
1112
+
1113
 ISC_LANG_ENDDECLS
1114
 
1115
 #endif /* !PK11_MD5_DISABLE */
1116
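Review bot: the new isc_md5_available() prototype has no comment, and its contract is not obvious from the name. Document that it is a runtime probe (as opposed to the compile-time PK11_MD5_DISABLE switch that guards the declaration) and that callers must check it before using the isc_md5_* and isc_hmacmd5_* functions.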
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
1117
index 249f3da..628a414 100644
1118
--- a/lib/isc/md5.c
1119
+++ b/lib/isc/md5.c
1120
@@ -37,6 +37,7 @@
1121
 
1122
 #include <isc/assertions.h>
1123
 #include <isc/md5.h>
1124
+#include <isc/once.h>
1125
 #include <isc/platform.h>
1126
 #include <isc/safe.h>
1127
 #include <isc/string.h>
1128
@@ -54,6 +55,9 @@
1129
 #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
1130
 #endif
1131
 
1132
+static isc_once_t available_once = ISC_ONCE_INIT;
1133
+static bool available = false;
1134
+
1135
 void
1136
 isc_md5_init(isc_md5_t *ctx) {
1137
 	ctx->ctx = EVP_MD_CTX_new();
1138
@@ -85,8 +89,33 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
1139
 	ctx->ctx = NULL;
1140
 }
1141
 
1142
+static void
1143
+do_detect_available() {
1144
+	isc_md5_t local;
1145
+	isc_md5_t *ctx = &local;
1146
+	unsigned char digest[ISC_MD5_DIGESTLENGTH];
1147
+
1148
+	ctx->ctx = EVP_MD_CTX_new();
1149
+	RUNTIME_CHECK(ctx->ctx != NULL);
1150
+	available = (EVP_DigestInit(ctx->ctx, EVP_md5()) == 1);
1151
+	if (available)
1152
+		(void)EVP_DigestFinal(ctx->ctx, digest, NULL);
1153
+	EVP_MD_CTX_free(ctx->ctx);
1154
+	ctx->ctx = NULL;
1155
+}
1156
+
1157
+bool
1158
+isc_md5_available() {
1159
+	RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available)
1160
+		      == ISC_R_SUCCESS);
1161
+	return available;
1162
+}
1163
+
1164
 #elif PKCS11CRYPTO
1165
 
1166
+static isc_once_t available_once = ISC_ONCE_INIT;
1167
+static bool available = false;
1168
+
1169
 void
1170
 isc_md5_init(isc_md5_t *ctx) {
1171
 	CK_RV rv;
1172
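Review bot: do_detect_available() and isc_md5_available() are defined with empty parentheses, while the header declares `isc_md5_available(void)`. In C an empty parameter list is not a prototype, so use `(void)` in the definitions as well. `return available;` also departs from the `return (x);` style used elsewhere in this patch, and the `local`/`ctx` indirection can be reduced to a plain `EVP_MD_CTX *`, since nothing else in isc_md5_t is touched.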
@@ -129,6 +158,31 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
1173
 	pk11_return_session(ctx);
1174
 }
1175
 
1176
+static void
1177
+do_detect_available() {
1178
+	isc_md5_t local;
1179
+	isc_md5_t *ctx = &local;
1180
+	CK_RV rv;
1181
+	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
1182
+
1183
+	if (pk11_get_session(ctx, OP_DIGEST, true, false,
1184
+				       false, NULL, 0) == ISC_R_SUCCESS)
1185
+	{
1186
+		rv = pkcs_C_DigestInit(ctx->session, &mech);
1187
+		isc_md5_invalidate(ctx);
1188
+		available = (rv == CKR_OK);
1189
+	} else {
1190
+		available = false;
1191
+	}
1192
+}
1193
+
1194
+bool
1195
+isc_md5_available() {
1196
+	RUNTIME_CHECK(isc_once_do(&available_once, do_detect_available)
1197
+		      == ISC_R_SUCCESS);
1198
+	return available;
1199
+}
1200
+
1201
 #else
1202
 
1203
 static void
1204
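Review bot: in the PKCS#11 do_detect_available(), isc_md5_invalidate(ctx) is called whether or not pkcs_C_DigestInit succeeded. If invalidate finalises a digest operation before returning the session, doing so after a failed init is questionable. Consider calling pk11_return_session(ctx) directly when `rv != CKR_OK`, and keep invalidate for the success path only.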
@@ -338,6 +392,11 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
1205
 	memmove(digest, ctx->buf, 16);
1206
 	isc_safe_memwipe(ctx, sizeof(*ctx));	/* In case it's sensitive */
1207
 }
1208
+
1209
+bool
1210
+isc_md5_available() {
1211
+	return true;
1212
+}
1213
 #endif
1214
 
1215
 /*
1216
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
1217
index 0d5b009..7809e7b 100644
1218
--- a/lib/isc/pk11.c
1219
+++ b/lib/isc/pk11.c
1220
@@ -197,8 +197,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
1221
 	UNLOCK(&alloclock);
1222
 	if (initialized) {
1223
 		goto unlock;
1224
-	} else {
1225
-		initialized = true;
1226
 	}
1227
 
1228
 	ISC_LIST_INIT(tokens);
1229
@@ -238,6 +236,7 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) {
1230
 	}
1231
 #endif
1232
 #endif /* PKCS11CRYPTO */
1233
+	initialized = true;
1234
  unlock:
1235
 	UNLOCK(&sessionlock);
1236
 	return (result);
1237
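Review bot: `initialized = true` now runs on fall-through into `unlock:` whatever `result` holds at that point. If any step above can leave a non-success `result` without jumping to `unlock`, the library is marked initialized after a failed setup and later calls will take the early `goto unlock` path. Guarding the assignment with `result == ISC_R_SUCCESS` would make the intent explicit.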
@@ -589,6 +588,8 @@ scan_slots(void) {
1238
 	pk11_token_t *token;
1239
 	unsigned int i;
1240
 	bool bad;
1241
+	unsigned int best_rsa_algorithms = 0;
1242
+	unsigned int best_digest_algorithms = 0;
1243
 
1244
 	slotCount = 0;
1245
 	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
1246
@@ -601,6 +602,8 @@ scan_slots(void) {
1247
 	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
1248
 
1249
 	for (i = 0; i < slotCount; i++) {
1250
+		unsigned int rsa_algorithms = 0;
1251
+		unsigned int digest_algorithms = 0;
1252
 		slot = slotList[i];
1253
 		PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
1254
 
1255
@@ -640,11 +643,12 @@ scan_slots(void) {
1256
 		if ((rv != CKR_OK) ||
1257
 		    ((mechInfo.flags & CKF_SIGN) == 0) ||
1258
 		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
1259
-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
1260
-			bad = true;
1261
-#endif
1262
 			PK11_TRACEM(CKM_MD5_RSA_PKCS);
1263
 		}
1264
+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
1265
+		else
1266
+			++rsa_algorithms;
1267
+#endif
1268
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
1269
 					     &mechInfo);
1270
 		if ((rv != CKR_OK) ||
1271
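Review bot: the `else ++rsa_algorithms;` added after the CKM_MD5_RSA_PKCS check attaches to the closing brace of the `if` across a preprocessor conditional and has no braces of its own. That is easy to break in a later edit. Putting the counter inside the `#if` as a braced `else { ... }`, or inverting the test so the increment sits in its own `if`, reads more safely. The same construct is used for CKM_MD5 and CKM_MD5_HMAC further down.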
@@ -687,8 +691,14 @@ scan_slots(void) {
1272
 		if (bad)
1273
 			goto try_dsa;
1274
 		token->operations |= 1 << OP_RSA;
1275
-		if (best_rsa_token == NULL)
1276
+		if (best_rsa_token == NULL) {
1277
 			best_rsa_token = token;
1278
+			best_rsa_algorithms = rsa_algorithms;
1279
+		} else if (rsa_algorithms > best_rsa_algorithms) {
1280
+			pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token));
1281
+			best_rsa_token = token;
1282
+			best_rsa_algorithms = rsa_algorithms;
1283
+		}
1284
 
1285
 	try_dsa:
1286
 		bad = false;
1287
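Review bot: `pk11_mem_put(best_rsa_token, sizeof(*best_rsa_token))` frees the previously selected token when a slot with more RSA mechanisms is found, but that token may still be referenced elsewhere. Each token carries an `operations` bitmask and the loop continues to `try_dsa` for the same token, so an earlier token can already have been chosen for other operations. Either replace the pointer without freeing, or show that nothing else holds the old token. The digest_token replacement later in this patch follows the same pattern.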
@@ -756,11 +766,12 @@ scan_slots(void) {
1288
 		bad = false;
1289
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
1290
 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
1291
-#ifndef PK11_MD5_DISABLE
1292
-			bad = true;
1293
-#endif
1294
 			PK11_TRACEM(CKM_MD5);
1295
 		}
1296
+#ifndef PK11_MD5_DISABLE
1297
+		else
1298
+			++digest_algorithms;
1299
+#endif
1300
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
1301
 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
1302
 			bad = true;
1303
@@ -788,11 +799,12 @@ scan_slots(void) {
1304
 		}
1305
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
1306
 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
1307
-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
1308
-			bad = true;
1309
-#endif
1310
 			PK11_TRACEM(CKM_MD5_HMAC);
1311
 		}
1312
+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
1313
+		else
1314
+			++digest_algorithms;
1315
+#endif
1316
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
1317
 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
1318
 #ifndef PK11_SHA_1_HMAC_REPLACE
1319
@@ -830,8 +842,14 @@ scan_slots(void) {
1320
 		}
1321
 		if (!bad) {
1322
 			token->operations |= 1 << OP_DIGEST;
1323
-			if (digest_token == NULL)
1324
+			if (digest_token == NULL) {
1325
 				digest_token = token;
1326
+				best_digest_algorithms = digest_algorithms;
1327
+			} else if (digest_algorithms > best_digest_algorithms) {
1328
+				pk11_mem_put(digest_token, sizeof(*digest_token));
1329
+				digest_token = token;
1330
+				best_digest_algorithms = digest_algorithms;
1331
+			}
1332
 		}
1333
 
1334
 		/* ECDSA requires digest */
1335
diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
1336
index 31ced94..421131e 100644
1337
--- a/lib/isc/tests/hash_test.c
1338
+++ b/lib/isc/tests/hash_test.c
1339
@@ -775,6 +775,9 @@ isc_md5_test(void **state) {
1340
 
1341
 	UNUSED(state);
1342
 
1343
+	if (!isc_md5_available())
1344
+		return;
1345
+
1346
 	/*
1347
 	 * These are the various test vectors.  All of these are passed
1348
 	 * through the hash function and the results are compared to the
1349
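Review bot: returning early from isc_md5_test when isc_md5_available() is false makes the test report as passed although nothing was checked. These are cmocka tests, so calling `skip()` instead of `return` would show in the results that the MD5 vectors were not exercised. The same applies to isc_hmacmd5_test and md5_check_test below.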
@@ -1630,6 +1633,9 @@ isc_hmacmd5_test(void **state) {
1350
 
1351
 	UNUSED(state);
1352
 
1353
+	if (!isc_md5_available())
1354
+		return;
1355
+
1356
 	/*
1357
 	 * These are the various test vectors.  All of these are passed
1358
 	 * through the hash function and the results are compared to the
1359
@@ -1940,6 +1946,9 @@ static void
1360
 md5_check_test(void **state) {
1361
 	UNUSED(state);
1362
 
1363
+	if (!isc_md5_available())
1364
+		return;
1365
+
1366
 	assert_true(isc_md5_check(false));
1367
 	assert_false(isc_md5_check(true));
1368
 
1369
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
1370
index c2740cb..c314d76 100644
1371
--- a/lib/isccc/cc.c
1372
+++ b/lib/isccc/cc.c
1373
@@ -272,11 +272,15 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac,
1374
 	switch (algorithm) {
1375
 #ifndef PK11_MD5_DISABLE
1376
 	case ISCCC_ALG_HMACMD5:
1377
-		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
1378
-				 REGION_SIZE(*secret));
1379
-		isc_hmacmd5_update(&ctx.hmd5, data, length);
1380
-		isc_hmacmd5_sign(&ctx.hmd5, digest);
1381
-		source.rend = digest + ISC_MD5_DIGESTLENGTH;
1382
+		if (isc_md5_available()) {
1383
+			isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
1384
+					 REGION_SIZE(*secret));
1385
+			isc_hmacmd5_update(&ctx.hmd5, data, length);
1386
+			isc_hmacmd5_sign(&ctx.hmd5, digest);
1387
+			source.rend = digest + ISC_MD5_DIGESTLENGTH;
1388
+		} else {
1389
+			return (ISC_R_FAILURE);
1390
+		}
1391
 		break;
1392
 #endif
1393
 
1394
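Review bot: sign() returns ISC_R_FAILURE when HMAC-MD5 is requested but unavailable, while isccc_cc_towire in the next hunk returns ISC_R_NOTIMPLEMENTED for the same condition. Pick one result code so callers and log messages can distinguish "algorithm not usable on this system" from a genuine signing failure.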
@@ -350,14 +354,18 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
1395
 {
1396
 	unsigned int hmac_base, signed_base;
1397
 	isc_result_t result;
1398
+	const bool md5 = (algorithm == ISCCC_ALG_HMACMD5);
1399
 
1400
 #ifndef PK11_MD5_DISABLE
1401
+	if (md5 && !isc_md5_available())
1402
+		return (ISC_R_NOTIMPLEMENTED);
1403
+
1404
 	result = isc_buffer_reserve(buffer,
1405
-				    4 + ((algorithm == ISCCC_ALG_HMACMD5) ?
1406
+				    4 + ((md5) ?
1407
 					 sizeof(auth_hmd5) :
1408
 					 sizeof(auth_hsha)));
1409
 #else
1410
-	if (algorithm == ISCCC_ALG_HMACMD5)
1411
+	if (md5)
1412
 		return (ISC_R_NOTIMPLEMENTED);
1413
 	result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
1414
 #endif
1415
@@ -376,7 +384,7 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
1416
 		 * we know what it is.
1417
 		 */
1418
 #ifndef PK11_MD5_DISABLE
1419
-		if (algorithm == ISCCC_ALG_HMACMD5) {
1420
+		if (md5) {
1421
 			hmac_base = (*buffer)->used + HMD5_OFFSET;
1422
 			isc_buffer_putmem(*buffer,
1423
 					  auth_hmd5, sizeof(auth_hmd5));
1424
@@ -442,7 +450,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
1425
 	if (!isccc_alist_alistp(_auth))
1426
 		return (ISC_R_FAILURE);
1427
 #ifndef PK11_MD5_DISABLE
1428
-	if (algorithm == ISCCC_ALG_HMACMD5)
1429
+	if (algorithm == ISCCC_ALG_HMACMD5 && isc_md5_available())
1430
 		hmac = isccc_alist_lookup(_auth, "hmd5");
1431
 	else
1432
 #endif
1433
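Review bot: in verify(), an ISCCC_ALG_HMACMD5 message with MD5 unavailable now fails the first test and takes the `else` branch, so the lookup is done for the non-MD5 authenticator before the switch in the next hunk finally returns ISC_R_FAILURE. Rejecting the message up front, before any lookup, would be clearer and would not depend on what the else branch happens to find.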
@@ -457,12 +465,16 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
1434
 	switch (algorithm) {
1435
 #ifndef PK11_MD5_DISABLE
1436
 	case ISCCC_ALG_HMACMD5:
1437
-		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
1438
-				 REGION_SIZE(*secret));
1439
-		isc_hmacmd5_update(&ctx.hmd5, data, length);
1440
-		isc_hmacmd5_sign(&ctx.hmd5, digest);
1441
-		source.rend = digest + ISC_MD5_DIGESTLENGTH;
1442
-		break;
1443
+		if (isc_md5_available()) {
1444
+			isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
1445
+					 REGION_SIZE(*secret));
1446
+			isc_hmacmd5_update(&ctx.hmd5, data, length);
1447
+			isc_hmacmd5_sign(&ctx.hmd5, digest);
1448
+			source.rend = digest + ISC_MD5_DIGESTLENGTH;
1449
+			break;
1450
+		} else {
1451
+			return (ISC_R_FAILURE);
1452
+		}
1453
 #endif
1454
 
1455
 	case ISCCC_ALG_HMACSHA1:
... ... ---
1456
2.20.1
1457
view file @ d5fe0dbac2
... ... --- a/bind-9.11-fips-tests.patch
... ... +++ b/bind-9.11-fips-tests.patch
... ... @@ -1,4 +1,4 @@
1
From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001
1
From 9575852be2344244ac182d7d019869406d3bd963 Mon Sep 17 00:00:00 2001
2 2
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
3 3
Date: Thu, 2 Aug 2018 23:46:45 +0200
4 4
Subject: [PATCH] FIPS tests changes
... ... @@ -73,44 +73,32 @@ Date: Wed Mar 7 10:44:23 2018 +0100
73 73
 .../system/allow-query/ns2/named40.conf.in    |  4 +-
74 74
 bin/tests/system/allow-query/tests.sh         | 18 ++---
75 75
 bin/tests/system/catz/ns1/named.conf.in       |  2 +-
76
 bin/tests/system/catz/ns2/named.conf.in       |  2 +-
76
 bin/tests/system/catz/ns2/named1.conf.in      |  2 +-
77
 bin/tests/system/catz/ns2/named2.conf.in      |  2 +-
77 78
 bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
78 79
 bin/tests/system/checkconf/good.conf          |  2 +-
79
 bin/tests/system/digdelv/ns2/example.db       | 15 +++--
80
 bin/tests/system/digdelv/tests.sh             | 20 +++---
81
 bin/tests/system/dlv/ns1/sign.sh              |  4 +-
82
 bin/tests/system/dlv/ns2/sign.sh              |  4 +-
83
 bin/tests/system/dlv/ns6/sign.sh              | 66 +++++++++---------
84
 bin/tests/system/dnssec/ns2/sign.sh           |  8 +--
85
 bin/tests/system/dnssec/ns5/trusted.conf.bad  |  2 +-
86
 bin/tests/system/dnssec/tests.sh              |  4 +-
87 80
 bin/tests/system/feature-test.c               | 14 ++++
88
 bin/tests/system/filter-aaaa/ns1/sign.sh      |  4 +-
89
 bin/tests/system/filter-aaaa/ns4/sign.sh      |  4 +-
90 81
 bin/tests/system/notify/ns5/named.conf.in     |  6 +-
91 82
 bin/tests/system/notify/tests.sh              |  6 +-
92 83
 bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
93 84
 bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
94
 bin/tests/system/nsupdate/setup.sh            |  7 +-
95
 bin/tests/system/nsupdate/tests.sh            | 11 ++-
85
 bin/tests/system/nsupdate/setup.sh            |  6 +-
86
 bin/tests/system/nsupdate/tests.sh            | 15 +++--
96 87
 bin/tests/system/rndc/setup.sh                |  2 +-
97 88
 bin/tests/system/rndc/tests.sh                | 23 ++++---
98
 bin/tests/system/tsig/clean.sh                |  1 +
99 89
 bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
90
 bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++
100 91
 bin/tests/system/tsig/setup.sh                |  5 ++
101
 bin/tests/system/tsig/tests.sh                | 67 ++++++++++++-------
102
 bin/tests/system/tsiggss/setup.sh             |  2 +-
92
 bin/tests/system/tsig/tests.sh                | 65 ++++++++++++-------
103 93
 bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
104 94
 bin/tests/system/upforwd/tests.sh             |  2 +-
105
 bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
106
 45 files changed, 232 insertions(+), 171 deletions(-)
95
 34 files changed, 163 insertions(+), 109 deletions(-)
107 96
 create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
108 97
109
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
110
index 0ea6502..026db3f 100644
111
--- a/bin/tests/system/acl/ns2/named1.conf.in
112
+++ b/bin/tests/system/acl/ns2/named1.conf.in
113
@@ -33,12 +33,12 @@ options {
98
diff -ruN a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
99
--- a/bin/tests/system/acl/ns2/named1.conf.in	2022-11-08 01:12:59.000000000 +0300
100
+++ b/bin/tests/system/acl/ns2/named1.conf.in	2022-12-01 06:09:13.933835878 +0300
101
@@ -35,12 +35,12 @@
114 102
 };
115 103
 
116 104
 key one {
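Review bot: the diffstat in this hunk drops the dlv, dnssec, digdelv, filter-aaaa and tsiggss entries (45 files changed down to 34) and the patch header gives no reason. State whether those tests no longer exist in the new base or are simply no longer converted, because any hmac-md5 use left in them is exactly what this patch is meant to remove. The per-file headers also change from `diff --git` with index lines to `diff -ruN` with local timestamps, which will make every future refresh of this patch noisier to review.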
... ... @@ -125,11 +113,10 @@ index 0ea6502..026db3f 100644
113 113
 	secret "1234abcd8765";
114 114
 };
115 115
 
116
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
117
index b877880..d8f50be 100644
118
--- a/bin/tests/system/acl/ns2/named2.conf.in
119
+++ b/bin/tests/system/acl/ns2/named2.conf.in
120
@@ -33,12 +33,12 @@ options {
116
diff -ruN a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
117
--- a/bin/tests/system/acl/ns2/named2.conf.in	2022-11-08 01:12:59.000000000 +0300
118
+++ b/bin/tests/system/acl/ns2/named2.conf.in	2022-12-01 06:09:13.933835878 +0300
119
@@ -35,12 +35,12 @@
121 120
 };
122 121
 
123 122
 key one {
... ... @@ -144,11 +131,10 @@ index b877880..d8f50be 100644
131 131
 	secret "1234abcd8765";
132 132
 };
133 133
 
134
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
135
index 0a95062..aa54088 100644
136
--- a/bin/tests/system/acl/ns2/named3.conf.in
137
+++ b/bin/tests/system/acl/ns2/named3.conf.in
138
@@ -33,17 +33,17 @@ options {
134
diff -ruN a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
135
--- a/bin/tests/system/acl/ns2/named3.conf.in	2022-11-08 01:12:59.000000000 +0300
136
+++ b/bin/tests/system/acl/ns2/named3.conf.in	2022-12-01 06:09:13.933835878 +0300
137
@@ -35,17 +35,17 @@
139 138
 };
140 139
 
141 140
 key one {
... ... @@ -169,11 +155,10 @@ index 0a95062..aa54088 100644
155 155
 	secret "1234abcd8765";
156 156
 };
157 157
 
158
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
159
index 7cdcb6e..606a345 100644
160
--- a/bin/tests/system/acl/ns2/named4.conf.in
161
+++ b/bin/tests/system/acl/ns2/named4.conf.in
162
@@ -33,12 +33,12 @@ options {
158
diff -ruN a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
159
--- a/bin/tests/system/acl/ns2/named4.conf.in	2022-11-08 01:12:59.000000000 +0300
160
+++ b/bin/tests/system/acl/ns2/named4.conf.in	2022-12-01 06:09:13.933835878 +0300
161
@@ -35,12 +35,12 @@
163 162
 };
164 163
 
165 164
 key one {
... ... @@ -188,11 +173,10 @@ index 7cdcb6e..606a345 100644
173 173
 	secret "1234abcd8765";
174 174
 };
175 175
 
176
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
177
index 4b4e050..0e679a8 100644
178
--- a/bin/tests/system/acl/ns2/named5.conf.in
179
+++ b/bin/tests/system/acl/ns2/named5.conf.in
180
@@ -34,12 +34,12 @@ options {
176
diff -ruN a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
177
--- a/bin/tests/system/acl/ns2/named5.conf.in	2022-11-08 01:12:59.000000000 +0300
178
+++ b/bin/tests/system/acl/ns2/named5.conf.in	2022-12-01 06:09:13.933835878 +0300
179
@@ -37,12 +37,12 @@
181 180
 };
182 181
 
183 182
 key one {
... ... @@ -207,11 +191,10 @@ index 4b4e050..0e679a8 100644
191 191
 	secret "1234abcd8765";
192 192
 };
193 193
 
194
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
195
index 09f31f2..f88f0d4 100644
196
--- a/bin/tests/system/acl/tests.sh
197
+++ b/bin/tests/system/acl/tests.sh
198
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
194
diff -ruN a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
195
--- a/bin/tests/system/acl/tests.sh	2022-11-08 01:12:59.000000000 +0300
196
+++ b/bin/tests/system/acl/tests.sh	2022-12-01 06:09:13.934835884 +0300
197
@@ -24,14 +24,14 @@
199 198
 # key "one" should fail
200 199
 t=`expr $t + 1`
201 200
 $DIG $DIGOPTS tsigzone. \
... ... @@ -228,7 +211,7 @@ index 09f31f2..f88f0d4 100644
211 211
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
212 212
 
213 213
 copy_setports ns2/named2.conf.in ns2/named.conf
214
@@ -39,18 +39,18 @@ sleep 5
214
@@ -41,18 +41,18 @@
215 215
 # prefix 10/8 should fail
216 216
 t=`expr $t + 1`
217 217
 $DIG $DIGOPTS tsigzone. \
... ... @@ -250,7 +233,7 @@ index 09f31f2..f88f0d4 100644
233 233
 grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
234 234
 
235 235
 echo_i "testing nested ACL processing"
236
@@ -62,31 +62,31 @@ sleep 5
236
@@ -64,31 +64,31 @@
237 237
 # should succeed
238 238
 t=`expr $t + 1`
239 239
 $DIG $DIGOPTS tsigzone. \
... ... @@ -287,7 +270,7 @@ index 09f31f2..f88f0d4 100644
270 270
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
271 271
 
272 272
 t=`expr $t + 1`
273
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
273
@@ -99,7 +99,7 @@
274 274
 # and other values? right out
275 275
 t=`expr $t + 1`
276 276
 $DIG $DIGOPTS tsigzone. \
... ... @@ -296,7 +279,7 @@ index 09f31f2..f88f0d4 100644
279 279
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
280 280
 
281 281
 # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
282
@@ -108,31 +108,31 @@ sleep 5
282
@@ -110,31 +110,31 @@
283 283
 # should succeed
284 284
 t=`expr $t + 1`
285 285
 $DIG $DIGOPTS tsigzone. \
... ... @@ -333,12 +316,11 @@ index 09f31f2..f88f0d4 100644
316 316
 grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
317 317
 
318 318
 echo_i "testing allow-query-on ACL processing"
319
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
320
index 1569913..e9c5c2d 100644
321
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
322
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
319
diff -ruN a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
320
--- a/bin/tests/system/allow-query/ns2/named10.conf.in	2022-11-08 01:12:59.000000000 +0300
321
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in	2022-12-01 06:09:13.934835884 +0300
323 322
@@ -12,7 +12,7 @@
324
 controls { /* empty */ };
323
  */
325 324
 
326 325
 key one {
327 326
-	algorithm hmac-md5;
... ... @@ -346,12 +328,11 @@ index 1569913..e9c5c2d 100644
328 328
 	secret "1234abcd8765";
329 329
 };
330 330
 
331
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
332
index 18ac91c..2b1c873 100644
333
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
334
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
331
diff -ruN a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
332
--- a/bin/tests/system/allow-query/ns2/named11.conf.in	2022-11-08 01:12:59.000000000 +0300
333
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in	2022-12-01 06:09:13.934835884 +0300
335 334
@@ -12,12 +12,12 @@
336
 controls { /* empty */ };
335
  */
337 336
 
338 337
 key one {
339 338
-	algorithm hmac-md5;
... ... @@ -365,12 +346,11 @@ index 18ac91c..2b1c873 100644
346 346
 	secret "1234efgh8765";
347 347
 };
348 348
 
349
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
350
index b824844..dd48945 100644
351
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
352
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
349
diff -ruN a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
350
--- a/bin/tests/system/allow-query/ns2/named12.conf.in	2022-11-08 01:12:59.000000000 +0300
351
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in	2022-12-01 06:09:13.934835884 +0300
353 352
@@ -12,7 +12,7 @@
354
 controls { /* empty */ };
353
  */
355 354
 
356 355
 key one {
357 356
-	algorithm hmac-md5;
... ... @@ -378,12 +358,11 @@ index b824844..dd48945 100644
358 358
 	secret "1234abcd8765";
359 359
 };
360 360
 
361
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
362
index aeb1540..bfce58b 100644
363
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
364
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
361
diff -ruN a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
362
--- a/bin/tests/system/allow-query/ns2/named30.conf.in	2022-11-08 01:12:59.000000000 +0300
363
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in	2022-12-01 06:09:13.934835884 +0300
365 364
@@ -12,7 +12,7 @@
366
 controls { /* empty */ };
365
  */
367 366
 
368 367
 key one {
369 368
-	algorithm hmac-md5;
... ... @@ -391,12 +370,11 @@ index aeb1540..bfce58b 100644
370 370
 	secret "1234abcd8765";
371 371
 };
372 372
 
373
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
374
index d4b7432..e0f5252 100644
375
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
376
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
373
diff -ruN a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
374
--- a/bin/tests/system/allow-query/ns2/named31.conf.in	2022-11-08 01:12:59.000000000 +0300
375
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in	2022-12-01 06:09:13.934835884 +0300
377 376
@@ -12,12 +12,12 @@
378
 controls { /* empty */ };
377
  */
379 378
 
380 379
 key one {
381 380
-	algorithm hmac-md5;
... ... @@ -410,12 +388,11 @@ index d4b7432..e0f5252 100644
388 388
 	secret "1234efgh8765";
389 389
 };
390 390
 
391
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
392
index c025938..87afb3f 100644
393
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
394
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
391
diff -ruN a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
392
--- a/bin/tests/system/allow-query/ns2/named32.conf.in	2022-11-08 01:12:59.000000000 +0300
393
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in	2022-12-01 06:09:13.935835890 +0300
395 394
@@ -12,7 +12,7 @@
396
 controls { /* empty */ };
395
  */
397 396
 
398 397
 key one {
399 398
-	algorithm hmac-md5;
... ... @@ -423,11 +400,10 @@ index c025938..87afb3f 100644
400 400
 	secret "1234abcd8765";
401 401
 };
402 402
 
403
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
404
index d83b376..d726b94 100644
405
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
406
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
407
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
403
diff -ruN a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
404
--- a/bin/tests/system/allow-query/ns2/named40.conf.in	2022-11-08 01:12:59.000000000 +0300
405
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in	2022-12-01 06:09:13.935835890 +0300
406
@@ -16,12 +16,12 @@
408 407
 acl badaccept { 10.53.0.1; };
409 408
 
410 409
 key one {
... ... @@ -442,11 +418,10 @@ index d83b376..d726b94 100644
418 418
 	secret "1234efgh8765";
419 419
 };
420 420
 
421
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
422
index fb6059d..f960156 100644
423
--- a/bin/tests/system/allow-query/tests.sh
424
+++ b/bin/tests/system/allow-query/tests.sh
425
@@ -190,7 +190,7 @@ rndc_reload
421
diff -ruN a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
422
--- a/bin/tests/system/allow-query/tests.sh	2022-11-08 01:12:59.000000000 +0300
423
+++ b/bin/tests/system/allow-query/tests.sh	2022-12-01 06:09:13.935835890 +0300
424
@@ -184,7 +184,7 @@
426 425
 
427 426
 echo_i "test $n: key allowed - query allowed"
428 427
 ret=0
... ... @@ -455,7 +430,7 @@ index fb6059d..f960156 100644
430 430
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
431 431
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
432 432
 if [ $ret != 0 ]; then echo_i "failed"; fi
433
@@ -203,7 +203,7 @@ rndc_reload
433
@@ -197,7 +197,7 @@
434 434
 
435 435
 echo_i "test $n: key not allowed - query refused"
436 436
 ret=0
... ... @@ -464,7 +439,7 @@ index fb6059d..f960156 100644
439 439
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
440 440
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
441 441
 if [ $ret != 0 ]; then echo_i "failed"; fi
442
@@ -216,7 +216,7 @@ rndc_reload
442
@@ -210,7 +210,7 @@
443 443
 
444 444
 echo_i "test $n: key disallowed - query refused"
445 445
 ret=0
... ... @@ -473,7 +448,7 @@ index fb6059d..f960156 100644
448 448
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
449 449
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
450 450
 if [ $ret != 0 ]; then echo_i "failed"; fi
451
@@ -349,7 +349,7 @@ rndc_reload
451
@@ -343,7 +343,7 @@
452 452
 
453 453
 echo_i "test $n: views key allowed - query allowed"
454 454
 ret=0
... ... @@ -482,7 +457,7 @@ index fb6059d..f960156 100644
457 457
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
458 458
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
459 459
 if [ $ret != 0 ]; then echo_i "failed"; fi
460
@@ -362,7 +362,7 @@ rndc_reload
460
@@ -356,7 +356,7 @@
461 461
 
462 462
 echo_i "test $n: views key not allowed - query refused"
463 463
 ret=0
... ... @@ -491,7 +466,7 @@ index fb6059d..f960156 100644
466 466
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
467 467
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
468 468
 if [ $ret != 0 ]; then echo_i "failed"; fi
469
@@ -375,7 +375,7 @@ rndc_reload
469
@@ -369,7 +369,7 @@
470 470
 
471 471
 echo_i "test $n: views key disallowed - query refused"
472 472
 ret=0
... ... @@ -500,7 +475,7 @@ index fb6059d..f960156 100644
475 475
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
476 476
 grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
477 477
 if [ $ret != 0 ]; then echo_i "failed"; fi
478
@@ -508,7 +508,7 @@ status=`expr $status + $ret`
478
@@ -502,7 +502,7 @@
479 479
 n=`expr $n + 1`
480 480
 echo_i "test $n: zone key allowed - query allowed"
481 481
 ret=0
... ... @@ -509,7 +484,7 @@ index fb6059d..f960156 100644
484 484
 grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
485 485
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
486 486
 if [ $ret != 0 ]; then echo_i "failed"; fi
487
@@ -518,7 +518,7 @@ status=`expr $status + $ret`
487
@@ -512,7 +512,7 @@
488 488
 n=`expr $n + 1`
489 489
 echo_i "test $n: zone key not allowed - query refused"
490 490
 ret=0
... ... @@ -518,7 +493,7 @@ index fb6059d..f960156 100644
493 493
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
494 494
 grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
495 495
 if [ $ret != 0 ]; then echo_i "failed"; fi
496
@@ -528,7 +528,7 @@ status=`expr $status + $ret`
496
@@ -522,7 +522,7 @@
497 497
 n=`expr $n + 1`
498 498
 echo_i "test $n: zone key disallowed - query refused"
499 499
 ret=0
... ... @@ -527,33 +502,44 @@ index fb6059d..f960156 100644
502 502
 grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
503 503
 grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
504 504
 if [ $ret != 0 ]; then echo_i "failed"; fi
505
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
506
index 74b7d37..c353766 100644
507
--- a/bin/tests/system/catz/ns1/named.conf.in
508
+++ b/bin/tests/system/catz/ns1/named.conf.in
509
@@ -61,5 +61,5 @@ zone "catalog4.example" {
505
diff -ruN a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
506
--- a/bin/tests/system/catz/ns1/named.conf.in	2022-11-08 01:12:59.000000000 +0300
507
+++ b/bin/tests/system/catz/ns1/named.conf.in	2022-12-01 06:09:13.935835890 +0300
508
@@ -63,7 +63,7 @@
510 509
 
511 510
 key tsig_key. {
512 511
 	secret "LSAnCU+Z";
513 512
-	algorithm hmac-md5;
514 513
+	algorithm hmac-sha256;
515 514
 };
516
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
517
index ee83efb..35ced08 100644
518
--- a/bin/tests/system/catz/ns2/named.conf.in
519
+++ b/bin/tests/system/catz/ns2/named.conf.in
520
@@ -70,5 +70,5 @@ zone "catalog4.example" {
515
 
516
 key next_key. {
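Review bot: in the `key tsig_key.` block of catz/ns1/named.conf.in only the `algorithm` line changes, so the key keeps `secret "LSAnCU+Z";`, which is 8 base64 characters, i.e. 6 bytes of key material, now used with hmac-sha256. That is acceptable for a test fixture, but the strength of the MAC is bounded by the 48-bit secret rather than by the hash, so a comment marking the key as test-only would keep it from being copied into a real configuration. The trailing context also shows `key next_key. {` starting right after; its `algorithm` line is outside this hunk, so please confirm it does not still use hmac-md5.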
517
diff -ruN a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
518
--- a/bin/tests/system/catz/ns2/named1.conf.in	2022-11-08 01:12:59.000000000 +0300
519
+++ b/bin/tests/system/catz/ns2/named1.conf.in	2022-12-01 06:09:13.936835896 +0300
520
@@ -80,7 +80,7 @@
521 521
 
522 522
 key tsig_key. {
523 523
 	secret "LSAnCU+Z";
524 524
-	algorithm hmac-md5;
525 525
+	algorithm hmac-sha256;
526 526
 };
527
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
528
index 21be03e..e57c308 100644
529
--- a/bin/tests/system/checkconf/bad-tsig.conf
530
+++ b/bin/tests/system/checkconf/bad-tsig.conf
531
@@ -11,7 +11,7 @@
527
 
528
 key next_key. {
529
diff -ruN a/bin/tests/system/catz/ns2/named2.conf.in b/bin/tests/system/catz/ns2/named2.conf.in
530
--- a/bin/tests/system/catz/ns2/named2.conf.in	2022-11-08 01:12:59.000000000 +0300
531
+++ b/bin/tests/system/catz/ns2/named2.conf.in	2022-12-01 06:09:13.936835896 +0300
532
@@ -58,5 +58,5 @@
533
 
534
 key tsig_key. {
535
 	secret "LSAnCU+Z";
536
-	algorithm hmac-md5;
537
+	algorithm hmac-sha256;
538
 };
539
diff -ruN a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
540
--- a/bin/tests/system/checkconf/bad-tsig.conf	2022-11-08 01:12:59.000000000 +0300
541
+++ b/bin/tests/system/checkconf/bad-tsig.conf	2022-12-01 06:09:13.936835896 +0300
542
@@ -13,7 +13,7 @@
532 543
 
533 544
 /* Bad secret */
534 545
 key "badtsig" {
... ... @@ -562,11 +548,10 @@ index 21be03e..e57c308 100644
548 548
 	secret "jEdD+BPKg==";
549 549
 };
550 550
 
551
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
552
index 9ab35b3..486551a 100644
553
--- a/bin/tests/system/checkconf/good.conf
554
+++ b/bin/tests/system/checkconf/good.conf
555
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
551
diff -ruN a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
552
--- a/bin/tests/system/checkconf/good.conf	2022-11-08 01:12:59.000000000 +0300
553
+++ b/bin/tests/system/checkconf/good.conf	2022-12-01 06:09:13.936835896 +0300
554
@@ -283,6 +283,6 @@
556 555
 	system;
557 556
 };
558 557
 key "mykey" {
... ... @@ -574,476 +559,41 @@ index 9ab35b3..486551a 100644
559 559
+	algorithm "hmac-sha256";
560 560
 	secret "qwertyuiopasdfgh";
561 561
 };
562
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
563
index f4e30f5..9f53e31 100644
564
--- a/bin/tests/system/digdelv/ns2/example.db
565
+++ b/bin/tests/system/digdelv/ns2/example.db
566
@@ -38,12 +38,15 @@ foo			SSHFP	2 1 123456789abcdef67890123456789abcdef67890
567
 ;;
568
 ;; we are not testing DNSSEC behavior, so we don't care about the semantics
569
 ;; of the following records.
570
-dnskey                  300     DNSKEY  256 3 1 (
571
-                                        AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
572
-                                        +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
573
-                                        Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
574
-                                        b9VIE5x7KNHAYTvTO5d4S8M=
575
-                                        )
576
+dnskey                  300     DNSKEY 256 3 8 (
577
+                    AwEAAaWmCoDpj2K59zcpqnmnQM7IC/XbjS6jIP7uTBR4X7p1bdQJzAeo
578
+                    EnMhnpnxPp0j+20eZm4847DB2U+HuHy79Mvqd3aozTmfBJvzjKs9qyba
579
+                    zY/ZHn6BDYxNJiFfjSS/VJ1KuQPDbpCzhm2hbvT5s9nSOaG0WyRk+d+R
580
+                    qEca11E7ZKkmmNiGlyzMAgfmTTBwgxWBAAhvd9nU1GqD6eQ6Z63hpTc/
581
+                    KDIHnFTo7pOcZ4z5urIKUMCMcFytedETlEoR5CIWGPdQq2eIEEMfn5ld
582
+                    QqdEZRHVErD9og8aluJ2s767HZb8LzjCfYgBFoT9/n48T75oZLEKtSkG
583
+                    /idCeeQlaLU=
584
+                    )
585
 
586
 ; TTL of 3 weeks
587
 weeks		1814400	A	10.53.0.2
588
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
589
index ade45ce..d3aff24 100644
590
--- a/bin/tests/system/digdelv/tests.sh
591
+++ b/bin/tests/system/digdelv/tests.sh
592
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
593
   echo_i "checking dig +rrcomments works for DNSKEY($n)"
594
   ret=0
595
   $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
596
-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
597
+  grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
598
   check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
599
   if [ $ret != 0 ]; then echo_i "failed"; fi
600
   status=`expr $status + $ret`
601
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
602
   echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
603
   ret=0
604
   $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
605
-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < dig.out.test$n > /dev/null || ret=1
606
+  grep "; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
607
   if [ $ret != 0 ]; then echo_i "failed"; fi
608
   status=`expr $status + $ret`
609
 
610
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
611
   echo_i "checking dig +short +nosplit works($n)"
612
   ret=0
613
   $DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
614
-  grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < dig.out.test$n > /dev/null || ret=1
615
+  grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < dig.out.test$n > /dev/null || ret=1
616
   if [ $ret != 0 ]; then echo_i "failed"; fi
617
   status=`expr $status + $ret`
618
 
619
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
620
   echo_i "checking dig +short +rrcomments works($n)"
621
   ret=0
622
   $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
623
-  grep "S8M=  ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
624
+  grep "aLU=  ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
625
   if [ $ret != 0 ]; then echo_i "failed"; fi
626
   status=`expr $status + $ret`
627
 
628
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
629
   echo_i "checking dig +short +rrcomments works($n)"
630
   ret=0
631
   $DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
632
-  grep "S8M=  ; ZSK; alg = RSAMD5 ; key id = 30795$" < dig.out.test$n > /dev/null || ret=1
633
+  grep "aLU=  ; ZSK; alg = RSASHA256 ; key id = 36895$" < dig.out.test$n > /dev/null || ret=1
634
   if [ $ret != 0 ]; then echo_i "failed"; fi
635
   status=`expr $status + $ret`
636
 
637
@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then
638
   echo_i "checking delv +rrcomments works for DNSKEY($n)"
639
   ret=0
640
   $DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
641
-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
642
+  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
643
   check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
644
   if [ $ret != 0 ]; then echo_i "failed"; fi
645
   status=`expr $status + $ret`
646
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
647
   echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
648
   ret=0
649
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
650
-  grep "; ZSK; alg = RSAMD5 ; key id = 30795" < delv.out.test$n > /dev/null || ret=1
651
+  grep "; ZSK; alg = RSASHA256 ; key id = 36895" < delv.out.test$n > /dev/null || ret=1
652
   if [ $ret != 0 ]; then echo_i "failed"; fi
653
   status=`expr $status + $ret`
654
 
655
@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then
656
   echo_i "checking delv +short +rrcomments works ($n)"
657
   ret=0
658
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
659
-  grep "S8M=  ; ZSK; alg = RSAMD5 ; key id = 30795$" < delv.out.test$n > /dev/null || ret=1
660
+  grep "aLU=  ; ZSK; alg = RSASHA256 ; key id = 36895$" < delv.out.test$n > /dev/null || ret=1
661
   if [ $ret != 0 ]; then echo_i "failed"; fi
662
   status=`expr $status + $ret`
663
 
664
@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then
665
   echo_i "checking delv +short +nosplit works ($n)"
666
   ret=0
667
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
668
-  grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=" < delv.out.test$n > /dev/null || ret=1
669
+  grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=" < delv.out.test$n > /dev/null || ret=1
670
   if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
671
   f=`awk '{print NF}' < delv.out.test$n`
672
   test "${f:-0}" -eq 14 || ret=1
673
@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then
674
   echo_i "checking delv +short +nosplit +norrcomments works ($n)"
675
   ret=0
676
   $DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
677
-  grep "Z8plc4Rb9VIE5x7KNHAYTvTO5d4S8M=$" < delv.out.test$n > /dev/null || ret=1
678
+  grep "T9/n48T75oZLEKtSkG/idCeeQlaLU=$" < delv.out.test$n > /dev/null || ret=1
679
   if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
680
   f=`awk '{print NF}' < delv.out.test$n`
681
   test "${f:-0}" -eq 4 || ret=1
682
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
683
index 606e7cc..a3a0d60 100755
684
--- a/bin/tests/system/dlv/ns1/sign.sh
685
+++ b/bin/tests/system/dlv/ns1/sign.sh
686
@@ -23,8 +23,8 @@ infile=root.db.in
687
 zonefile=root.db
688
 outfile=root.signed
689
 
690
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
691
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
692
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
693
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
694
 
695
 cat $infile $keyname1.key $keyname2.key >$zonefile
696
 
697
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
698
index 9825c57..202c978 100755
699
--- a/bin/tests/system/dlv/ns2/sign.sh
700
+++ b/bin/tests/system/dlv/ns2/sign.sh
701
@@ -24,8 +24,8 @@ zonefile=druz.db
702
 outfile=druz.pre
703
 dlvzone=utld.
704
 
705
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
706
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
707
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null` 
708
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
709
 
710
 cat $infile $keyname1.key $keyname2.key >$zonefile
711
 
712
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
713
index 1e39862..4ed19ac 100755
714
--- a/bin/tests/system/dlv/ns6/sign.sh
715
+++ b/bin/tests/system/dlv/ns6/sign.sh
716
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
717
 
718
 echo_i "dlv/ns6/sign.sh"
719
 
720
+bits=1024
721
+
722
 zone=grand.child1.utld.
723
 infile=child.db.in
724
 zonefile=grand.child1.utld.db
725
 outfile=grand.child1.signed
726
 
727
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
728
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
729
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
730
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
731
 
732
 cat $infile $keyname1.key $keyname2.key >$zonefile
733
 
734
@@ -36,8 +38,8 @@ zonefile=grand.child3.utld.db
735
 outfile=grand.child3.signed
736
 dlvzone=dlv.utld.
737
 
738
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
739
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
740
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
741
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
742
 
743
 cat $infile $keyname1.key $keyname2.key >$zonefile
744
 
745
@@ -51,8 +53,8 @@ zonefile=grand.child4.utld.db
746
 outfile=grand.child4.signed
747
 dlvzone=dlv.utld.
748
 
749
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
750
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
751
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
752
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
753
 
754
 cat $infile $keyname1.key $keyname2.key >$zonefile
755
 
756
@@ -66,8 +68,8 @@ zonefile=grand.child5.utld.db
757
 outfile=grand.child5.signed
758
 dlvzone=dlv.utld.
759
 
760
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
761
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
762
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
763
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
764
 
765
 cat $infile $keyname1.key $keyname2.key >$zonefile
766
 
767
@@ -81,8 +83,8 @@ zonefile=grand.child7.utld.db
768
 outfile=grand.child7.signed
769
 dlvzone=dlv.utld.
770
 
771
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
772
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
773
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
774
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
775
 
776
 cat $infile $keyname1.key $keyname2.key >$zonefile
777
 
778
@@ -96,8 +98,8 @@ zonefile=grand.child8.utld.db
779
 outfile=grand.child8.signed
780
 dlvzone=dlv.utld.
781
 
782
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
783
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
784
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
785
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
786
 
787
 cat $infile $keyname1.key $keyname2.key >$zonefile
788
 
789
@@ -111,8 +113,8 @@ zonefile=grand.child9.utld.db
790
 outfile=grand.child9.signed
791
 dlvzone=dlv.utld.
792
 
793
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
794
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
795
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
796
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
797
 
798
 cat $infile $keyname1.key $keyname2.key >$zonefile
799
 
800
@@ -125,8 +127,8 @@ zonefile=grand.child10.utld.db
801
 outfile=grand.child10.signed
802
 dlvzone=dlv.utld.
803
 
804
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
805
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
806
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
807
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
808
 
809
 cat $infile $keyname1.key $keyname2.key >$zonefile
810
 
811
@@ -138,8 +140,8 @@ infile=child.db.in
812
 zonefile=grand.child1.druz.db
813
 outfile=grand.child1.druz.signed
814
 
815
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
816
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
817
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
818
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
819
 
820
 cat $infile $keyname1.key $keyname2.key >$zonefile
821
 
822
@@ -153,8 +155,8 @@ zonefile=grand.child3.druz.db
823
 outfile=grand.child3.druz.signed
824
 dlvzone=dlv.druz.
825
 
826
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
827
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
828
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
829
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
830
 
831
 cat $infile $keyname1.key $keyname2.key >$zonefile
832
 
833
@@ -168,8 +170,8 @@ zonefile=grand.child4.druz.db
834
 outfile=grand.child4.druz.signed
835
 dlvzone=dlv.druz.
836
 
837
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
838
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
839
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
840
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
841
 
842
 cat $infile $keyname1.key $keyname2.key >$zonefile
843
 
844
@@ -183,8 +185,8 @@ zonefile=grand.child5.druz.db
845
 outfile=grand.child5.druz.signed
846
 dlvzone=dlv.druz.
847
 
848
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
849
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
850
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
851
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
852
 
853
 cat $infile $keyname1.key $keyname2.key >$zonefile
854
 
855
@@ -198,8 +200,8 @@ zonefile=grand.child7.druz.db
856
 outfile=grand.child7.druz.signed
857
 dlvzone=dlv.druz.
858
 
859
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
860
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
861
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
862
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
863
 
864
 cat $infile $keyname1.key $keyname2.key >$zonefile
865
 
866
@@ -213,8 +215,8 @@ zonefile=grand.child8.druz.db
867
 outfile=grand.child8.druz.signed
868
 dlvzone=dlv.druz.
869
 
870
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
871
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
872
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
873
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
874
 
875
 cat $infile $keyname1.key $keyname2.key >$zonefile
876
 
877
@@ -228,8 +230,8 @@ zonefile=grand.child9.druz.db
878
 outfile=grand.child9.druz.signed
879
 dlvzone=dlv.druz.
880
 
881
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
882
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
883
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
884
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
885
 
886
 cat $infile $keyname1.key $keyname2.key >$zonefile
562
diff -ruN a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
563
--- a/bin/tests/system/feature-test.c	2022-11-08 01:12:59.000000000 +0300
564
+++ b/bin/tests/system/feature-test.c	2022-12-01 06:09:13.936835896 +0300
565
@@ -17,6 +17,7 @@
566
 #include <string.h>
567
 #include <unistd.h>
887 568
 
888
@@ -242,8 +244,8 @@ zonefile=grand.child10.druz.db
889
 outfile=grand.child10.druz.signed
890
 dlvzone=dlv.druz.
891
 
892
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
893
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
894
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
895
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b $bits -n zone $zone 2> /dev/null`
896
 
897
 cat $infile $keyname1.key $keyname2.key >$zonefile
898
 
899
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
900
index 13fb924..1ffa279 100644
901
--- a/bin/tests/system/dnssec/ns2/sign.sh
902
+++ b/bin/tests/system/dnssec/ns2/sign.sh
903
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
904
 infile=in-addr.arpa.db.in
905
 zonefile=in-addr.arpa.db
906
 
907
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
908
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
909
+keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
910
+keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 1024 -n zone $zone`
911
 
912
 cat $infile $keyname1.key $keyname2.key >$zonefile
913
 $SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
914
@@ -138,7 +138,7 @@ privzone=private.secure.example
915
 privinfile=private.secure.example.db.in
916
 privzonefile=private.secure.example.db
917
 
918
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $privzone`
919
+privkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $privzone`
920
 
921
 cat $privinfile $privkeyname.key >$privzonefile
922
 
923
@@ -152,7 +152,7 @@ dlvinfile=dlv.db.in
924
 dlvzonefile=dlv.db
925
 dlvsetfile=dlvset-${privzone}${TP}
926
 
927
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $dlvzone`
928
+dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $dlvzone`
929
 
930
 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
931
 
932
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
933
index ed30460..e6b1126 100644
934
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
935
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
936
@@ -10,5 +10,5 @@
937
  */
938
 
939
 trusted-keys {
940
-    "." 256 3 1 "AQO6Cl+slAf+iuieDim9L3kujFHQD7s/IOj03ClMOpKYcTXtK4mRpuULVfvWxDi9Ew/gj0xLnnX7z9OJHIxLI+DSrAHd8Dm0XfBEAtVtJSn70GaPZgnLMw1rk5ap2DsEoWk=";
941
+    "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
942
 };
943
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
944
index b31c1b4..a5e237b 100644
945
--- a/bin/tests/system/dnssec/tests.sh
946
+++ b/bin/tests/system/dnssec/tests.sh
947
@@ -3235,8 +3235,8 @@ do
948
 	   alg=`expr $alg + 1`
949
 	   continue;;
950
 	3) size="-b 512";;
951
-	5) size="-b 512";;
952
-	6) size="-b 512";;
953
+	5) size="-b 1024";;
954
+	6) size="-b 1024";;
955
 	7) size="-b 512";;
956
 	8) size="-b 512";;
957
 	10) size="-b 1024";;
958
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
959
index c1249ed..20a3139 100644
960
--- a/bin/tests/system/feature-test.c
961
+++ b/bin/tests/system/feature-test.c
962
@@ -19,6 +19,7 @@
569
+#include <isc/md.h>
570
 #include <isc/net.h>
963 571
 #include <isc/print.h>
964 572
 #include <isc/util.h>
965
 #include <isc/net.h>
966
+#include <isc/md5.h>
967
 #include <dns/edns.h>
968
 
969
 #ifdef WIN32
970
@@ -47,6 +48,7 @@ usage() {
971
 	fprintf(stderr, "	--have-geoip2\n");
972
 	fprintf(stderr, "	--have-libxml2\n");
973
 	fprintf(stderr, "	--ipv6only=no\n");
974
+	fprintf(stderr, "       --md5\n");
975
 	fprintf(stderr, "	--rpz-nsdname\n");
976
 	fprintf(stderr, "	--rpz-nsip\n");
977
 	fprintf(stderr, "	--with-idn\n");
978
@@ -155,6 +157,18 @@ main(int argc, char **argv) {
979
 #endif
573
@@ -185,6 +186,19 @@
574
 #endif /* ifdef DLZ_FILESYSTEM */
980 575
 	}
981 576
 
982 577
+	if (strcmp(argv[1], "--md5") == 0) {
983
+#ifdef PK11_MD5_DISABLE
984
+		return (1);
985
+#else
986
+		if (isc_md5_available()) {
578
+		unsigned char digest[ISC_MAX_MD_SIZE];
579
+		const unsigned char test[] = "test";
580
+		unsigned int size = sizeof(digest);
581
+
582
+		if (isc_md(ISC_MD_MD5, test, sizeof(test),
583
+		           digest, &size) == ISC_R_SUCCESS) {
987 584
+			return (0);
988 585
+		} else {
989 586
+			return (1);
990 587
+		}
991
+#endif
992 588
+	}
993 589
+
994
 	if (strcmp(argv[1], "--rpz-nsip") == 0) {
995
 #ifdef ENABLE_RPZ_NSIP
590
 	if (strcmp(argv[1], "--with-idn") == 0) {
591
 #ifdef HAVE_LIBIDN2
996 592
 		return (0);
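Review bot: the `--md5` branch added to `main()` in feature-test.c has no matching `usage()` entry in this revision; the previous revision of the patch also added `fprintf(stderr, "       --md5\n");`, while the new one carries only the `#include <isc/md.h>` hunk and the `main()` hunk, so the flag that nsupdate/setup.sh and nsupdate/tests.sh depend on is missing from the tool's own help text. Separately, `isc_md(ISC_MD_MD5, test, sizeof(test), ...)` hashes the terminating NUL of "test" as well; that is harmless for an availability probe, but `sizeof(test) - 1` states the intent. The check is now purely a runtime probe (the `#ifdef PK11_MD5_DISABLE` branch is gone), so its result reflects the crypto library on the machine running the tests, which is worth one comment line above the `if`.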
997
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
998
index f755581..4a7d890 100755
999
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
1000
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
1001
@@ -21,8 +21,8 @@ infile=signed.db.in
1002
 zonefile=signed.db.signed
1003
 outfile=signed.db.signed
1004
 
1005
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
1006
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
1007
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
1008
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
1009
 
1010
 cat $infile $keyname1.key $keyname2.key >$zonefile
1011
 
1012
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
1013
index f755581..4a7d890 100755
1014
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
1015
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
1016
@@ -21,8 +21,8 @@ infile=signed.db.in
1017
 zonefile=signed.db.signed
1018
 outfile=signed.db.signed
1019
 
1020
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
1021
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
1022
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
1023
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 1024 -n zone $zone 2> /dev/null`
1024
 
1025
 cat $infile $keyname1.key $keyname2.key >$zonefile
1026
 
1027
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
1028
index cfcfe8f..0a1614d 100644
1029
--- a/bin/tests/system/notify/ns5/named.conf.in
1030
+++ b/bin/tests/system/notify/ns5/named.conf.in
1031
@@ -10,17 +10,17 @@
593
diff -ruN a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
594
--- a/bin/tests/system/notify/ns5/named.conf.in	2022-11-08 01:12:59.000000000 +0300
595
+++ b/bin/tests/system/notify/ns5/named.conf.in	2022-12-01 06:09:13.936835896 +0300
596
@@ -12,17 +12,17 @@
1032 597
  */
1033 598
 
1034 599
 key "a" {
... ... @@ -1064,11 +614,10 @@ index cfcfe8f..0a1614d 100644
614 614
 	secret "cccccccccccccccccccc";
615 615
 };
616 616
 
617
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
618
index 1f6e6d0..c08bd25 100644
619
--- a/bin/tests/system/notify/tests.sh
620
+++ b/bin/tests/system/notify/tests.sh
621
@@ -212,16 +212,16 @@ ret=0
617
diff -ruN a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
618
--- a/bin/tests/system/notify/tests.sh	2022-11-08 01:12:59.000000000 +0300
619
+++ b/bin/tests/system/notify/tests.sh	2022-12-01 06:09:13.937835902 +0300
620
@@ -214,16 +214,16 @@
622 621
 $NSUPDATE << EOF
623 622
 server 10.53.0.5 ${PORT}
624 623
 zone x21
... ... @@ -1088,11 +637,10 @@ index 1f6e6d0..c08bd25 100644
637 637
 		txt > dig.out.c.ns5.test$n || ret=1
638 638
 	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
639 639
 	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
640
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
641
index 1d999ad..26b6b7c 100644
642
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
643
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
644
@@ -32,7 +32,7 @@ controls {
640
diff -ruN a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
641
--- a/bin/tests/system/nsupdate/ns1/named.conf.in	2022-11-08 01:12:59.000000000 +0300
642
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in	2022-12-01 06:09:13.937835902 +0300
643
@@ -39,7 +39,7 @@
645 644
 };
646 645
 
647 646
 key altkey {
... ... @@ -1101,11 +649,10 @@ index 1d999ad..26b6b7c 100644
649 649
 	secret "1234abcd8765";
650 650
 };
651 651
 
652
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
653
index 4549184..cb7dccd 100644
654
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
655
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
656
@@ -33,7 +33,7 @@ controls {
652
diff -ruN a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
653
--- a/bin/tests/system/nsupdate/ns2/named.conf.in	2022-11-08 01:12:59.000000000 +0300
654
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in	2022-12-01 06:09:13.937835902 +0300
655
@@ -34,7 +34,7 @@
657 656
 };
658 657
 
659 658
 key altkey {
... ... @@ -1114,32 +661,29 @@ index 4549184..cb7dccd 100644
661 661
 	secret "1234abcd8765";
662 662
 };
663 663
 
664
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
665
index 21805c5..0d3d85c 100644
666
--- a/bin/tests/system/nsupdate/setup.sh
667
+++ b/bin/tests/system/nsupdate/setup.sh
668
@@ -58,7 +58,12 @@ EOF
664
diff -ruN a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
665
--- a/bin/tests/system/nsupdate/setup.sh	2022-11-08 01:12:59.000000000 +0300
666
+++ b/bin/tests/system/nsupdate/setup.sh	2022-12-01 06:09:13.937835902 +0300
667
@@ -73,7 +73,11 @@
669 668
 
670
 $DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
669
 $DDNSCONFGEN -q -z example.nil > ns1/ddns.key
671 670
 
672
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
671
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
673 672
+if $FEATURETEST --md5; then
674
+	$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
673
+	$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
675 674
+else
676 675
+	echo -n > ns1/md5.key
677 676
+fi
678
+
679
 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
680
 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
681
 $DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
682
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
683
index 4da4849..b3bc807 100755
684
--- a/bin/tests/system/nsupdate/tests.sh
685
+++ b/bin/tests/system/nsupdate/tests.sh
686
@@ -708,7 +708,14 @@ fi
687
 n=`expr $n + 1`
677
 $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
678
 $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
679
 $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
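Review bot: in the `else` branch of nsupdate/setup.sh, `echo -n > ns1/md5.key` relies on `echo -n`, which is not portable across sh implementations (some print a literal `-n`, leaving a non-empty file that is not a valid key); `: > ns1/md5.key` or `printf '' > ns1/md5.key` creates the empty file reliably. An empty md5.key is only safe as long as every consumer skips md5 when `$FEATURETEST --md5` fails, so the gating here and in nsupdate/tests.sh has to stay in step; a short comment saying so would help the next rebase.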
680
diff -ruN a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
681
--- a/bin/tests/system/nsupdate/tests.sh	2022-11-08 01:12:59.000000000 +0300
682
+++ b/bin/tests/system/nsupdate/tests.sh	2022-12-01 06:09:13.938835909 +0300
683
@@ -852,7 +852,14 @@
684
 n=$((n + 1))
688 685
 ret=0
689
 echo_i "check TSIG key algorithms ($n)"
686
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
690 687
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
691 688
+if $FEATURETEST --md5
692 689
+then
... ... @@ -1152,7 +696,7 @@ index 4da4849..b3bc807 100755
696 696
     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
697 697
 server 10.53.0.1 ${PORT}
698 698
 update add ${alg}.keytests.nil. 600 A 10.10.10.3
699
@@ -716,7 +723,7 @@ send
699
@@ -860,7 +867,7 @@
700 700
 END
701 701
 done
702 702
 sleep 2
... ... @@ -1161,11 +705,28 @@ index 4da4849..b3bc807 100755
705 705
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
706 706
 done
707 707
 if [ $ret -ne 0 ]; then
708
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
709
index 343869e..c30efb0 100644
710
--- a/bin/tests/system/rndc/setup.sh
711
+++ b/bin/tests/system/rndc/setup.sh
712
@@ -37,7 +37,7 @@ make_key () {
708
@@ -871,7 +878,7 @@
709
 n=$((n + 1))
710
 ret=0
711
 echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
712
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
713
+for alg in $ALGS; do
714
     secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
715
     $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
716
 server 10.53.0.1 ${PORT}
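Review bot: in the `nsupdate -y` loop, `secret` is taken from a `sed -n` match on `ns1/${alg}.key` and used without a check, so if the key file is missing or its layout differs, `$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret"` runs with an empty secret and the test only reports a generic failure. Add `[ -n "$secret" ] || ret=1` right after the `sed` line so a key-generation problem is distinguishable from a TSIG failure.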
717
@@ -880,7 +887,7 @@
718
 END
719
 done
720
 sleep 2
721
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
722
+for alg in $ALGS; do
723
     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
724
 done
725
 if [ $ret -ne 0 ]; then
726
diff -ruN a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
727
--- a/bin/tests/system/rndc/setup.sh	2022-11-08 01:12:59.000000000 +0300
728
+++ b/bin/tests/system/rndc/setup.sh	2022-12-01 06:09:13.938835909 +0300
729
@@ -40,7 +40,7 @@
713 730
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
714 731
 }
715 732
 
... ... @@ -1174,11 +735,10 @@ index 343869e..c30efb0 100644
735 735
 make_key 2 ${EXTRAPORT2} hmac-sha1
736 736
 make_key 3 ${EXTRAPORT3} hmac-sha224
737 737
 make_key 4 ${EXTRAPORT4} hmac-sha256
738
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
739
index 57e066d..186a723 100644
740
--- a/bin/tests/system/rndc/tests.sh
741
+++ b/bin/tests/system/rndc/tests.sh
742
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
738
diff -ruN a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
739
--- a/bin/tests/system/rndc/tests.sh	2022-11-08 01:12:59.000000000 +0300
740
+++ b/bin/tests/system/rndc/tests.sh	2022-12-01 06:09:13.938835909 +0300
741
@@ -351,15 +351,20 @@
743 742
 status=`expr $status + $ret`
744 743
 
745 744
 n=`expr $n + 1`
... ... @@ -1208,20 +768,10 @@ index 57e066d..186a723 100644
768 768
 
769 769
 n=`expr $n + 1`
770 770
 echo_i "testing rndc with hmac-sha1 ($n)"
771
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
772
index 576ec70..cb7a852 100644
773
--- a/bin/tests/system/tsig/clean.sh
774
+++ b/bin/tests/system/tsig/clean.sh
775
@@ -20,3 +20,4 @@ rm -f */named.run
776
 rm -f ns*/named.lock
777
 rm -f Kexample.net.+163+*
778
 rm -f keygen.out?
779
+rm -f ns1/named.conf
780
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
781
index fbf30c6..f61657d 100644
782
--- a/bin/tests/system/tsig/ns1/named.conf.in
783
+++ b/bin/tests/system/tsig/ns1/named.conf.in
784
@@ -21,10 +21,7 @@ options {
771
diff -ruN a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
772
--- a/bin/tests/system/tsig/ns1/named.conf.in	2022-11-08 01:12:59.000000000 +0300
773
+++ b/bin/tests/system/tsig/ns1/named.conf.in	2022-12-01 06:09:13.938835909 +0300
774
@@ -23,10 +23,7 @@
785 775
 	notify no;
786 776
 };
787 777
 
... ... @@ -1233,7 +783,7 @@ index fbf30c6..f61657d 100644
783 783
 
784 784
 key "sha1" {
785 785
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
786
@@ -51,10 +48,7 @@ key "sha512" {
786
@@ -53,10 +50,7 @@
787 787
 	algorithm hmac-sha512;
788 788
 };
789 789
 
... ... @@ -1245,24 +795,36 @@ index fbf30c6..f61657d 100644
795 795
 
796 796
 key "sha1-trunc" {
797 797
 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
798
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
799
index 4dd4a25..aa0f966 100644
800
--- a/bin/tests/system/tsig/setup.sh
801
+++ b/bin/tests/system/tsig/setup.sh
802
@@ -17,3 +17,8 @@ $SHELL clean.sh
803
 copy_setports ns1/named.conf.in ns1/named.conf
798
diff -ruN a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
799
--- a/bin/tests/system/tsig/ns1/rndc5.conf.in	1970-01-01 03:00:00.000000000 +0300
800
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in	2022-12-01 06:09:13.938835909 +0300
801
@@ -0,0 +1,10 @@
802
+# Conditionally included when support for MD5 is available
803
+key "md5" {
804
+	secret "97rnFx24Tfna4mHPfgnerA==";
805
+	algorithm hmac-md5;
806
+};
807
+
808
+key "md5-trunc" {
809
+	secret "97rnFx24Tfna4mHPfgnerA==";
810
+	algorithm hmac-md5-80;
811
+};
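Review bot: the new file is named `rndc5.conf.in` but holds TSIG `key` statements for the `tsig` test, not rndc configuration; a name that says "MD5 keys" would be easier to follow. Both `md5` and `md5-trunc` carry the same hardcoded secret, which matches how `sha1` and `sha1-trunc` are written in `named.conf.in`, so a one-line comment that these are test-only fixtures would help anyone scanning the tree for embedded secrets.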
812
diff -ruN a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
813
--- a/bin/tests/system/tsig/setup.sh	2022-11-08 01:12:59.000000000 +0300
814
+++ b/bin/tests/system/tsig/setup.sh	2022-12-01 06:09:13.938835909 +0300
815
@@ -17,3 +17,8 @@
816
 $SHELL clean.sh
804 817
 
805
 test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
818
 copy_setports ns1/named.conf.in ns1/named.conf
806 819
+
807 820
+if $FEATURETEST --md5
808 821
+then
809 822
+	cat ns1/rndc5.conf.in >> ns1/named.conf
810 823
+fi
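Review bot: the added block appends `ns1/rndc5.conf.in` to `ns1/named.conf` with a plain `cat`, bypassing the `copy_setports` step applied to `named.conf.in` just above it. That is correct only while the fragment contains no port placeholders; passing the fragment through `copy_setports` into a temporary file and appending that would keep the setup safe if the fragment ever grows.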
811
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
812
index f731fa6..cade35b 100644
813
--- a/bin/tests/system/tsig/tests.sh
814
+++ b/bin/tests/system/tsig/tests.sh
815
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
824
diff -ruN a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
825
--- a/bin/tests/system/tsig/tests.sh	2022-11-08 01:12:59.000000000 +0300
826
+++ b/bin/tests/system/tsig/tests.sh	2022-12-01 06:09:13.939835915 +0300
827
@@ -28,20 +28,25 @@
816 828
 
817 829
 status=0
818 830
 
... ... @@ -1302,7 +864,7 @@ index f731fa6..cade35b 100644
864 864
 fi
865 865
 
866 866
 echo_i "fetching using hmac-sha1"
867
@@ -87,12 +92,17 @@ fi
867
@@ -89,12 +94,17 @@
868 868
 #	Truncated TSIG
869 869
 #
870 870
 #
... ... @@ -1326,7 +888,7 @@ index f731fa6..cade35b 100644
888 888
 fi
889 889
 
890 890
 echo_i "fetching using hmac-sha1 (trunc)"
891
@@ -141,12 +151,17 @@ fi
891
@@ -143,12 +153,17 @@
892 892
 #	Check for bad truncation.
893 893
 #
894 894
 #
... ... @@ -1350,22 +912,10 @@ index f731fa6..cade35b 100644
912 912
 fi
913 913
 
914 914
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
915
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
916
index 0d21c7b..dbcb7b4 100644
917
--- a/bin/tests/system/tsiggss/setup.sh
918
+++ b/bin/tests/system/tsiggss/setup.sh
919
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
920
 
921
 copy_setports ns1/named.conf.in ns1/named.conf
922
 
923
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
924
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
925
 cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
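Review bot: on the changed `$KEYGEN` line, raising `-b 512` to `-b 1024` keeps the test on DSA, and 1024-bit DSA is still refused by stricter crypto policies. If the goal is for this setup to pass where small keys are rejected, moving `-a DSA` to an algorithm the policy accepts is more durable than a larger DSA size; if the test needs DSA specifically, a comment should say why.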
926
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
927
index e0a30cd..6a77b1c 100644
928
--- a/bin/tests/system/upforwd/ns1/named.conf.in
929
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
930
@@ -10,7 +10,7 @@
915
diff -ruN a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
916
--- a/bin/tests/system/upforwd/ns1/named.conf.in	2022-11-08 01:12:59.000000000 +0300
917
+++ b/bin/tests/system/upforwd/ns1/named.conf.in	2022-12-01 06:09:13.939835915 +0300
918
@@ -12,7 +12,7 @@
931 919
  */
932 920
 
933 921
 key "update.example." {
... ... @@ -1374,11 +924,10 @@ index e0a30cd..6a77b1c 100644
924 924
 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
925 925
 };
926 926
 
927
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
928
index b0694bb..9adae82 100644
929
--- a/bin/tests/system/upforwd/tests.sh
930
+++ b/bin/tests/system/upforwd/tests.sh
931
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
927
diff -ruN a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
928
--- a/bin/tests/system/upforwd/tests.sh	2022-11-08 01:12:59.000000000 +0300
929
+++ b/bin/tests/system/upforwd/tests.sh	2022-12-01 06:09:13.939835915 +0300
930
@@ -81,7 +81,7 @@
932 931
 
933 932
 echo_i "updating zone (signed) ($n)"
934 933
 ret=0
... ... @@ -1387,22 +936,3 @@ index b0694bb..9adae82 100644
936 936
 server 10.53.0.3 ${PORT}
937 937
 update add updated.example. 600 A 10.10.10.1
938 938
 update add updated.example. 600 TXT Foo
939
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
940
new file mode 100644
941
index 0000000..0682194
942
--- /dev/null
943
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
944
@@ -0,0 +1,10 @@
945
+# Conditionally included when support for MD5 is available
946
+key "md5" {
947
+	secret "97rnFx24Tfna4mHPfgnerA==";
948
+	algorithm hmac-md5;
949
+};
950
+
951
+key "md5-trunc" {
952
+	secret "97rnFx24Tfna4mHPfgnerA==";
953
+	algorithm hmac-md5-80;
954
+};
... ... ---
955
2.20.1
956
view file @ d5fe0dbac2
... ... --- /dev/null
... ... +++ b/bind-9.11-kyua-pkcs11.patch
... ... @@ -0,0 +1,58 @@
1
From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
2
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
3
Date: Tue, 2 Jan 2018 18:13:07 +0100
4
Subject: [PATCH] Fix pkcs11 variants atf tests
5
6
Add dns-pkcs11 tests Makefile to configure
7
8
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
9
---
10
 configure.ac                   | 1 +
11
 lib/Kyuafile                   | 2 ++
12
 lib/dns-pkcs11/tests/dh_test.c | 3 ++-
13
 3 files changed, 5 insertions(+), 1 deletion(-)
14
15
diff --git a/configure.ac b/configure.ac
16
index d80ae31..0fb9328 100644
17
--- a/configure.ac
18
+++ b/configure.ac
19
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
20
 	lib/dns-pkcs11/include/Makefile
21
 	lib/dns-pkcs11/include/dns/Makefile
22
 	lib/dns-pkcs11/include/dst/Makefile
23
+	lib/dns-pkcs11/tests/Makefile
24
 	lib/irs/Makefile
25
 	lib/irs/include/Makefile
26
 	lib/irs/include/irs/Makefile
27
diff --git a/lib/Kyuafile b/lib/Kyuafile
28
index 39ce986..037e5ef 100644
29
--- a/lib/Kyuafile
30
+++ b/lib/Kyuafile
31
@@ -2,8 +2,10 @@ syntax(2)
32
 test_suite('bind9')
33
 
34
 include('dns/Kyuafile')
35
+include('dns-pkcs11/Kyuafile')
36
 include('irs/Kyuafile')
37
 include('isc/Kyuafile')
38
 include('isccc/Kyuafile')
39
 include('isccfg/Kyuafile')
40
 include('ns/Kyuafile')
41
+include('ns-pkcs11/Kyuafile')
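Review bot: the two added `include()` lines are unconditional, yet the diffstat of this patch lists only `configure.ac`, `lib/Kyuafile` and `dh_test.c`, so neither `dns-pkcs11/Kyuafile` nor `ns-pkcs11/Kyuafile` is created here, and `configure.ac` gains a tests Makefile for `dns-pkcs11` only. Either add the missing Kyuafiles (and the `ns-pkcs11` tests Makefile) to this patch or document which other patch provides them; otherwise a tree without the pkcs11 directories has a test suite that references files that do not exist.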
42
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
43
index 934e8fd..658d1af 100644
44
--- a/lib/dns-pkcs11/tests/dh_test.c
45
+++ b/lib/dns-pkcs11/tests/dh_test.c
46
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
47
 	result = dst_key_computesecret(key, key, &buf);
48
 	assert_int_equal(result, DST_R_NOTPRIVATEKEY);
49
 	result = key->func->computesecret(key, key, &buf);
50
-	assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
51
+	/* PKCS11 variant gives different result, accept both */
52
+	assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
53
 
54
 	dst_key_free(&key);
55
 }
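Review bot: the replacement `assert_true(... || ...)` accepts either `DST_R_COMPUTESECRETFAILURE` or `DST_R_INVALIDPRIVATEKEY`, which loosens the test instead of pinning the value the PKCS#11 variant returns. Since this copy lives under `lib/dns-pkcs11/tests/`, assert the single expected value for that variant, or select the expected value with the build macro, so a regression that changes the error code is still caught. `assert_true` also drops the actual value from the failure output that `assert_int_equal` printed.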
56
-- 
57
2.20.1
58
view file @ 1fca60d876
... ... --- a/bind-9.11-oot-manual.patch
... ... +++ /dev/null
... ... @@ -1,256 +0,0 @@
0
From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
1
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
2
Date: Wed, 25 Jul 2018 12:24:16 +0200
3
Subject: [PATCH] Use make automatic variables to install updated manuals
4
5
Make will choose modified manual from build directory or original from source
6
directory automagically. Take advantage of install tool feature.
7
Install all files in single command instead of iterating on each of them.
8
---
9
 bin/check/Makefile.in   |  8 +++++---
10
 bin/confgen/Makefile.in |  9 +++++----
11
 bin/delv/Makefile.in    |  6 ++++--
12
 bin/dig/Makefile.in     |  8 ++++----
13
 bin/dnssec/Makefile.in  |  6 ++++--
14
 bin/named/Makefile.in   | 13 +++++++++----
15
 bin/pkcs11/Makefile.in  |  9 ++++-----
16
 bin/python/Makefile.in  |  8 ++++----
17
 bin/tools/Makefile.in   | 25 +++++++++++++++----------
18
 9 files changed, 54 insertions(+), 38 deletions(-)
19
20
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
21
index c124e80..1174f8d 100644
22
--- a/bin/check/Makefile.in
23
+++ b/bin/check/Makefile.in
24
@@ -83,12 +83,14 @@ installdirs:
25
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
26
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
27
 
28
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
29
+install-man8: ${MANPAGES}
30
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
31
+	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
32
+
33
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs install-man8
34
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
35
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
36
 	(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
37
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
38
-	(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
39
 
40
 uninstall::
41
 	rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
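Review bot: `install-man8` is added as a prerequisite of `install::` beside `installdirs` but does not itself depend on `installdirs`, so under `make -j` the `${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8` recipe can run before the directory exists. Give the new target an order-only dependency, `install-man8: ${MANPAGES} | installdirs`, which keeps `installdirs` out of `$^`, and mark it `.PHONY`. The same pattern repeats in the other `Makefile.in` hunks of this patch, and `$^` is a GNU make feature, which is worth stating if other make implementations are still supported.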
42
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
43
index 87f13dd..7865c0c 100644
44
--- a/bin/confgen/Makefile.in
45
+++ b/bin/confgen/Makefile.in
46
@@ -95,13 +95,14 @@ installdirs:
47
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
48
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
49
 
50
-install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
51
+install-man8: rndc-confgen.8 ddns-confgen.8
52
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
53
+	(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
54
+
55
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs install-man8
56
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
57
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
58
-	${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
59
-	${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
60
 	(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
61
-	(cd ${DESTDIR}${mandir}/man8; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8)
62
 
63
 uninstall::
64
 	rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
65
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
66
index e2d2802..19361a8 100644
67
--- a/bin/delv/Makefile.in
68
+++ b/bin/delv/Makefile.in
69
@@ -63,10 +63,12 @@ installdirs:
70
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
71
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
72
 
73
-install:: delv@EXEEXT@ installdirs
74
+install-man1: delv.1
75
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
76
+
77
+install:: delv@EXEEXT@ installdirs install-man1
78
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
79
 		delv@EXEEXT@ ${DESTDIR}${bindir}
80
-	${INSTALL_DATA} ${srcdir}/delv.1 ${DESTDIR}${mandir}/man1
81
 
82
 uninstall::
83
 	rm -f ${DESTDIR}${mandir}/man1/delv.1
84
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
85
index a9830a9..d7ac0b6 100644
86
--- a/bin/dig/Makefile.in
87
+++ b/bin/dig/Makefile.in
88
@@ -91,16 +91,16 @@ installdirs:
89
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
90
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
91
 
92
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
93
+install-man1: ${MANPAGES}
94
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
95
+
96
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs install-man1
97
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
98
 		dig@EXEEXT@ ${DESTDIR}${bindir}
99
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
100
 		host@EXEEXT@ ${DESTDIR}${bindir}
101
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
102
 		nslookup@EXEEXT@ ${DESTDIR}${bindir}
103
-	for m in ${MANPAGES}; do \
104
-		${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
105
-	done
106
 
107
 uninstall::
108
 	for m in ${MANPAGES}; do \
109
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
110
index 2239ad1..ce0a177 100644
111
--- a/bin/dnssec/Makefile.in
112
+++ b/bin/dnssec/Makefile.in
113
@@ -110,9 +110,11 @@ installdirs:
114
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
115
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
116
 
117
-install:: ${TARGETS} installdirs
118
+install-man8: ${MANPAGES}
119
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
120
+
121
+install:: ${TARGETS} installdirs install-man8
122
 	for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
123
-	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
124
 
125
 uninstall::
126
 	for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
127
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
128
index e1f85a9..d92bc9a 100644
129
--- a/bin/named/Makefile.in
130
+++ b/bin/named/Makefile.in
131
@@ -176,12 +176,17 @@ installdirs:
132
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
133
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
134
 
135
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
136
+install-man5: named.conf.5
137
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
138
+
139
+install-man8: named.8 lwresd.8
140
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
141
+
142
+install-man: install-man5 install-man8
143
+
144
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
145
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
146
 	(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
147
-	${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
148
-	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
149
-	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
150
 
151
 uninstall::
152
 	rm -f ${DESTDIR}${mandir}/man5/named.conf.5
153
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
154
index ae90616..a058c91 100644
155
--- a/bin/pkcs11/Makefile.in
156
+++ b/bin/pkcs11/Makefile.in
157
@@ -71,7 +71,10 @@ installdirs:
158
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
159
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
160
 
161
-install:: ${TARGETS} installdirs
162
+install-man8: ${MANPAGES}
163
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
164
+
165
+install:: ${TARGETS} installdirs install-man8
166
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ \
167
 		${DESTDIR}${sbindir}
168
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ \
169
@@ -80,10 +83,6 @@ install:: ${TARGETS} installdirs
170
 		${DESTDIR}${sbindir}
171
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ \
172
 		${DESTDIR}${sbindir}
173
-	${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
174
-	${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
175
-	${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
176
-	${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
177
 
178
 uninstall::
179
 	rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
180
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
181
index aa678d4..064c404 100644
182
--- a/bin/python/Makefile.in
183
+++ b/bin/python/Makefile.in
184
@@ -47,13 +47,13 @@ installdirs:
185
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
186
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
187
 
188
-install:: ${TARGETS} installdirs
189
+install-man8: ${MANPAGES}
190
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
191
+
192
+install:: ${TARGETS} installdirs install-man8
193
 	${INSTALL_SCRIPT} dnssec-checkds ${DESTDIR}${sbindir}
194
 	${INSTALL_SCRIPT} dnssec-coverage ${DESTDIR}${sbindir}
195
 	${INSTALL_SCRIPT} dnssec-keymgr ${DESTDIR}${sbindir}
196
-	${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
197
-	${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
198
-	${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
199
 	if test -n "${PYTHON}" ; then \
200
 		if test -n "${DESTDIR}" ; then \
201
 			${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
202
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
203
index 7bf2af4..c395bc7 100644
204
--- a/bin/tools/Makefile.in
205
+++ b/bin/tools/Makefile.in
206
@@ -119,17 +119,27 @@ installdirs:
207
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
208
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
209
 
210
-nzd:
211
+nzd-man: named-nzd2nzf.8
212
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
213
+
214
+nzd: nzd-man
215
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-nzd2nzf@EXEEXT@ \
216
 		${DESTDIR}${sbindir}
217
-	${INSTALL_DATA} ${srcdir}/named-nzd2nzf.8 ${DESTDIR}${mandir}/man8
218
 
219
-dnstap:
220
+dnstap-man: dnstap-read.1
221
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
222
+
223
+dnstap: dnstap-man
224
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} dnstap-read@EXEEXT@ \
225
 		${DESTDIR}${bindir}
226
-	${INSTALL_DATA} ${srcdir}/dnstap-read.1 ${DESTDIR}${mandir}/man1
227
 
228
-install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
229
+install-man1: arpaname.1 named-rrchecker.1 mdig.1
230
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man1
231
+
232
+install-man8: named-journalprint.8 nsec3hash.8
233
+	${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
234
+
235
+install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@ install-man1 install-man8
236
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
237
 		${DESTDIR}${bindir}
238
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
239
@@ -144,13 +154,8 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
240
 		${DESTDIR}${sbindir}
241
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
242
 		${DESTDIR}${bindir}
243
-	${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
244
 	${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
245
-	${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
246
-	${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1
247
-	${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
248
 	${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
249
-	${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1
250
 
251
 uninstall::
252
 	rm -f ${DESTDIR}${mandir}/man1/mdig.1
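Review bot: in this hunk `isc-hmac-fixup.8` and `genrandom.8` are still installed with `${INSTALL_DATA} ${srcdir}/...` while every other manual moved to the new `install-man1` and `install-man8` targets, so an out-of-tree build takes regenerated copies for most pages and source-tree copies for these two. Add both to the `install-man8` prerequisite list, or note why they are excluded.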
... ... ---
253
2.14.4
254
view file @ 1fca60d876
... ... --- a/bind-9.11-pk11.patch
... ... +++ /dev/null
... ... @@ -1,27 +0,0 @@
0
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
1
index 640519a..fc40472 100644
2
--- a/lib/dns/dst_internal.h
3
+++ b/lib/dns/dst_internal.h
4
@@ -59,6 +59,9 @@
5
 #include <openssl/objects.h>
6
 #include <openssl/rsa.h>
7
 #endif
8
+#if PKCS11CRYPTO
9
+#include <pk11/pk11.h>
10
+#endif
11
 
12
 ISC_LANG_BEGINDECLS
13
 
14
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
15
index aa8907a..603712a 100644
16
--- a/lib/isc/include/pk11/internal.h
17
+++ b/lib/isc/include/pk11/internal.h
18
@@ -13,6 +13,8 @@
19
 #ifndef PK11_INTERNAL_H
20
 #define PK11_INTERNAL_H 1
21
 
22
+#include <pk11/pk11.h>
23
+
24
 /*! \file pk11/internal.h */
25
 
26
 ISC_LANG_BEGINDECLS
view file @ 1fca60d876
... ... --- a/bind-9.11-rh1205168.patch
... ... +++ /dev/null
... ... @@ -1,120 +0,0 @@
0
From 90416594843a56550e40b11561807786219ce1c4 Mon Sep 17 00:00:00 2001
1
From: Evan Hunt <each@isc.org>
2
Date: Mon, 11 Sep 2017 15:01:36 -0700
3
Subject: [PATCH] remap getaddrinfo() to irs_getgetaddrinfo()
4
5
The libirs version of getaddrinfo() cannot be called from within BIND9.
6
7
fix prototypes
8
---
9
 lib/irs/include/irs/netdb.h.in | 94 ++++++++++++++++++++++++++++++++++++++++++
10
 1 file changed, 94 insertions(+)
11
12
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
13
index 23dcd37..f36113d 100644
14
--- a/lib/irs/include/irs/netdb.h.in
15
+++ b/lib/irs/include/irs/netdb.h.in
16
@@ -150,6 +150,100 @@ struct addrinfo {
17
 #define	NI_DGRAM	0x00000010
18
 
19
 /*
20
+ * Define to map into irs_ namespace.
21
+ */
22
+
23
+#define IRS_NAMESPACE
24
+
25
+#ifdef IRS_NAMESPACE
26
+
27
+/*
28
+ * Use our versions not the ones from the C library.
29
+ */
30
+
31
+#ifdef getnameinfo
32
+#undef getnameinfo
33
+#endif
34
+#define getnameinfo irs_getnameinfo
35
+
36
+#ifdef getaddrinfo
37
+#undef getaddrinfo
38
+#endif
39
+#define getaddrinfo irs_getaddrinfo
40
+
41
+#ifdef freeaddrinfo
42
+#undef freeaddrinfo
43
+#endif
44
+#define freeaddrinfo irs_freeaddrinfo
45
+
46
+#ifdef gai_strerror
47
+#undef gai_strerror
48
+#endif
49
+#define gai_strerror irs_gai_strerror
50
+
51
+#endif
52
+
53
+extern int getaddrinfo (const char *name,
54
+			const char *service,
55
+			const struct addrinfo *req,
56
+			struct addrinfo **pai);
57
+extern int getnameinfo (const struct sockaddr *sa,
58
+			socklen_t salen, char *host,
59
+			socklen_t hostlen, char *serv,
60
+			socklen_t servlen, int flags);
61
+extern void freeaddrinfo (struct addrinfo *ai);
62
+extern const char *gai_strerror (int ecode);
63
+
64
+/*
65
+ * Define to map into irs_ namespace.
66
+ */
67
+
68
+#define IRS_NAMESPACE
69
+
70
+#ifdef IRS_NAMESPACE
71
+
72
+/*
73
+ * Use our versions not the ones from the C library.
74
+ */
75
+
76
+#ifdef getnameinfo
77
+#undef getnameinfo
78
+#endif
79
+#define getnameinfo irs_getnameinfo
80
+
81
+#ifdef getaddrinfo
82
+#undef getaddrinfo
83
+#endif
84
+#define getaddrinfo irs_getaddrinfo
85
+
86
+#ifdef freeaddrinfo
87
+#undef freeaddrinfo
88
+#endif
89
+#define freeaddrinfo irs_freeaddrinfo
90
+
91
+#ifdef gai_strerror
92
+#undef gai_strerror
93
+#endif
94
+#define gai_strerror irs_gai_strerror
95
+
96
+int
97
+getaddrinfo(const char *hostname, const char *servname,
98
+	    const struct addrinfo *hints, struct addrinfo **res);
99
+
100
+int
101
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
102
+	    char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen,
103
+	    char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen,
104
+	    IRS_GETNAMEINFO_FLAGS_T flags);
105
+
106
+void freeaddrinfo (struct addrinfo *ai);
107
+
108
+IRS_GAISTRERROR_RETURN_T
109
+gai_strerror(int ecode);
110
+
111
+#endif
112
+
113
+/*
114
  * Tell Emacs to use C mode on this file.
115
  * Local variables:
116
  * mode: c
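Review bot: the added block contains the `IRS_NAMESPACE` section twice: `#define IRS_NAMESPACE` and the four `#undef`/`#define` remaps appear at the top and again after the first set of prototypes, and the functions are declared twice with different types (`socklen_t` in the `extern` prototypes, `IRS_GETNAMEINFO_SOCKLEN_T` and `IRS_GETNAMEINFO_BUFLEN_T` in the second set, `const char *` versus `IRS_GAISTRERROR_RETURN_T` for `gai_strerror`). On a platform where those types differ the header fails to compile with conflicting declarations. Keep one copy of the remap block and one set of prototypes; and because `IRS_NAMESPACE` is defined unconditionally right above each `#ifdef`, either drop the guard or let the build system set the macro.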
... ... ---
117
2.9.5
118
view file @ 1fca60d876
... ... --- a/bind-9.11-rh1410433.patch
... ... +++ /dev/null
... ... @@ -1,16 +0,0 @@
0
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
1
index 15561ce..e4449b0 100644
2
--- a/lib/dns/dyndb.c
3
+++ b/lib/dns/dyndb.c
4
@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
5
 		      instname, filename);
6
 
7
 	flags = RTLD_NOW|RTLD_LOCAL;
8
+#if 0
9
+	/* Shared global namespace is required for dns-pkcs11 library */
10
 #if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
11
 	flags |= RTLD_DEEPBIND;
12
+#endif
13
 #endif
14
 
15
 	handle = dlopen(filename, flags);
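Review bot: wrapping the `RTLD_DEEPBIND` block in `#if 0` removes the flag for every dyndb module, not only for builds that link the dns-pkcs11 library, and leaves dead nested preprocessor code behind. Without `RTLD_DEEPBIND` a loaded module's references can bind to same-named symbols already present in the process before its own dependencies, so this changes symbol resolution for all plugins. Gate the block on a configure-time macro for the pkcs11 build instead of `#if 0`, and extend the comment to say what breaks when the flag is set.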
view file @ d5fe0dbac2
... ... --- /dev/null
... ... +++ b/bind-9.11-rh1666814.patch
... ... @@ -0,0 +1,29 @@
1
From d05d116da39c0a5c580ceaac6ba069899b82c5a0 Mon Sep 17 00:00:00 2001
2
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
3
Date: Wed, 16 Jan 2019 16:27:33 +0100
4
Subject: [PATCH] Fix possible crash when loading corrupted file
5
6
Some values passes internal triggers by coincidence. Fix the check and
7
check also first_node_offset before even passing it further.
8
---
9
 lib/dns/rbt.c | 4 +++-
10
 1 file changed, 3 insertions(+), 1 deletion(-)
11
12
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
13
index 5aee5f6..7f2c2d2 100644
14
--- a/lib/dns/rbt.c
15
+++ b/lib/dns/rbt.c
16
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
17
 	rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
18
 				      header->first_node_offset);
19
 
20
-	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
21
+	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
22
+	    || header->first_node_offset > filesize) {
23
+
24
 		result = ISC_R_INVALIDFILE;
25
 		goto cleanup;
26
 	}
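Review bot: the added `header->first_node_offset > filesize` test sits after `rbt->root` has already been computed from that offset, and it ignores both `header_offset` and the size of the node, so an offset within the last few bytes of the file (or equal to `filesize`) still passes and leaves `rbt->root` pointing past the mapped data. Move the validation above the `rbt->root` assignment and require that `header_offset + first_node_offset + sizeof(dns_rbtnode_t)` fits within `filesize`. The existing `header->nodecount * sizeof(dns_rbtnode_t)` product is also unchecked for wraparound; comparing `nodecount` against `filesize / sizeof(dns_rbtnode_t)` avoids that. The commit message says the offset is checked before it is passed further, which the hunk as written does not do.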
27
-- 
28
2.31.1
29
view file @ 1fca60d876
... ... --- a/bind-9.11-rt31459.patch
... ... +++ /dev/null
... ... @@ -1,2122 +0,0 @@
0
From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
1
From: Evan Hunt <each@isc.org>
2
Date: Tue, 12 Sep 2017 19:05:46 -0700
3
Subject: [PATCH] rebased rt31459c
4
5
[rt31459d] update the newer tools
6
7
[rt31459d] setup entropy in dns_lib_init()
8
9
[rt31459d] silence compiler warning
10
11
DNS_OPENSSL_LIBS -> DST_OPENSSL_LIBS
12
13
Include new unit test
14
---
15
 bin/confgen/keygen.c                     |   7 +
16
 bin/dnssec/dnssec-dsfromkey.c            |   8 +-
17
 bin/dnssec/dnssec-importkey.c            |   8 +-
18
 bin/dnssec/dnssec-revoke.c               |   8 +-
19
 bin/dnssec/dnssec-settime.c              |   8 +-
20
 bin/dnssec/dnssec-signzone.c             |  11 +-
21
 bin/dnssec/dnssec-verify.c               |   8 +-
22
 bin/dnssec/dnssectool.c                  |  11 +-
23
 bin/named/server.c                       |   6 +
24
 bin/nsupdate/nsupdate.c                  |  14 +-
25
 bin/tests/makejournal.c                  |   6 +-
26
 bin/tests/system/pipelined/pipequeries.c |  20 +-
27
 bin/tests/system/pipelined/tests.sh      |   4 +-
28
 bin/tests/system/rsabigexponent/bigkey.c |   4 +
29
 bin/tests/system/tkey/keycreate.c        |  26 ++-
30
 bin/tests/system/tkey/keydelete.c        |  26 ++-
31
 bin/tests/system/tkey/tests.sh           |   8 +-
32
 bin/tools/mdig.c                         |   3 +-
33
 configure                                | 250 +++++++++++++----------
34
 configure.ac                             |  77 ++++++-
35
 lib/dns/dst_api.c                        |  21 +-
36
 lib/dns/include/dst/dst.h                |   8 +
37
 lib/dns/lib.c                            |  15 +-
38
 lib/dns/openssl_link.c                   |  72 ++++++-
39
 lib/dns/pkcs11.c                         |  29 ++-
40
 lib/dns/tests/Kyuafile                   |   1 +
41
 lib/dns/tests/Makefile.in                |   7 +
42
 lib/dns/tests/dstrandom_test.c           | 115 +++++++++++
43
 lib/dns/win32/libdns.def.in              |   7 +
44
 lib/isc/entropy.c                        |  24 +++
45
 lib/isc/include/isc/entropy.h            |  12 ++
46
 lib/isc/include/isc/platform.h.in        |   5 +
47
 lib/isc/include/isc/types.h              |   2 +
48
 lib/isc/pk11.c                           |  12 +-
49
 lib/isc/win32/include/isc/platform.h.in  |   5 +
50
 win32utils/Configure                     |  28 ++-
51
 36 files changed, 701 insertions(+), 175 deletions(-)
52
 create mode 100644 lib/dns/tests/dstrandom_test.c
53
54
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
55
index 5015abb..295e16f 100644
56
--- a/bin/confgen/keygen.c
57
+++ b/bin/confgen/keygen.c
58
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
59
 		randomfile = NULL;
60
 		open_keyboard = ISC_ENTROPY_KEYBOARDYES;
61
 	}
62
+#ifdef ISC_PLATFORM_CRYPTORANDOM
63
+	if (randomfile != NULL &&
64
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
65
+		randomfile = NULL;
66
+		isc_entropy_usehook(ectx, true);
67
+	}
68
+#endif
69
 	DO("start entropy source", isc_entropy_usebestsource(ectx,
70
 							     &entropy_source,
71
 							     randomfile,
72
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
73
index d9d6bb9..de4b15f 100644
74
--- a/bin/dnssec/dnssec-dsfromkey.c
75
+++ b/bin/dnssec/dnssec-dsfromkey.c
76
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
77
 
78
 	if (ectx == NULL)
79
 		setup_entropy(mctx, NULL, &ectx);
80
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
81
-	if (result != ISC_R_SUCCESS)
82
-		fatal("could not initialize hash");
83
 	result = dst_lib_init(mctx, ectx,
84
 			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
85
 	if (result != ISC_R_SUCCESS)
86
 		fatal("could not initialize dst: %s",
87
 		      isc_result_totext(result));
88
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
89
+	if (result != ISC_R_SUCCESS)
90
+		fatal("could not initialize hash");
91
 	isc_entropy_stopcallbacksources(ectx);
92
 
93
 	setup_logging(mctx, &log);
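Review bot: The swap of isc_hash_create() and dst_lib_init() in main() has no comment saying why hash creation must now follow dst initialization, and the same reorder is repeated in the other dnssec tools in this patch. A one-line comment at the call site stating the dependency would keep a later cleanup from reverting the order in one tool and not the others.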
94
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
95
 	if (dns_rdataset_isassociated(&rdataset))
96
 		dns_rdataset_disassociate(&rdataset);
97
 	cleanup_logging(&log);
98
-	dst_lib_destroy();
99
 	isc_hash_destroy();
100
+	dst_lib_destroy();
101
 	cleanup_entropy(&ectx);
102
 	dns_name_destroy();
103
 	if (verbose > 10)
104
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
105
index d65a514..04b3094 100644
106
--- a/bin/dnssec/dnssec-importkey.c
107
+++ b/bin/dnssec/dnssec-importkey.c
108
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
109
 
110
 	if (ectx == NULL)
111
 		setup_entropy(mctx, NULL, &ectx);
112
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
113
-	if (result != ISC_R_SUCCESS)
114
-		fatal("could not initialize hash");
115
 	result = dst_lib_init(mctx, ectx,
116
 			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
117
 	if (result != ISC_R_SUCCESS)
118
 		fatal("could not initialize dst: %s",
119
 		      isc_result_totext(result));
120
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
121
+	if (result != ISC_R_SUCCESS)
122
+		fatal("could not initialize hash");
123
 	isc_entropy_stopcallbacksources(ectx);
124
 
125
 	setup_logging(mctx, &log);
126
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
127
 	if (dns_rdataset_isassociated(&rdataset))
128
 		dns_rdataset_disassociate(&rdataset);
129
 	cleanup_logging(&log);
130
-	dst_lib_destroy();
131
 	isc_hash_destroy();
132
+	dst_lib_destroy();
133
 	cleanup_entropy(&ectx);
134
 	dns_name_destroy();
135
 	if (verbose > 10)
136
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
137
index 7d82dbf..10f9359 100644
138
--- a/bin/dnssec/dnssec-revoke.c
139
+++ b/bin/dnssec/dnssec-revoke.c
140
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
141
 
142
 	if (ectx == NULL)
143
 		setup_entropy(mctx, NULL, &ectx);
144
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
145
-	if (result != ISC_R_SUCCESS)
146
-		fatal("Could not initialize hash");
147
 	result = dst_lib_init2(mctx, ectx, engine,
148
 			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
149
 	if (result != ISC_R_SUCCESS)
150
 		fatal("Could not initialize dst: %s",
151
 		      isc_result_totext(result));
152
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
153
+	if (result != ISC_R_SUCCESS)
154
+		fatal("Could not initialize hash");
155
 	isc_entropy_stopcallbacksources(ectx);
156
 
157
 	result = dst_key_fromnamedfile(filename, dir,
158
@@ -273,8 +273,8 @@ main(int argc, char **argv) {
159
 
160
 cleanup:
161
 	dst_key_free(&key);
162
-	dst_lib_destroy();
163
 	isc_hash_destroy();
164
+	dst_lib_destroy();
165
 	cleanup_entropy(&ectx);
166
 	if (verbose > 10)
167
 		isc_mem_stats(mctx, stdout);
168
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
169
index 7afcaee..1cfa511 100644
170
--- a/bin/dnssec/dnssec-settime.c
171
+++ b/bin/dnssec/dnssec-settime.c
172
@@ -380,14 +380,14 @@ main(int argc, char **argv) {
173
 
174
 	if (ectx == NULL)
175
 		setup_entropy(mctx, NULL, &ectx);
176
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
177
-	if (result != ISC_R_SUCCESS)
178
-		fatal("Could not initialize hash");
179
 	result = dst_lib_init2(mctx, ectx, engine,
180
 			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
181
 	if (result != ISC_R_SUCCESS)
182
 		fatal("Could not initialize dst: %s",
183
 		      isc_result_totext(result));
184
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
185
+	if (result != ISC_R_SUCCESS)
186
+		fatal("Could not initialize hash");
187
 	isc_entropy_stopcallbacksources(ectx);
188
 
189
 	if (predecessor != NULL) {
190
@@ -672,8 +672,8 @@ main(int argc, char **argv) {
191
 	if (prevkey != NULL)
192
 		dst_key_free(&prevkey);
193
 	dst_key_free(&key);
194
-	dst_lib_destroy();
195
 	isc_hash_destroy();
196
+	dst_lib_destroy();
197
 	cleanup_entropy(&ectx);
198
 	if (verbose > 10)
199
 		isc_mem_stats(mctx, stdout);
200
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
201
index 319a805..27ae4d4 100644
202
--- a/bin/dnssec/dnssec-signzone.c
203
+++ b/bin/dnssec/dnssec-signzone.c
204
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
205
 	if (!pseudorandom)
206
 		eflags |= ISC_ENTROPY_GOODONLY;
207
 
208
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
209
-	if (result != ISC_R_SUCCESS)
210
-		fatal("could not create hash context");
211
-
212
 	result = dst_lib_init2(mctx, ectx, engine, eflags);
213
 	if (result != ISC_R_SUCCESS)
214
 		fatal("could not initialize dst: %s",
215
 		      isc_result_totext(result));
216
+
217
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
218
+	if (result != ISC_R_SUCCESS)
219
+		fatal("could not create hash context");
220
+
221
 	isc_stdtime_get(&now);
222
 
223
 	if (startstr != NULL) {
224
@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) {
225
 	dns_master_styledestroy(&dsstyle, mctx);
226
 
227
 	cleanup_logging(&log);
228
-	dst_lib_destroy();
229
 	isc_hash_destroy();
230
+	dst_lib_destroy();
231
 	cleanup_entropy(&ectx);
232
 	dns_name_destroy();
233
 	if (verbose > 10)
234
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
235
index 4c293bf..3263cbc 100644
236
--- a/bin/dnssec/dnssec-verify.c
237
+++ b/bin/dnssec/dnssec-verify.c
238
@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
239
 	if (ectx == NULL)
240
 		setup_entropy(mctx, NULL, &ectx);
241
 
242
-	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
243
-	if (result != ISC_R_SUCCESS)
244
-		fatal("could not create hash context");
245
-
246
 	result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
247
 	if (result != ISC_R_SUCCESS)
248
 		fatal("could not initialize dst: %s",
249
 		      isc_result_totext(result));
250
 
251
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
252
+	if (result != ISC_R_SUCCESS)
253
+		fatal("could not create hash context");
254
+
255
 	isc_stdtime_get(&now);
256
 
257
 	rdclass = strtoclass(classname);
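Review bot: dnssec-verify.c gets the init reorder (dst_lib_init2() before isc_hash_create()) but no matching teardown hunk, whereas dnssec-dsfromkey.c, dnssec-importkey.c, dnssec-revoke.c, dnssec-settime.c and dnssec-signzone.c all also move dst_lib_destroy() after isc_hash_destroy(). Check the cleanup path in this file and either apply the same swap or note why it is not needed here.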
258
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
259
index 618ec5b..5654435 100644
260
--- a/bin/dnssec/dnssectool.c
261
+++ b/bin/dnssec/dnssectool.c
262
@@ -34,6 +34,7 @@
263
 #include <isc/heap.h>
264
 #include <isc/list.h>
265
 #include <isc/mem.h>
266
+#include <isc/platform.h>
267
 #include <isc/print.h>
268
 #include <isc/string.h>
269
 #include <isc/time.h>
270
@@ -235,7 +236,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
271
 	if (*ectx == NULL) {
272
 		result = isc_entropy_create(mctx, ectx);
273
 		if (result != ISC_R_SUCCESS)
274
-			fatal("could not create entropy object");
275
+			fatal("could not create entropy object: %s",
276
+			      isc_result_totext(result));
277
 		ISC_LIST_INIT(sources);
278
 	}
279
 
280
@@ -244,6 +246,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
281
 		randomfile = NULL;
282
 	}
283
 
284
+#ifdef ISC_PLATFORM_CRYPTORANDOM
285
+	if (randomfile != NULL &&
286
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
287
+		randomfile = NULL;
288
+		isc_entropy_usehook(*ectx, true);
289
+	}
290
+#endif
291
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
292
 					   usekeyboard);
293
 
294
diff --git a/bin/named/server.c b/bin/named/server.c
295
index 4e503e5..f27071f 100644
296
--- a/bin/named/server.c
297
+++ b/bin/named/server.c
298
@@ -36,6 +36,7 @@
299
 #include <isc/lex.h>
300
 #include <isc/meminfo.h>
301
 #include <isc/parseint.h>
302
+#include <isc/platform.h>
303
 #include <isc/portset.h>
304
 #include <isc/print.h>
305
 #include <isc/random.h>
306
@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
307
 				      "no source of entropy found");
308
 		} else {
309
 			const char *randomdev = cfg_obj_asstring(obj);
310
+#ifdef ISC_PLATFORM_CRYPTORANDOM
311
+			if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
312
+				isc_entropy_usehook(ns_g_entropy, true);
313
+#else
314
 			int level = ISC_LOG_ERROR;
315
 			result = isc_entropy_createfilesource(ns_g_entropy,
316
 							      randomdev);
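Review bot: With ISC_PLATFORM_CRYPTORANDOM defined, the whole isc_entropy_createfilesource() path in load_configuration() moves under #else and is compiled out, so a configured random-device that does not equal the provider name is ignored: the strcmp() fails, no hook is enabled, no file source is created and nothing is logged. Keep the file-source path as the fallback when the strcmp() does not match, or at least log that the configured device is being ignored, so an operator who sets an explicit random device is not left running with a different source than the one configured.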
317
@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
318
 				}
319
 				isc_entropy_detach(&ns_g_fallbackentropy);
320
 			}
321
+#endif
322
 #endif
323
 		}
324
 
325
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
326
index bbb3936..0286987 100644
327
--- a/bin/nsupdate/nsupdate.c
328
+++ b/bin/nsupdate/nsupdate.c
329
@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
330
 	if (*ectx == NULL) {
331
 		result = isc_entropy_create(mctx, ectx);
332
 		if (result != ISC_R_SUCCESS)
333
-			fatal("could not create entropy object");
334
+			fatal("could not create entropy object: %s",
335
+			      isc_result_totext(result));
336
 		ISC_LIST_INIT(sources);
337
 	}
338
 
339
@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
340
 		randomfile = NULL;
341
 	}
342
 
343
+#ifdef ISC_PLATFORM_CRYPTORANDOM
344
+	if (randomfile != NULL &&
345
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
346
+		randomfile = NULL;
347
+		isc_entropy_usehook(*ectx, true);
348
+	}
349
+#endif
350
 	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
351
 					   usekeyboard);
352
 
353
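Review bot: This #ifdef ISC_PLATFORM_CRYPTORANDOM / strcmp() / isc_entropy_usehook() block in setup_entropy() is the same block already pasted into keygen.c and dnssectool.c, and it appears again in pipequeries.c, keycreate.c and keydelete.c. Move it into one helper next to isc_entropy_usebestsource() so the rule for what counts as the provider name lives in a single place and cannot drift between tools.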
@@ -979,11 +987,11 @@ setup_system(void) {
354
 		}
355
 	}
356
 
357
-	setup_entropy(gmctx, NULL, &entropy);
358
+	if (entropy == NULL)
359
+		setup_entropy(gmctx, NULL, &entropy);
360
 
361
 	result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
362
 	check_result(result, "isc_hash_create");
363
-	isc_hash_init();
364
 
365
 	result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
366
 	check_result(result, "dns_dispatchmgr_create");
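Review bot: The isc_hash_init() call after isc_hash_create() in setup_system() is removed with no replacement and no explanation in the hunk. State where the hash is initialized now (or that initialization is deferred on purpose), since callers below this point use the hash context right away. The new "if (entropy == NULL)" guard is fine, but it also deserves a comment naming the path that can set entropy before setup_system() runs.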
367
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
368
index 61a41b0..acc71a1 100644
369
--- a/bin/tests/makejournal.c
370
+++ b/bin/tests/makejournal.c
371
@@ -102,12 +102,12 @@ main(int argc, char **argv) {
372
 	CHECK(isc_mem_create(0, 0, &mctx));
373
 	CHECK(isc_entropy_create(mctx, &ectx));
374
 
375
-	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
376
-	hash_active = true;
377
-
378
 	CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
379
 	dst_active = true;
380
 
381
+	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
382
+	hash_active = true;
383
+
384
 	CHECK(isc_log_create(mctx, &lctx, &logconfig));
385
 	isc_log_registercategories(lctx, categories);
386
 	isc_log_setcontext(lctx);
387
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
388
index c6ab7f8..f0a6ff2 100644
389
--- a/bin/tests/system/pipelined/pipequeries.c
390
+++ b/bin/tests/system/pipelined/pipequeries.c
391
@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
392
 
393
 int
394
 main(int argc, char *argv[]) {
395
+	char *randomfile = NULL;
396
 	isc_sockaddr_t bind_any;
397
 	struct in_addr inaddr;
398
 	isc_result_t result;
399
@@ -222,7 +223,7 @@ main(int argc, char *argv[]) {
400
 	int c;
401
 
402
 	isc_commandline_errprint = false;
403
-	while ((c = isc_commandline_parse(argc, argv, "p:")) != -1) {
404
+	while ((c = isc_commandline_parse(argc, argv, "p:r:")) != -1) {
405
 		switch (c) {
406
 		case 'p':
407
 			result = isc_parse_uint16(&port,
408
@@ -233,6 +234,9 @@ main(int argc, char *argv[]) {
409
 				exit(1);
410
 			}
411
 			break;
412
+		case 'r':
413
+			randomfile = isc_commandline_argument;
414
+			break;
415
 		case '?':
416
 			fprintf(stderr, "%s: invalid argument '%c'",
417
 				argv[0], c);
418
@@ -275,10 +279,18 @@ main(int argc, char *argv[]) {
419
 
420
 	ectx = NULL;
421
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
422
-	RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
423
-	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
424
+#ifdef ISC_PLATFORM_CRYPTORANDOM
425
+	if (randomfile != NULL &&
426
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
427
+		randomfile = NULL;
428
+		isc_entropy_usehook(ectx, true);
429
+	}
430
+#endif
431
+	if (randomfile != NULL)
432
+		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
433
 
434
 	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
435
+	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
436
 
437
 	taskmgr = NULL;
438
 	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
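Review bot: After this change main() registers no entropy source at all when -r is omitted: the unconditional isc_entropy_createfilesource(ectx, "../random.data") is gone and the new call only runs when randomfile is non-NULL. dst_lib_init() is then called with ISC_ENTROPY_GOODONLY on a context that may have no source and no hook. Either keep "../random.data" as the default when -r is not given, or fail early with a usage message so the test program does not depend on every caller passing -r.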
439
@@ -331,8 +343,8 @@ main(int argc, char *argv[]) {
440
 	isc_task_detach(&task);
441
 	isc_taskmgr_destroy(&taskmgr);
442
 
443
-	dst_lib_destroy();
444
 	isc_hash_destroy();
445
+	dst_lib_destroy();
446
 	isc_entropy_detach(&ectx);
447
 
448
 	isc_log_destroy(&lctx);
449
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
450
index 61f1ff7..ed1302a 100644
451
--- a/bin/tests/system/pipelined/tests.sh
452
+++ b/bin/tests/system/pipelined/tests.sh
453
@@ -19,7 +19,7 @@ status=0
454
 
455
 echo_i "check pipelined TCP queries"
456
 ret=0
457
-$PIPEQUERIES -p ${PORT} < input > raw || ret=1
458
+$PIPEQUERIES -p ${PORT} -r $RANDFILE < input > raw || ret=1
459
 awk '{ print $1 " " $5 }' < raw > output
460
 sort < output > output-sorted
461
 $DIFF ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
462
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
463
 
464
 echo_i "check keep-response-order"
465
 ret=0
466
-$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
467
+$PIPEQUERIES -p ${PORT} -r $RANDFILE ++ < inputb > rawb || ret=1
468
 awk '{ print $1 " " $5 }' < rawb > outputb
469
 $DIFF refb outputb || ret=1
470
 if [ $ret != 0 ]; then echo_i "failed"; fi
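Review bot: $RANDFILE is expanded unquoted on the $PIPEQUERIES command line, and nothing in this file shows where it is set. If it is empty or unset, -r takes the following "++" as its argument and the keep-response-order test runs a different command than intended. Quote it as "$RANDFILE" and fail the test up front when it is empty.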
471
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
472
index 4462f2e..f06268d 100644
473
--- a/bin/tests/system/rsabigexponent/bigkey.c
474
+++ b/bin/tests/system/rsabigexponent/bigkey.c
475
@@ -20,6 +20,7 @@
476
 #include <isc/buffer.h>
477
 #include <isc/entropy.h>
478
 #include <isc/mem.h>
479
+#include <isc/platform.h>
480
 #include <isc/print.h>
481
 #include <isc/region.h>
482
 #include <isc/stdio.h>
483
@@ -183,6 +184,9 @@ main(int argc, char **argv) {
484
 
485
 	CHECK(isc_mem_create(0, 0, &mctx), "isc_mem_create()");
486
 	CHECK(isc_entropy_create(mctx, &ectx), "isc_entropy_create()");
487
+#ifdef ISC_PLATFORM_CRYPTORANDOM
488
+	isc_entropy_usehook(ectx, true);
489
+#endif
490
 	CHECK(isc_entropy_usebestsource(ectx, &source,
491
 					"../random.data",
492
 					ISC_ENTROPY_KEYBOARDNO),
493
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
494
index 653c951..fe8698e 100644
495
--- a/bin/tests/system/tkey/keycreate.c
496
+++ b/bin/tests/system/tkey/keycreate.c
497
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
498
 int
499
 main(int argc, char *argv[]) {
500
 	char *ourkeyname;
501
+	char *randomfile;
502
 	isc_taskmgr_t *taskmgr;
503
 	isc_timermgr_t *timermgr;
504
 	isc_socketmgr_t *socketmgr;
505
@@ -225,10 +226,21 @@ main(int argc, char *argv[]) {
506
 
507
 	RUNCHECK(isc_app_start());
508
 
509
+	randomfile = NULL;
510
+
511
 	if (argc < 2) {
512
 		fprintf(stderr, "I:no DH key provided\n");
513
 		exit(-1);
514
 	}
515
+	if (strcmp(argv[1], "-r") == 0) {
516
+		if (argc < 4) {
517
+			fprintf(stderr, "I:no DH key provided\n");
518
+			exit(-1);
519
+		}
520
+		randomfile = argv[2];
521
+		argv += 2;
522
+		argc -= 2;
523
+	}
524
 	ourkeyname = argv[1];
525
 
526
 	if (argc >= 3)
527
@@ -242,14 +254,22 @@ main(int argc, char *argv[]) {
528
 
529
 	ectx = NULL;
530
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
531
-	RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
532
-	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
533
+#ifdef ISC_PLATFORM_CRYPTORANDOM
534
+	if (randomfile != NULL &&
535
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
536
+		randomfile = NULL;
537
+		isc_entropy_usehook(ectx, true);
538
+	}
539
+#endif
540
+	if (randomfile != NULL)
541
+		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
542
 
543
 	log = NULL;
544
 	logconfig = NULL;
545
 	RUNCHECK(isc_log_create(mctx, &log, &logconfig));
546
 
547
 	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
548
+	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
549
 
550
 	taskmgr = NULL;
551
 	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
552
@@ -328,8 +348,8 @@ main(int argc, char *argv[]) {
553
 
554
 	isc_log_destroy(&log);
555
 
556
-	dst_lib_destroy();
557
 	isc_hash_destroy();
558
+	dst_lib_destroy();
559
 	isc_entropy_detach(&ectx);
560
 
561
 	isc_mem_destroy(&mctx);
562
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
563
index 70a40c3..2146f9b 100644
564
--- a/bin/tests/system/tkey/keydelete.c
565
+++ b/bin/tests/system/tkey/keydelete.c
566
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
567
 int
568
 main(int argc, char **argv) {
569
 	char *keyname;
570
+	char *randomfile;
571
 	isc_taskmgr_t *taskmgr;
572
 	isc_timermgr_t *timermgr;
573
 	isc_socketmgr_t *socketmgr;
574
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
575
 
576
 	RUNCHECK(isc_app_start());
577
 
578
+	randomfile = NULL;
579
+
580
 	if (argc < 2) {
581
 		fprintf(stderr, "I:no key to delete\n");
582
 		exit(-1);
583
 	}
584
+	if (strcmp(argv[1], "-r") == 0) {
585
+		if (argc < 4) {
586
+			fprintf(stderr, "I:no DH key provided\n");
587
+			exit(-1);
588
+		}
589
+		randomfile = argv[2];
590
+		argv += 2;
591
+		argc -= 2;
592
+	}
593
 	keyname = argv[1];
594
 
595
 	dns_result_register();
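Review bot: The error text in the new -r branch of keydelete.c reads "I:no DH key provided", copied from keycreate.c, while this program's own message two lines above is "I:no key to delete". Use the keydelete wording here so a failing test log points at the right missing argument. The hand-rolled argv shifting could also use isc_commandline_parse() as pipequeries.c does, which would reject a -r with no value consistently.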
596
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
597
 
598
 	ectx = NULL;
599
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
600
-	RUNCHECK(isc_entropy_createfilesource(ectx, "../random.data"));
601
-	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
602
+#ifdef ISC_PLATFORM_CRYPTORANDOM
603
+	if (randomfile != NULL &&
604
+	    strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
605
+		randomfile = NULL;
606
+		isc_entropy_usehook(ectx, true);
607
+	}
608
+#endif
609
+	if (randomfile != NULL)
610
+		RUNCHECK(isc_entropy_createfilesource(ectx, randomfile));
611
 
612
 	log = NULL;
613
 	logconfig = NULL;
614
 	RUNCHECK(isc_log_create(mctx, &log, &logconfig));
615
 
616
 	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
617
+	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
618
 
619
 	taskmgr = NULL;
620
 	RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
621
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
622
 
623
 	isc_log_destroy(&log);
624
 
625
-	dst_lib_destroy();
626
 	isc_hash_destroy();
627
+	dst_lib_destroy();
628
 	isc_entropy_detach(&ectx);
629
 
630
 	isc_mem_destroy(&mctx);
631
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
632
index 9f90dd7..fad6c83 100644
633
--- a/bin/tests/system/tkey/tests.sh
634
+++ b/bin/tests/system/tkey/tests.sh
635
@@ -33,7 +33,7 @@ for owner in . foo.example.
636
 do
637
 	echo "I:creating new key using owner name \"$owner\""
638
 	ret=0
639
-	keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
640
+	keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
641
 	if [ $ret != 0 ]; then
642
 		echo "I:failed"
643
 		status=`expr $status + $ret`
644
@@ -55,7 +55,7 @@ do
645
 
646
 	echo "I:deleting new key"
647
 	ret=0
648
-	$KEYDELETE $keyname || ret=1
649
+	$KEYDELETE -r $RANDFILE $keyname || ret=1
650
 	if [ $ret != 0 ]; then
651
 		echo "I:failed"
652
 	fi
653
@@ -75,7 +75,7 @@ done
654
 
655
 echo "I:creating new key using owner name bar.example."
656
 ret=0
657
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
658
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
659
 if [ $ret != 0 ]; then
660
         echo "I:failed"
661
 	status=`expr $status + $ret`
662
@@ -116,7 +116,7 @@ status=`expr $status + $ret`
663
 
664
 echo "I:recreating the bar.example. key"
665
 ret=0
666
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
667
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
668
 if [ $ret != 0 ]; then
669
         echo "I:failed"
670
 	status=`expr $status + $ret`
671
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
672
index bf6dbb6..0416b21 100644
673
--- a/bin/tools/mdig.c
674
+++ b/bin/tools/mdig.c
675
@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) {
676
 
677
 	ectx = NULL;
678
 	RUNCHECK(isc_entropy_create(mctx, &ectx));
679
+	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
680
 	RUNCHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
681
 	RUNCHECK(isc_entropy_getdata(ectx, cookie_secret,
682
 				     sizeof(cookie_secret), NULL, 0));
683
 
684
-	RUNCHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_GOODONLY));
685
-
686
 	ISC_LIST_INIT(queries);
687
 	parse_args(false, argc, argv);
688
 	if (server == NULL)
689
diff --git a/configure b/configure
690
index 6d05371..33689c9 100755
691
--- a/configure
692
+++ b/configure
693
@@ -640,6 +640,7 @@ ac_includes_default="\
694
 
695
 ac_subst_vars='LTLIBOBJS
696
 LIBOBJS
697
+LIBDIR_SUFFIX
698
 BUILD_LIBS
699
 BUILD_LDFLAGS
700
 BUILD_CPPFLAGS
701
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
702
 NZDTARGETS
703
 NZDSRCS
704
 NZD_TOOLS
705
+ISC_PLATFORM_CRYPTORANDOM
706
 PKCS11_TEST
707
 PKCS11_ED25519
708
 PKCS11_GOST
709
@@ -1047,6 +1049,7 @@ with_eddsa
710
 with_aes
711
 enable_openssl_hash
712
 with_cc_alg
713
+enable_crypto_rand
714
 with_lmdb
715
 with_libxml2
716
 with_libjson
717
@@ -1749,6 +1752,7 @@ Optional Features:
718
   --enable-threads        enable multithreading
719
   --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
720
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
721
+  --enable-crypto-rand    use the crypto provider for random [default=yes]
722
   --enable-largefile      64-bit file support
723
   --enable-backtrace      log stack backtrace on abort [default=yes]
724
   --enable-symtable       use internal symbol table for backtrace
725
@@ -17144,6 +17148,7 @@ case "$use_openssl" in
726
 $as_echo "disabled because of native PKCS11" >&6; }
727
 		DST_OPENSSL_INC=""
728
 		CRYPTO="-DPKCS11CRYPTO"
729
+		CRYPTOLIB="pkcs11"
730
 		OPENSSLECDSALINKOBJS=""
731
 		OPENSSLECDSALINKSRCS=""
732
 		OPENSSLEDDSALINKOBJS=""
733
@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
734
 $as_echo "no" >&6; }
735
 		DST_OPENSSL_INC=""
736
 		CRYPTO=""
737
+		CRYPTOLIB=""
738
 		OPENSSLECDSALINKOBJS=""
739
 		OPENSSLECDSALINKSRCS=""
740
 		OPENSSLEDDSALINKOBJS=""
741
@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; }
742
 	auto)
743
 		DST_OPENSSL_INC=""
744
 		CRYPTO=""
745
+		CRYPTOLIB=""
746
 		OPENSSLECDSALINKOBJS=""
747
 		OPENSSLECDSALINKSRCS=""
748
 		OPENSSLEDDSALINKOBJS=""
749
@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; }
750
 		OPENSSLLINKOBJS=""
751
 		OPENSSLLINKSRCS=""
752
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
753
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
754
+If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
755
 		;;
756
 	*)
757
 		if test "yes" = "$want_native_pkcs11"
758
@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; }
759
 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
760
 		fi
761
 		CRYPTO='-DOPENSSL'
762
+		CRYPTOLIB="openssl"
763
 		if test "/usr" = "$use_openssl"
764
 		then
765
 			DST_OPENSSL_INC=""
766
@@ -17835,8 +17843,6 @@ fi
767
 # Use OpenSSL for hash functions
768
 #
769
 
770
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
771
-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
772
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
773
 case $want_openssl_hash in
774
 	yes)
775
@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then
776
 	LIBS="-lrt $LIBS"
777
 fi
778
 
779
+#
780
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
781
+#
782
+
783
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using the crypto library (vs. builtin) for random functions" >&5
784
+$as_echo_n "checking for using the crypto library (vs. builtin) for random functions... " >&6; }
785
+# Check whether --enable-crypto-rand was given.
786
+if test "${enable_crypto_rand+set}" = set; then :
787
+  enableval=$enable_crypto_rand; want_crypto_rand="$enableval"
788
+else
789
+  want_crypto_rand="auto"
790
+fi
791
+
792
+if test "$want_crypto_rand" = "auto"
793
+then
794
+	case "$CRYPTOLIB" in
795
+	"")
796
+		want_crypto_rand="no"
797
+		;;
798
+	pkcs11)
799
+		want_crypto_rand="yes"
800
+		;;
801
+	openssl)
802
+		saved_cflags="$CFLAGS"
803
+		saved_libs="$LIBS"
804
+		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
805
+		LIBS="$LIBS $DST_OPENSSL_LIBS"
806
+		if test "$cross_compiling" = yes; then :
807
+  want_crypto_rand="yes"
808
+else
809
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
810
+/* end confdefs.h.  */
811
+
812
+#include <openssl/rand.h>
813
+
814
+unsigned char buf[128];
815
+
816
+int main()
817
+{
818
+	if (RAND_bytes(buf, 128) != 1)
819
+		return (1);
820
+	return (0);
821
+}
822
+
823
+_ACEOF
824
+if ac_fn_c_try_run "$LINENO"; then :
825
+  want_crypto_rand="yes"
826
+else
827
+  want_crypto_rand="no"
828
+fi
829
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
830
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
831
+fi
832
+
833
+		CFLAGS="$saved_cflags"
834
+		LIBS="$saved_libs"
835
+		;;
836
+	*)
837
+		as_fn_error $? "Unknown crypto library define $CRYPTOLIB" "$LINENO" 5
838
+		;;
839
+	esac
840
+fi
841
+case $want_crypto_rand in
842
+	yes)
843
+		if test "$CRYPTOLIB" = ""
844
+		then
845
+			as_fn_error $? "No crypto library for random functions" "$LINENO" 5
846
+		fi
847
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$CRYPTOLIB\"" >&5
848
+$as_echo "\"$CRYPTOLIB\"" >&6; }
849
+		ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
850
+		;;
851
+	no)
852
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
853
+$as_echo "no" >&6; }
854
+		ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
855
+		;;
856
+esac
857
+
858
+
859
 #
860
 # was --with-lmdb specified?
861
 #
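Review bot: The help text added earlier in this patch advertises --enable-crypto-rand as [default=yes], but the code in this hunk defaults want_crypto_rand to "auto", which resolves to "no" when CRYPTOLIB is empty or when the RAND_bytes() run test fails. Change the help string to [default=auto] or make the default match it. Note also that the cross-compiling branch sets "yes" without testing anything, and that a RAND_bytes() probe on the build host says nothing about the provider on the host where named will run, so the choice should be reported clearly in the configure summary.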
862
@@ -20441,9 +20527,12 @@ _ACEOF
863
 if ac_fn_c_try_compile "$LINENO"; then :
864
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
865
 $as_echo "size_t for buflen; int for flags" >&6; }
866
-	 $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T size_t" >>confdefs.h
867
+	# Changed to solve multilib conflict on Fedora
868
+	# AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, size_t)
869
+	# AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
870
+	 $as_echo "#define IRS_GETNAMEINFO_SOCKLEN_T socklen_t" >>confdefs.h
871
 
872
-	 $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T size_t" >>confdefs.h
873
+	 $as_echo "#define IRS_GETNAMEINFO_BUFLEN_T socklen_t" >>confdefs.h
874
 
875
 	 $as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
876
 
877
@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
878
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
879
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
880
 if test "yes" = "$use_atomic"; then
881
-	have_atomic=yes		# set default
882
-	case "$host" in
883
-	i[3456]86-*)
884
-		# XXX: some old x86 architectures actually do not support
885
-		#      (some of) these operations.  Do we need stricter checks?
886
-		# The cast to long int works around a bug in the HP C Compiler
887
+	# The cast to long int works around a bug in the HP C Compiler
888
 # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
889
 # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
890
 # This bug is HP SR number 8606223364.
891
@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF
892
 _ACEOF
893
 
894
 
895
+	have_atomic=yes		# set default
896
+	case "$host" in
897
+	i[3456]86-*)
898
+		# XXX: some old x86 architectures actually do not support
899
+		#      (some of) these operations.  Do we need stricter checks?
900
 		if test $ac_cv_sizeof_void_p = 8; then
901
 			arch=x86_64
902
 			have_xaddq=yes
903
@@ -21804,39 +21893,6 @@ _ACEOF
904
 		fi
905
 	;;
906
 	x86_64-*|amd64-*)
907
-		# The cast to long int works around a bug in the HP C Compiler
908
-# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
909
-# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
910
-# This bug is HP SR number 8606223364.
911
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of void *" >&5
912
-$as_echo_n "checking size of void *... " >&6; }
913
-if ${ac_cv_sizeof_void_p+:} false; then :
914
-  $as_echo_n "(cached) " >&6
915
-else
916
-  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (void *))" "ac_cv_sizeof_void_p"        "$ac_includes_default"; then :
917
-
918
-else
919
-  if test "$ac_cv_type_void_p" = yes; then
920
-     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
921
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
922
-as_fn_error 77 "cannot compute sizeof (void *)
923
-See \`config.log' for more details" "$LINENO" 5; }
924
-   else
925
-     ac_cv_sizeof_void_p=0
926
-   fi
927
-fi
928
-
929
-fi
930
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_void_p" >&5
931
-$as_echo "$ac_cv_sizeof_void_p" >&6; }
932
-
933
-
934
-
935
-cat >>confdefs.h <<_ACEOF
936
-#define SIZEOF_VOID_P $ac_cv_sizeof_void_p
937
-_ACEOF
938
-
939
-
940
 		if test $ac_cv_sizeof_void_p = 8; then
941
 			arch=x86_64
942
 			have_xaddq=yes
943
@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
944
 $as_echo "$arch" >&6; }
945
 fi
946
 
947
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
948
+	as_fn_error $? "XADDQ present but disabled by Fedora patch!" "$LINENO" 5
949
+fi
950
+
951
 if test "yes" = "$have_atomic"; then
952
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
953
 $as_echo_n "checking compiler support for inline assembly code... " >&6; }
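Review bot: The new guard uses "test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"", which mixes ! and -a in one test invocation; evaluation of test with that many operands is unspecified in POSIX and -a is marked obsolescent. Write it as test "$arch" != "x86_64" && test "$have_xaddq" = "yes". The error text "XADDQ present but disabled by Fedora patch!" should also say what the builder is expected to do about it.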
954
@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
955
 #
956
 dlzdir='${DLZ_DRIVER_DIR}'
957
 
958
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for target libdir" >&5
959
+$as_echo_n "checking for target libdir... " >&6; }
960
+if test "$cross_compiling" = yes; then :
961
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
962
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
963
+as_fn_error $? "cannot run test program while cross compiling
964
+See \`config.log' for more details" "$LINENO" 5; }
965
+else
966
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
967
+/* end confdefs.h.  */
968
+int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}
969
+_ACEOF
970
+if ac_fn_c_try_run "$LINENO"; then :
971
+  target_lib=lib64
972
+else
973
+  target_lib=lib
974
+fi
975
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
976
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
977
+fi
978
+
979
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: \"$target_lib\"" >&5
980
+$as_echo "\"$target_lib\"" >&6; }
981
+
982
 #
983
 # Private autoconf macro to simplify configuring drivers:
984
 #
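Review bot: The libdir probe program calls exit() without including stdlib.h, so a compiler that rejects implicit function declarations fails the run test and target_lib falls through to "lib" even on a 64-bit target, with no error. Use "return (sizeof(void *) == 8) ? 0 : 1;" instead. The probe also aborts configure outright when cross compiling; the pointer size computed into ac_cv_sizeof_void_p earlier in configure would give the same answer at compile time and would work in both cases.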
985
@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; }
986
 $as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
987
 		;;
988
 	*)
989
-		if test -d "$use_dlz_mysql/lib/mysql"
990
+		if test -d $use_dlz_mysql/${target_lib}/mysql
991
 		then
992
-			mysql_lib="$use_dlz_mysql/lib/mysql"
993
+			mysql_lib=$use_dlz_mysql/${target_lib}/mysql
994
 		else
995
-			mysql_lib="$use_dlz_mysql/lib"
996
+			mysql_lib=$use_dlz_mysql/${target_lib}
997
 		fi
998
 
999
 	CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
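Review bot: the rewritten test -d and both mysql_lib assignments lose the double quotes the removed lines had around $use_dlz_mysql/..., so a prefix containing whitespace or glob characters now splits into several words and breaks the test. Keep the quoting: "$use_dlz_mysql/${target_lib}/mysql" and "$use_dlz_mysql/${target_lib}".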
1000
@@ -24840,7 +24924,7 @@ $as_echo "" >&6; }
1001
 			# Check other locations for includes.
1002
 			# Order is important (sigh).
1003
 
1004
-			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
1005
+			bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
1006
 			# include a blank element first
1007
 			for d in "" $bdb_incdirs
1008
 			do
1009
@@ -24865,57 +24949,9 @@ $as_echo "" >&6; }
1010
 			bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
1011
 			for d in $bdb_libnames
1012
 			do
1013
-				if test "$dd" = "/usr"
1014
-				then
1015
-					as_ac_Lib=`$as_echo "ac_cv_lib_$d''_db_create" | $as_tr_sh`
1016
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for db_create in -l$d" >&5
1017
-$as_echo_n "checking for db_create in -l$d... " >&6; }
1018
-if eval \${$as_ac_Lib+:} false; then :
1019
-  $as_echo_n "(cached) " >&6
1020
-else
1021
-  ac_check_lib_save_LIBS=$LIBS
1022
-LIBS="-l$d  $LIBS"
1023
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
1024
-/* end confdefs.h.  */
1025
-
1026
-/* Override any GCC internal prototype to avoid an error.
1027
-   Use char because int might match the return type of a GCC
1028
-   builtin and then its argument prototype would still apply.  */
1029
-#ifdef __cplusplus
1030
-extern "C"
1031
-#endif
1032
-char db_create ();
1033
-int
1034
-main ()
1035
-{
1036
-return db_create ();
1037
-  ;
1038
-  return 0;
1039
-}
1040
-_ACEOF
1041
-if ac_fn_c_try_link "$LINENO"; then :
1042
-  eval "$as_ac_Lib=yes"
1043
-else
1044
-  eval "$as_ac_Lib=no"
1045
-fi
1046
-rm -f core conftest.err conftest.$ac_objext \
1047
-    conftest$ac_exeext conftest.$ac_ext
1048
-LIBS=$ac_check_lib_save_LIBS
1049
-fi
1050
-eval ac_res=\$$as_ac_Lib
1051
-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
1052
-$as_echo "$ac_res" >&6; }
1053
-if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
1054
-  dlz_bdb_libs="-l${d}"
1055
-fi
1056
-
1057
-					if test $dlz_bdb_libs != "yes"
1058
-					then
1059
-						break
1060
-					fi
1061
-				elif test -f "$dd/lib/lib${d}.so"
1062
+				if test -f "$dd/${target_lib}/lib${d}.so"
1063
 				then
1064
-					dlz_bdb_libs="-L${dd}/lib -l${d}"
1065
+					dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
1066
 					break
1067
 				fi
1068
 			done
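Review bot: the existence test looks for the library in $dd/${target_lib}/lib${d}.so, but the linker flag that follows points at a different directory, -L${dd}/${target_lib}/libdb. Unless that subdirectory is intended and also holds the library, the -L path should match the directory that was just tested. The hunk also drops the db_create link probe for /usr, so nothing verifies any more that the library found actually provides that symbol.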
1069
@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; }
1070
 		DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
1071
 		DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
1072
 	fi
1073
-	if test -n "-L$use_dlz_ldap/lib -lldap -llber"
1074
+	if test -n "-L$use_dlz_ldap/${target_lib} -lldap -llber"
1075
 	then
1076
-		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/lib -lldap -llber"
1077
-		DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/lib -lldap -llber"
1078
+		DLZ_DRIVER_LIBS="$DLZ_DRIVER_LIBS -L$use_dlz_ldap/${target_lib} -lldap -llber"
1079
+		DLZ_DRIVER_LDAP_LIBS="-L$use_dlz_ldap/${target_lib} -lldap -llber"
1080
 	fi
1081
 
1082
 
1083
@@ -25163,11 +25199,11 @@ fi
1084
 		odbcdirs="/usr /usr/local /usr/pkg"
1085
 		for d in $odbcdirs
1086
 		do
1087
-			if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
1088
+			if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
1089
 			then
1090
 				use_dlz_odbc=$d
1091
 				dlz_odbc_include="-I$use_dlz_odbc/include"
1092
-				dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
1093
+				dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
1094
 				break
1095
 			fi
1096
 		done
1097
@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
1098
 
1099
 
1100
 
1101
+
1102
+
1103
 #
1104
 # Commands to run at the end of config.status.
1105
 # Don't just put these into configure, it won't work right if somebody
1106
@@ -27819,6 +27857,8 @@ report() {
1107
 	    echo "    IPv6 support (--enable-ipv6)"
1108
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
1109
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
1110
+        test "no" = "$want_crypto_rand" || \
1111
+                echo "    Crypto provider entropy source (--enable-crypto-rand)"
1112
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
1113
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
1114
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
1115
@@ -27859,6 +27899,8 @@ report() {
1116
 	echo "    Very verbose query trace logging (--enable-querytrace)"
1117
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
1118
 
1119
+    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
1120
+
1121
     echo "    Dynamically loadable zone (DLZ) drivers:"
1122
     test "no" = "$use_dlz_bdb" || \
1123
 	echo "        Berkeley DB (--with-dlz-bdb)"
1124
@@ -27906,6 +27948,8 @@ report() {
1125
 	echo "    ECDSA algorithm support (--with-ecdsa)"
1126
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
1127
 	echo "    EDDSA algorithm support (--with-eddsa)"
1128
+    test "yes" = "$want_crypto_rand" || \
1129
+        echo "    Crypto provider entropy source (--enable-crypto-rand)"
1130
 
1131
     test "yes" = "$enable_seccomp" || \
1132
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
1133
diff --git a/configure.ac b/configure.ac
1134
index d10cde5..68bead8 100644
1135
--- a/configure.ac
1136
+++ b/configure.ac
1137
@@ -1550,6 +1550,7 @@ case "$use_openssl" in
1138
 		AC_MSG_RESULT(disabled because of native PKCS11)
1139
 		DST_OPENSSL_INC=""
1140
 		CRYPTO="-DPKCS11CRYPTO"
1141
+		CRYPTOLIB="pkcs11"
1142
 		OPENSSLECDSALINKOBJS=""
1143
 		OPENSSLECDSALINKSRCS=""
1144
 		OPENSSLEDDSALINKOBJS=""
1145
@@ -1563,6 +1564,7 @@ case "$use_openssl" in
1146
 		AC_MSG_RESULT(no)
1147
 		DST_OPENSSL_INC=""
1148
 		CRYPTO=""
1149
+		CRYPTOLIB=""
1150
 		OPENSSLECDSALINKOBJS=""
1151
 		OPENSSLECDSALINKSRCS=""
1152
 		OPENSSLEDDSALINKOBJS=""
1153
@@ -1575,6 +1577,7 @@ case "$use_openssl" in
1154
 	auto)
1155
 		DST_OPENSSL_INC=""
1156
 		CRYPTO=""
1157
+		CRYPTOLIB=""
1158
 		OPENSSLECDSALINKOBJS=""
1159
 		OPENSSLECDSALINKSRCS=""
1160
 		OPENSSLEDDSALINKOBJS=""
1161
@@ -1585,7 +1588,7 @@ case "$use_openssl" in
1162
 		OPENSSLLINKSRCS=""
1163
 		AC_MSG_ERROR(
1164
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
1165
-If you don't want OpenSSL, use --without-openssl])
1166
+If you do not want OpenSSL, use --without-openssl])
1167
 		;;
1168
 	*)
1169
 		if test "yes" = "$want_native_pkcs11"
1170
@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl])
1171
 			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
1172
 		fi
1173
 		CRYPTO='-DOPENSSL'
1174
+		CRYPTOLIB="openssl"
1175
 		if test "/usr" = "$use_openssl"
1176
 		then
1177
 			DST_OPENSSL_INC=""
1178
@@ -2050,7 +2054,6 @@ fi
1179
 # Use OpenSSL for hash functions
1180
 #
1181
 
1182
-AC_MSG_CHECKING(for using OpenSSL for hash functions)
1183
 ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
1184
 case $want_openssl_hash in
1185
 	yes)
1186
@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then
1187
 	LIBS="-lrt $LIBS"
1188
 fi
1189
 
1190
+#
1191
+# Use the crypto provider (OpenSSL/PKCS#11) for random functions
1192
+#
1193
+
1194
+AC_MSG_CHECKING(for using the crypto library (vs. builtin) for random functions)
1195
+AC_ARG_ENABLE(crypto-rand,
1196
+	[  --enable-crypto-rand    use the crypto provider for random [[default=yes]]],
1197
+	want_crypto_rand="$enableval", want_crypto_rand="auto")
1198
+if test "$want_crypto_rand" = "auto"
1199
+then
1200
+	case "$CRYPTOLIB" in
1201
+	"")
1202
+		want_crypto_rand="no"
1203
+		;;
1204
+	pkcs11)
1205
+		want_crypto_rand="yes"
1206
+		;;
1207
+	openssl)
1208
+		saved_cflags="$CFLAGS"
1209
+		saved_libs="$LIBS"
1210
+		CFLAGS="$CFLAGS $DST_OPENSSL_INC"
1211
+		LIBS="$LIBS $DST_OPENSSL_LIBS"
1212
+		AC_TRY_RUN([
1213
+#include <openssl/rand.h>
1214
+
1215
+unsigned char buf[128];
1216
+
1217
+int main()
1218
+{
1219
+	if (RAND_bytes(buf, 128) != 1)
1220
+		return (1);
1221
+	return (0);
1222
+}
1223
+],
1224
+		[want_crypto_rand="yes"],
1225
+		[want_crypto_rand="no"],
1226
+		[want_crypto_rand="yes"])
1227
+		CFLAGS="$saved_cflags"
1228
+		LIBS="$saved_libs"
1229
+		;;
1230
+	*)
1231
+		AC_MSG_ERROR([Unknown crypto library define $CRYPTOLIB])
1232
+		;;
1233
+	esac
1234
+fi
1235
+case $want_crypto_rand in
1236
+	yes)
1237
+		if test "$CRYPTOLIB" = ""
1238
+		then
1239
+			AC_MSG_ERROR([No crypto library for random functions])
1240
+		fi
1241
+		AC_MSG_RESULT(["$CRYPTOLIB"])
1242
+		ISC_PLATFORM_CRYPTORANDOM="#define ISC_PLATFORM_CRYPTORANDOM \"$CRYPTOLIB\""
1243
+		;;
1244
+	no)
1245
+		AC_MSG_RESULT(no)
1246
+		ISC_PLATFORM_CRYPTORANDOM="#undef ISC_PLATFORM_CRYPTORANDOM"
1247
+		;;
1248
+esac
1249
+AC_SUBST(ISC_PLATFORM_CRYPTORANDOM)
1250
+
1251
 #
1252
 # was --with-lmdb specified?
1253
 #
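Review bot: the final case on $want_crypto_rand handles only yes and no, so a value such as --enable-crypto-rand=foo skips the auto block, matches neither branch, leaves ISC_PLATFORM_CRYPTORANDOM unset for AC_SUBST and never prints a result for the AC_MSG_CHECKING line. Add a default branch that fails with AC_MSG_ERROR. The help string also advertises [[default=yes]] while the actual default is auto, which resolves to no when CRYPTOLIB is empty or the RAND_bytes probe fails, and to yes without any probe when cross compiling; the help text should describe that.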
1254
@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
1255
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
1256
 ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
1257
 if test "yes" = "$use_atomic"; then
1258
+	AC_CHECK_SIZEOF([void *])
1259
 	have_atomic=yes		# set default
1260
 	case "$host" in
1261
 	[i[3456]86-*])
1262
 		# XXX: some old x86 architectures actually do not support
1263
 		#      (some of) these operations.  Do we need stricter checks?
1264
-		AC_CHECK_SIZEOF([void *])
1265
 		if test $ac_cv_sizeof_void_p = 8; then
1266
 			arch=x86_64
1267
 			have_xaddq=yes
1268
@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then
1269
 		fi
1270
 	;;
1271
 	x86_64-*|amd64-*)
1272
-		AC_CHECK_SIZEOF([void *])
1273
 		if test $ac_cv_sizeof_void_p = 8; then
1274
 			arch=x86_64
1275
 			have_xaddq=yes
1276
@@ -5518,6 +5581,8 @@ report() {
1277
 	    echo "    IPv6 support (--enable-ipv6)"
1278
 	test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
1279
 		echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
1280
+        test "no" = "$want_crypto_rand" || \
1281
+                echo "    Crypto provider entropy source (--enable-crypto-rand)"
1282
 	test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
1283
 	test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
1284
 	test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
1285
@@ -5558,6 +5623,8 @@ report() {
1286
 	echo "    Very verbose query trace logging (--enable-querytrace)"
1287
     test "no" = "$with_cmocka" || echo "    CMocka Unit Testing Framework (--with-cmocka)"
1288
 
1289
+    echo "    Cryptographic library for DNSSEC: $CRYPTOLIB"
1290
+
1291
     echo "    Dynamically loadable zone (DLZ) drivers:"
1292
     test "no" = "$use_dlz_bdb" || \
1293
 	echo "        Berkeley DB (--with-dlz-bdb)"
1294
@@ -5605,6 +5672,8 @@ report() {
1295
 	echo "    ECDSA algorithm support (--with-ecdsa)"
1296
     test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
1297
 	echo "    EDDSA algorithm support (--with-eddsa)"
1298
+    test "yes" = "$want_crypto_rand" || \
1299
+        echo "    Crypto provider entropy source (--enable-crypto-rand)"
1300
 
1301
     test "yes" = "$enable_seccomp" || \
1302
 	echo "    Use libseccomp system call filtering (--enable-seccomp)"
1303
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
1304
index 65bf25d..1eccbe7 100644
1305
--- a/lib/dns/dst_api.c
1306
+++ b/lib/dns/dst_api.c
1307
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
1308
 #ifdef GSSAPI
1309
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
1310
 #endif
1311
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
1312
+#ifdef ISC_PLATFORM_CRYPTORANDOM
1313
+	if (dst_entropy_pool != NULL)
1314
+		isc_entropy_sethook(dst_random_getdata);
1315
+#endif
1316
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
1317
 	dst_initialized = true;
1318
 	return (ISC_R_SUCCESS);
1319
 
1320
@@ -296,11 +302,19 @@ dst_lib_destroy(void) {
1321
 	for (i = 0; i < DST_MAX_ALGS; i++)
1322
 		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
1323
 			dst_t_func[i]->cleanup();
1324
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
1325
+#ifdef ISC_PLATFORM_CRYPTORANDOM
1326
+	if (dst_entropy_pool != NULL) {
1327
+		isc_entropy_usehook(dst_entropy_pool, false);
1328
+		isc_entropy_sethook(NULL);
1329
+	}
1330
+#endif
1331
 #ifdef OPENSSL
1332
 	dst__openssl_destroy();
1333
 #elif PKCS11CRYPTO
1334
 	(void) dst__pkcs11_destroy();
1335
 #endif /* if OPENSSL, elif PKCS11CRYPTO */
1336
+#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
1337
 	if (dst__memory_pool != NULL)
1338
 		isc_mem_detach(&dst__memory_pool);
1339
 	if (dst_entropy_pool != NULL)
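Review bot: dst_lib_destroy() switches the hook off with isc_entropy_usehook(dst_entropy_pool, false), but dst_lib_init2() in the previous hunk only registers the hook with isc_entropy_sethook() and never switches it on, so it is unclear who is responsible for enabling it. Either enable it in init to mirror this teardown or document that callers must call isc_entropy_usehook(ectx, true) themselves. Note too that isc_entropy_sethook(NULL) clears a hook shared by the whole process, so any other entropy context still marked usehook falls back to its pool without notice.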
1340
@@ -2002,13 +2016,17 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
1341
 		flags &= ~ISC_ENTROPY_GOODONLY;
1342
 	else
1343
 		flags |= ISC_ENTROPY_BLOCKING;
1344
+#ifdef ISC_PLATFORM_CRYPTORANDOM
1345
+	return (dst_random_getdata(buf, len, NULL, flags));
1346
+#else
1347
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
1348
+#endif
1349
 #endif /* PKCS11CRYPTO */
1350
 }
1351
 
1352
 unsigned int
1353
 dst__entropy_status(void) {
1354
-#ifndef PKCS11CRYPTO
1355
+#if !defined(PKCS11CRYPTO) && !defined(ISC_PLATFORM_CRYPTORANDOM)
1356
 #ifdef GSSAPI
1357
 	unsigned int flags = dst_entropy_flags;
1358
 	isc_result_t ret;
1359
@@ -2031,6 +2049,7 @@ dst__entropy_status(void) {
1360
 #endif
1361
 	return (isc_entropy_status(dst_entropy_pool));
1362
 #else
1363
+	/* Doesn't matter as it is not used in this case. */
1364
 	return (0);
1365
 #endif
1366
 }
1367
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
1368
index 1924e74..6813c96 100644
1369
--- a/lib/dns/include/dst/dst.h
1370
+++ b/lib/dns/include/dst/dst.h
1371
@@ -159,6 +159,14 @@ dst_lib_destroy(void);
1372
  * Releases all resources allocated by DST.
1373
  */
1374
 
1375
+isc_result_t
1376
+dst_random_getdata(void *data, unsigned int length,
1377
+		   unsigned int *returned, unsigned int flags);
1378
+/*%<
1379
+ * \brief Return data from the crypto random generator.
1380
+ * Specialization of isc_entropy_getdata().
1381
+ */
1382
+
1383
 bool
1384
 dst_algorithm_supported(unsigned int alg);
1385
 /*%<
1386
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
1387
index 304814b..60543c4 100644
1388
--- a/lib/dns/lib.c
1389
+++ b/lib/dns/lib.c
1390
@@ -18,6 +18,7 @@
1391
 #include <stdbool.h>
1392
 #include <stddef.h>
1393
 
1394
+#include <isc/entropy.h>
1395
 #include <isc/hash.h>
1396
 #include <isc/mem.h>
1397
 #include <isc/msgcat.h>
1398
@@ -78,6 +79,7 @@ static unsigned int references = 0;
1399
 static void
1400
 initialize(void) {
1401
 	isc_result_t result;
1402
+	isc_entropy_t *ectx = NULL;
1403
 
1404
 	REQUIRE(initialize_done == false);
1405
 
1406
@@ -88,11 +90,14 @@ initialize(void) {
1407
 	result = dns_ecdb_register(dns_g_mctx, &dbimp);
1408
 	if (result != ISC_R_SUCCESS)
1409
 		goto cleanup_mctx;
1410
-	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
1411
+	result = isc_entropy_create(dns_g_mctx, &ectx);
1412
 	if (result != ISC_R_SUCCESS)
1413
 		goto cleanup_db;
1414
+	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
1415
+	if (result != ISC_R_SUCCESS)
1416
+		goto cleanup_ectx;
1417
 
1418
-	result = dst_lib_init(dns_g_mctx, NULL, 0);
1419
+	result = dst_lib_init(dns_g_mctx, ectx, 0);
1420
 	if (result != ISC_R_SUCCESS)
1421
 		goto cleanup_hash;
1422
 
1423
@@ -100,11 +105,17 @@ initialize(void) {
1424
 	if (result != ISC_R_SUCCESS)
1425
 		goto cleanup_dst;
1426
 
1427
+	isc_hash_init();
1428
+	isc_entropy_detach(&ectx);
1429
+
1430
 	initialize_done = true;
1431
 	return;
1432
 
1433
   cleanup_dst:
1434
 	dst_lib_destroy();
1435
+  cleanup_ectx:
1436
+	if (ectx != NULL)
1437
+		isc_entropy_detach(&ectx);
1438
   cleanup_hash:
1439
 	isc_hash_destroy();
1440
   cleanup_db:
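Review bot: the cleanup_ectx label is placed before cleanup_hash, which does not match the order of the gotos in the preceding hunk. A dst_lib_init() failure jumps to cleanup_hash and skips the isc_entropy_detach(), leaking ectx, while an isc_hash_create() failure jumps to cleanup_ectx and then falls through into isc_hash_destroy() for a hash context that was never created. Since the entropy context is created before the hash, cleanup_hash should come first and cleanup_ectx after it.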
1441
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
1442
index 13e838f..ffe0a69 100644
1443
--- a/lib/dns/openssl_link.c
1444
+++ b/lib/dns/openssl_link.c
1445
@@ -31,6 +31,7 @@
1446
 #include <isc/mem.h>
1447
 #include <isc/mutex.h>
1448
 #include <isc/mutexblock.h>
1449
+#include <isc/platform.h>
1450
 #include <isc/string.h>
1451
 #include <isc/thread.h>
1452
 #include <isc/util.h>
1453
@@ -46,8 +47,6 @@
1454
 #include <openssl/engine.h>
1455
 #endif
1456
 
1457
-static RAND_METHOD *rm = NULL;
1458
-
1459
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1460
 static isc_mutex_t *locks = NULL;
1461
 static int nlocks;
1462
@@ -57,6 +56,9 @@ static int nlocks;
1463
 static ENGINE *e = NULL;
1464
 #endif
1465
 
1466
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1467
+static RAND_METHOD *rm = NULL;
1468
+
1469
 static int
1470
 entropy_get(unsigned char *buf, int num) {
1471
 	isc_result_t result;
1472
@@ -102,6 +104,7 @@ entropy_add(const void *buf, int num, double entropy) {
1473
 	return (1);
1474
 }
1475
 #endif
1476
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
1477
 
1478
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1479
 static void
1480
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
1481
 isc_result_t
1482
 dst__openssl_init(const char *engine) {
1483
 	isc_result_t result;
1484
-#if !defined(OPENSSL_NO_ENGINE)
1485
+#if !defined(OPENSSL_NO_ENGINE) && !defined(ISC_PLATFORM_CRYPTORANDOM)
1486
 	ENGINE *re;
1487
 #else
1488
 	UNUSED(engine);
1489
@@ -222,6 +225,7 @@ dst__openssl_init(const char *engine) {
1490
 	ERR_load_crypto_strings();
1491
 #endif
1492
 
1493
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1494
 	rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
1495
 	if (rm == NULL) {
1496
 		result = ISC_R_NOMEMORY;
1497
@@ -233,6 +237,7 @@ dst__openssl_init(const char *engine) {
1498
 	rm->add = entropy_add;
1499
 	rm->pseudorand = entropy_getpseudo;
1500
 	rm->status = entropy_status;
1501
+#endif
1502
 
1503
 #if !defined(OPENSSL_NO_ENGINE)
1504
 #if !defined(CONF_MFLAGS_DEFAULT_SECTION)
1505
@@ -266,6 +271,7 @@ dst__openssl_init(const char *engine) {
1506
 		}
1507
 	}
1508
 
1509
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1510
 	re = ENGINE_get_default_RAND();
1511
 	if (re == NULL) {
1512
 		re = ENGINE_new();
1513
@@ -278,9 +284,21 @@ dst__openssl_init(const char *engine) {
1514
 		ENGINE_free(re);
1515
 	} else
1516
 		ENGINE_finish(re);
1517
+#endif
1518
 #else
1519
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1520
 	RAND_set_rand_method(rm);
1521
+#endif
1522
 #endif /* !defined(OPENSSL_NO_ENGINE) */
1523
+
1524
+	/* Protect ourselves against unseeded PRNG */
1525
+	if (RAND_status() != 1) {
1526
+		FATAL_ERROR(__FILE__, __LINE__,
1527
+			    "OpenSSL pseudorandom number generator "
1528
+			    "cannot be initialized (see the `PRNG not "
1529
+			    "seeded' message in the OpenSSL FAQ)");
1530
+	}
1531
+
1532
 	return (ISC_R_SUCCESS);
1533
 
1534
 #if !defined(OPENSSL_NO_ENGINE)
1535
@@ -288,10 +306,14 @@ dst__openssl_init(const char *engine) {
1536
 	if (e != NULL)
1537
 		ENGINE_free(e);
1538
 	e = NULL;
1539
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1540
 	mem_free(rm FILELINE);
1541
 	rm = NULL;
1542
 #endif
1543
+#endif
1544
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1545
  cleanup_mutexinit:
1546
+#endif
1547
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1548
 	CRYPTO_set_locking_callback(NULL);
1549
 	DESTROYMUTEXBLOCK(locks, nlocks);
1550
@@ -306,14 +328,17 @@ void
1551
 dst__openssl_destroy(void) {
1552
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
1553
 	OPENSSL_cleanup();
1554
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1555
 	if (rm != NULL) {
1556
 		mem_free(rm FILELINE);
1557
 		rm = NULL;
1558
 	}
1559
+#endif
1560
 #else
1561
 	/*
1562
 	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
1563
 	 */
1564
+#ifndef ISC_PLATFORM_CRYPTORANDOM
1565
 	if (rm != NULL) {
1566
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
1567
 		RAND_cleanup();
1568
@@ -321,6 +346,7 @@ dst__openssl_destroy(void) {
1569
 		mem_free(rm FILELINE);
1570
 		rm = NULL;
1571
 	}
1572
+#endif
1573
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
1574
 	CONF_modules_free();
1575
 #endif
1576
@@ -456,11 +482,45 @@ dst__openssl_getengine(const char *engine) {
1577
 }
1578
 #endif
1579
 
1580
-#else /* OPENSSL */
1581
+isc_result_t
1582
+dst_random_getdata(void *data, unsigned int length,
1583
+		   unsigned int *returned, unsigned int flags) {
1584
+#ifdef ISC_PLATFORM_CRYPTORANDOM
1585
+#ifndef DONT_REQUIRE_DST_LIB_INIT
1586
+	INSIST(dst__memory_pool != NULL);
1587
+#endif
1588
+	REQUIRE(data != NULL);
1589
+	REQUIRE(length > 0);
1590
 
1591
-#include <isc/util.h>
1592
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
1593
+	if ((flags & ISC_ENTROPY_GOODONLY) == 0) {
1594
+		if (RAND_pseudo_bytes((unsigned char *)data, (int)length) < 0)
1595
+			return (dst__openssl_toresult2("RAND_pseudo_bytes",
1596
+						       DST_R_OPENSSLFAILURE));
1597
+	} else {
1598
+		if (RAND_bytes((unsigned char *)data, (int)length) != 1)
1599
+			return (dst__openssl_toresult2("RAND_bytes",
1600
+						       DST_R_OPENSSLFAILURE));
1601
+	}
1602
+#else
1603
+	UNUSED(flags);
1604
 
1605
-EMPTY_TRANSLATION_UNIT
1606
+	if (RAND_bytes((unsigned char *)data, (int)length) != 1)
1607
+		return (dst__openssl_toresult2("RAND_bytes",
1608
+					       DST_R_OPENSSLFAILURE));
1609
+#endif
1610
+	if (returned != NULL)
1611
+		*returned = length;
1612
+	return (ISC_R_SUCCESS);
1613
+#else
1614
+	UNUSED(data);
1615
+	UNUSED(length);
1616
+	UNUSED(returned);
1617
+	UNUSED(flags);
1618
+
1619
+	return (ISC_R_NOTIMPLEMENTED);
1620
+#endif
1621
+}
1622
 
1623
 #endif /* OPENSSL */
1624
 /*! \file */
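Review bot: dst_random_getdata() only requires length > 0 and then passes (int)length to RAND_bytes() and RAND_pseudo_bytes(), so an unsigned length above INT_MAX turns into a negative count. Add REQUIRE(length <= INT_MAX) next to the existing REQUIRE lines, or loop in bounded chunks. The PKCS#11 variant later in this patch uses the same cast for pk11_rand_bytes() and needs the same guard.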
1625
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
1626
index 5a2c502..8eaef53 100644
1627
--- a/lib/dns/pkcs11.c
1628
+++ b/lib/dns/pkcs11.c
1629
@@ -13,12 +13,15 @@
1630
 
1631
 #include <config.h>
1632
 
1633
+#include <isc/util.h>
1634
+
1635
 #include <dns/log.h>
1636
 #include <dns/result.h>
1637
 
1638
 #include <pk11/pk11.h>
1639
 #include <pk11/internal.h>
1640
 
1641
+#include "dst_internal.h"
1642
 #include "dst_pkcs11.h"
1643
 
1644
 isc_result_t
1645
@@ -34,12 +37,32 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
1646
 	return (fallback);
1647
 }
1648
 
1649
+isc_result_t
1650
+dst_random_getdata(void *data, unsigned int length,
1651
+		   unsigned int *returned, unsigned int flags) {
1652
+#ifdef ISC_PLATFORM_CRYPTORANDOM
1653
+	isc_result_t ret;
1654
 
1655
-#else /* PKCS11CRYPTO */
1656
+#ifndef DONT_REQUIRE_DST_LIB_INIT
1657
+	INSIST(dst__memory_pool != NULL);
1658
+#endif
1659
+	REQUIRE(data != NULL);
1660
+	REQUIRE(length > 0);
1661
+	UNUSED(flags);
1662
 
1663
-#include <isc/util.h>
1664
+	ret = pk11_rand_bytes(data, (int) length);
1665
+	if ((ret == ISC_R_SUCCESS) && (returned != NULL))
1666
+		*returned = length;
1667
+	return (ret);
1668
+#else
1669
+	UNUSED(data);
1670
+	UNUSED(length);
1671
+	UNUSED(returned);
1672
+	UNUSED(flags);
1673
 
1674
-EMPTY_TRANSLATION_UNIT
1675
+	return (ISC_R_NOTIMPLEMENTED);
1676
+#endif
1677
+}
1678
 
1679
 #endif /* PKCS11CRYPTO */
1680
 /*! \file */
1681
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
1682
index 937b548..f3c0e38 100644
1683
--- a/lib/dns/tests/Kyuafile
1684
+++ b/lib/dns/tests/Kyuafile
1685
@@ -10,6 +10,7 @@ tap_test_program{name='dh_test'}
1686
 tap_test_program{name='dispatch_test'}
1687
 tap_test_program{name='dnstap_test'}
1688
 tap_test_program{name='dst_test'}
1689
+tap_test_program{name='dstrandom_test'}
1690
 tap_test_program{name='geoip_test'}
1691
 tap_test_program{name='gost_test'}
1692
 tap_test_program{name='keytable_test'}
1693
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
1694
index 90dc3a6..7671e1d 100644
1695
--- a/lib/dns/tests/Makefile.in
1696
+++ b/lib/dns/tests/Makefile.in
1697
@@ -37,6 +37,7 @@ SRCS =		acl_test.c \
1698
 		dnstap_test.c \
1699
 		dst_test.c \
1700
 		dnstest.c \
1701
+		dstrandom_test.c \
1702
 		geoip_test.c \
1703
 		gost_test.c \
1704
 		keytable_test.c \
1705
@@ -69,6 +70,7 @@ TARGETS =	acl_test@EXEEXT@ \
1706
 		dh_test@EXEEXT@ \
1707
 		dispatch_test@EXEEXT@ \
1708
 		dnstap_test@EXEEXT@ \
1709
+		dstrandom_test@EXEEXT@ \
1710
 		dst_test@EXEEXT@ \
1711
 		geoip_test@EXEEXT@ \
1712
 		gost_test@EXEEXT@ \
1713
@@ -258,6 +260,11 @@ zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
1714
 		${LDFLAGS} -o $@ zt_test.@O@ dnstest.@O@ \
1715
 		${DNSLIBS} ${ISCLIBS} ${LIBS}
1716
 
1717
+dstrandom_test@EXEEXT@: dstrandom_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
1718
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
1719
+			dstrandom_test.@O@ ${DNSLIBS} \
1720
+			${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
1721
+
1722
 unit::
1723
 	sh ${top_builddir}/unit/unittest.sh
1724
 
1725
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
1726
new file mode 100644
1727
index 0000000..bd3d164
1728
--- /dev/null
1729
+++ b/lib/dns/tests/dstrandom_test.c
1730
@@ -0,0 +1,115 @@
1731
+/*
1732
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
1733
+ *
1734
+ * This Source Code Form is subject to the terms of the Mozilla Public
1735
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
1736
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
1737
+ *
1738
+ * See the COPYRIGHT file distributed with this work for additional
1739
+ * information regarding copyright ownership.
1740
+ */
1741
+
1742
+#include <config.h>
1743
+
1744
+#if HAVE_CMOCKA
1745
+
1746
+#include <stdarg.h>
1747
+#include <stddef.h>
1748
+#include <setjmp.h>
1749
+
1750
+#include <stdlib.h>
1751
+#include <stdio.h>
1752
+#include <string.h>
1753
+#include <unistd.h>
1754
+
1755
+#define UNIT_TESTING
1756
+#include <cmocka.h>
1757
+
1758
+#include <isc/entropy.h>
1759
+#include <isc/mem.h>
1760
+#include <isc/print.h>
1761
+#include <isc/platform.h>
1762
+#include <isc/util.h>
1763
+
1764
+#include <dst/dst.h>
1765
+
1766
+isc_mem_t *mctx = NULL;
1767
+isc_entropy_t *ectx = NULL;
1768
+unsigned char buffer[128];
1769
+
1770
+/* isc_entropy_getdata() examples */
1771
+static void
1772
+isc_entropy_getdata_test(void **state) {
1773
+	isc_result_t result;
1774
+	unsigned int returned, status;
1775
+	const char *randomfile = "testdata/dstrandom/random.data";
1776
+	int ret;
1777
+
1778
+	UNUSED(state);
1779
+
1780
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
1781
+	result = isc_mem_create(0, 0, &mctx);
1782
+	assert_int_equal(result, ISC_R_SUCCESS);
1783
+	result = isc_entropy_create(mctx, &ectx);
1784
+	assert_int_equal(result, ISC_R_SUCCESS);
1785
+	result = dst_lib_init(mctx, ectx, 0);
1786
+	assert_int_equal(result, ISC_R_SUCCESS);
1787
+
1788
+#ifdef ISC_PLATFORM_CRYPTORANDOM
1789
+	isc_entropy_usehook(ectx, true);
1790
+
1791
+	returned = 0;
1792
+	result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
1793
+				     &returned, 0);
1794
+	assert_int_equal(result, ISC_R_SUCCESS);
1795
+	assert_int_equal(returned, sizeof(buffer));
1796
+
1797
+	status = isc_entropy_status(ectx);
1798
+	assert_int_equal(status, 0);
1799
+
1800
+	isc_entropy_usehook(ectx, false);
1801
+#endif
1802
+
1803
+	ret = chdir(TESTS);
1804
+	assert_int_equal(ret, 0);
1805
+
1806
+	result = isc_entropy_createfilesource(ectx, randomfile);
1807
+	assert_int_equal(result, ISC_R_SUCCESS);
1808
+
1809
+	returned = 0;
1810
+	result = isc_entropy_getdata(ectx, buffer, sizeof(buffer),
1811
+				     &returned, 0);
1812
+	assert_int_equal(result, ISC_R_SUCCESS);
1813
+	assert_int_equal(returned, sizeof(buffer));
1814
+
1815
+	status = isc_entropy_status(ectx);
1816
+	assert_true(status > 0);
1817
+
1818
+	dst_lib_destroy();
1819
+	isc_entropy_detach(&ectx);
1820
+	assert_null(ectx);
1821
+
1822
+	isc_mem_destroy(&mctx);
1823
+	assert_null(mctx);
1824
+}
1825
+
1826
+int
1827
+main(void) {
1828
+	const struct CMUnitTest tests[] = {
1829
+		cmocka_unit_test(isc_entropy_getdata_test),
1830
+	};
1831
+
1832
+	return (cmocka_run_group_tests(tests, NULL, NULL));
1833
+}
1834
+
1835
+#else /* HAVE_CMOCKA */
1836
+
1837
+#include <stdio.h>
1838
+
1839
+int
1840
+main(void) {
1841
+	printf("1..0 # Skipped: cmocka not available\n");
1842
+	return (0);
1843
+}
1844
+
1845
+#endif
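Review bot: in isc_entropy_getdata_test() the hooked path is verified only through the result code and the returned length; the contents of buffer are never examined, so a hook that reports success without writing anything would pass. Clear buffer before the call and assert that it is no longer all zero afterwards, or compare two successive reads. The globals mctx, ectx and buffer can be static, and when ISC_PLATFORM_CRYPTORANDOM is undefined the test does not touch the hook at all, which deserves a comment.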
1846
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
1847
index 63be973..40b21fa 100644
1848
--- a/lib/dns/win32/libdns.def.in
1849
+++ b/lib/dns/win32/libdns.def.in
1850
@@ -1485,6 +1485,13 @@ dst_lib_destroy
1851
 dst_lib_init
1852
 dst_lib_init2
1853
 dst_lib_initmsgcat
1854
+@IF PKCS11
1855
+dst_random_getdata
1856
+@ELSE PKCS11
1857
+@IF OPENSSL
1858
+dst_random_getdata
1859
+@END OPENSSL
1860
+@END PKCS11
1861
 dst_region_computeid
1862
 dst_region_computerid
1863
 dst_result_register
1864
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
1865
index 907e470..451544d 100644
1866
--- a/lib/isc/entropy.c
1867
+++ b/lib/isc/entropy.c
1868
@@ -104,11 +104,15 @@ struct isc_entropy {
1869
 	uint32_t			initialized;
1870
 	uint32_t			initcount;
1871
 	isc_entropypool_t		pool;
1872
+	bool				usehook;
1873
 	unsigned int			nsources;
1874
 	isc_entropysource_t	       *nextsource;
1875
 	ISC_LIST(isc_entropysource_t)	sources;
1876
 };
1877
 
1878
+/*% Global Hook */
1879
+static isc_entropy_getdata_t hook;
1880
+
1881
 /*% Sample Queue */
1882
 typedef struct {
1883
 	uint32_t	last_time;	/*%< last time recorded */
1884
@@ -557,6 +561,11 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
1885
 
1886
 	LOCK(&ent->lock);
1887
 
1888
+	if (ent->usehook && (hook != NULL)) {
1889
+		UNLOCK(&ent->lock);
1890
+		return (hook(data, length, returned, flags));
1891
+	}
1892
+
1893
 	remain = length;
1894
 	buf = data;
1895
 	total = 0;
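Review bot: the hook pointer is tested for NULL and then called after UNLOCK(&ent->lock), while isc_entropy_sethook() at the end of this file assigns it with no lock or atomic at all, and the per-context lock would not serialize writers against other contexts anyway. A concurrent isc_entropy_sethook(NULL), which is what dst_lib_destroy() does, can land between the test and the call. Copy hook into a local variable once and call through the local, and protect or atomically load the global.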
1896
@@ -708,6 +717,7 @@ isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
1897
 	ent->refcnt = 1;
1898
 	ent->initialized = 0;
1899
 	ent->initcount = 0;
1900
+	ent->usehook = false;
1901
 	ent->magic = ENTROPY_MAGIC;
1902
 
1903
 	isc_entropypool_init(&ent->pool);
1904
@@ -1286,3 +1296,17 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
1905
 	 */
1906
 	return (final_result);
1907
 }
1908
+
1909
+void
1910
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff) {
1911
+	REQUIRE(VALID_ENTROPY(ectx));
1912
+
1913
+	LOCK(&ectx->lock);
1914
+	ectx->usehook = onoff;
1915
+	UNLOCK(&ectx->lock);
1916
+}
1917
+
1918
+void
1919
+isc_entropy_sethook(isc_entropy_getdata_t myhook) {
1920
+	hook = myhook;
1921
+}
1922
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
1923
index e8733db..c40a18c 100644
1924
--- a/lib/isc/include/isc/entropy.h
1925
+++ b/lib/isc/include/isc/entropy.h
1926
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
1927
  *	isc_entropy_createcallbacksource().
1928
  */
1929
 
1930
+void
1931
+isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
1932
+/*!<
1933
+ * \brief Mark/unmark the given entropy structure as being hooked.
1934
+ */
1935
+
1936
+void
1937
+isc_entropy_sethook(isc_entropy_getdata_t myhook);
1938
+/*!<
1939
+ * \brief Set the getdata hook (e.g., for a crypto random generator).
1940
+ */
1941
+
1942
 ISC_LANG_ENDDECLS
1943
 
1944
 #endif /* ISC_ENTROPY_H */
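Review bot: the doc comments for isc_entropy_usehook() and isc_entropy_sethook() do not say that the hook is a single process-wide pointer while the usehook flag is per context, nor what the thread-safety and ordering requirements are (for example that passing NULL to sethook disables the hook for every context). Spell that out here, together with the contract for the hook itself: what it must do with returned and flags.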
1945
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
1946
index 61960f1..d22993d 100644
1947
--- a/lib/isc/include/isc/platform.h.in
1948
+++ b/lib/isc/include/isc/platform.h.in
1949
@@ -359,6 +359,11 @@
1950
  */
1951
 @ISC_PLATFORM_HAVESTRINGSH@
1952
 
1953
+/*
1954
+ * Define if the random functions are provided by crypto.
1955
+ */
1956
+@ISC_PLATFORM_CRYPTORANDOM@
1957
+
1958
 /*
1959
  * Define if the hash functions must be provided by OpenSSL.
1960
  */
1961
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
1962
index da9d66f..4205400 100644
1963
--- a/lib/isc/include/isc/types.h
1964
+++ b/lib/isc/include/isc/types.h
1965
@@ -97,6 +97,8 @@ typedef struct isc_time			isc_time_t;		/*%< Time */
1966
 typedef struct isc_timer		isc_timer_t;		/*%< Timer */
1967
 typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
1968
 
1969
+typedef isc_result_t (*isc_entropy_getdata_t)(void *, unsigned int,
1970
+					      unsigned int *, unsigned int);
1971
 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
1972
 typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
1973
 
1974
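Review bot: the new `isc_entropy_getdata_t` typedef leaves all four parameters unnamed, and two of them are plain `unsigned int`, so someone writing a hook for a crypto provider cannot tell from the declaration which argument is which or what is written through the `unsigned int *`. Name the parameters, or add a comment describing each one and the `isc_result_t` values the hook is expected to return.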
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
1975
index 68aebdc..4b85527 100644
1976
--- a/lib/isc/pk11.c
1977
+++ b/lib/isc/pk11.c
1978
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
1979
 	ret = isc_stdio_open(randomfile, "r", &stream);
1980
 	if (ret != ISC_R_SUCCESS)
1981
 		goto cleanup;
1982
-	ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
1983
-	if (ret!= ISC_R_SUCCESS)
1984
-		goto cleanup;
1985
+	while (ret == ISC_R_SUCCESS) {
1986
+		ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
1987
+		if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
1988
+			goto cleanup;
1989
+		(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
1990
+	} 
1991
 	ret = isc_stdio_close(stream);
1992
 	stream = NULL;
1993
-	if (ret!= ISC_R_SUCCESS)
1994
+	if (ret != ISC_R_SUCCESS)
1995
 		goto cleanup;
1996
-	(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
1997
 
1998
     cleanup:
1999
 	if (stream != NULL)
2000
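Review bot: the new `while (ret == ISC_R_SUCCESS)` loop ends only when `isc_stdio_read()` stops returning success, so if `randomfile` names something that never reports EOF the function keeps reading and seeding without bound; cap the number of bytes or iterations. The loop also calls `pkcs_C_SeedRandom()` after the last read even when `cc` is 0, and it still discards the return value with `(void)`, so a failed seed goes unnoticed. Skip the call when `cc == 0`, report a failed seed, and drop the trailing whitespace after the closing `}`.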
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
2001
index 8ade705..fa72f9d 100644
2002
--- a/lib/isc/win32/include/isc/platform.h.in
2003
+++ b/lib/isc/win32/include/isc/platform.h.in
2004
@@ -73,6 +73,11 @@
2005
 #define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
2006
 #define ISC_PLATFORM_NORETURN_POST
2007
 
2008
+/*
2009
+ * Define if the random functions are provided by crypto.
2010
+ */
2011
+@ISC_PLATFORM_CRYPTORANDOM@
2012
+
2013
 /*
2014
  * Define if the hash functions must be provided by OpenSSL.
2015
  */
2016
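Review bot: the comment says to define the macro "if the random functions are provided by crypto", but the Configure change in this same patch sets `ISC_PLATFORM_CRYPTORANDOM` to the quoted provider name (`"\"$cryptolib\""`), so the macro carries a string rather than a bare flag. Say that in the comment here and in the matching lib/isc/include/isc/platform.h.in hunk, so code that uses the macro knows what it expands to.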
diff --git a/win32utils/Configure b/win32utils/Configure
2017
index 79d682e..6c78cb2 100644
2018
--- a/win32utils/Configure
2019
+++ b/win32utils/Configure
2020
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
2021
 my %configdefp;
2022
 
2023
 my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP",
2024
+                 "ISC_PLATFORM_CRYPTORANDOM",
2025
                  "ISC_PLATFORM_HAVEATOMICSTORE",
2026
                  "ISC_PLATFORM_HAVEATOMICSTOREQ",
2027
                  "ISC_PLATFORM_HAVECMPXCHG",
2028
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
2029
 
2030
 # enable-xxx/disable-xxx
2031
 
2032
-my @enablelist = ("developer",
2033
+my @enablelist = ("crypto-rand",
2034
+                  "developer",
2035
                   "fixed-rrset",
2036
                   "intrinsics",
2037
                   "isc-spnego",
2038
@@ -580,6 +582,7 @@ my @help = (
2039
 "\nOptional Features:\n",
2040
 "  enable-intrinsics     enable intrinsic/atomic functions [default=yes]\n",
2041
 "  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
2042
+"  enable-crypto-rand    use crypto provider for random [default=yes]\n",
2043
 "  enable-openssl-hash   use OpenSSL for hash functions [default=yes]\n",
2044
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
2045
 "  enable-filter-aaaa    enable filtering of AAAA records [default=yes]\n",
2046
@@ -628,7 +631,9 @@ my $want_clean = "no";
2047
 my $want_unknown = "no";
2048
 my $unknown_value;
2049
 my $enable_intrinsics = "yes";
2050
+my $cryptolib = "";
2051
 my $enable_native_pkcs11 = "no";
2052
+my $enable_crypto_rand = "yes";
2053
 my $enable_openssl_hash = "auto";
2054
 my $enable_filter_aaaa = "yes";
2055
 my $enable_isc_spnego = "yes";
2056
@@ -847,6 +852,10 @@ sub myenable {
2057
         if ($val =~ /^yes$/i) {
2058
             $enable_native_pkcs11 = "yes";
2059
         }
2060
+    } elsif ($key =~ /^crypto-rand$/i) {
2061
+        if ($val =~ /^no$/i) {
2062
+            $enable_crypto_rand = "no";
2063
+        }
2064
     } elsif ($key =~ /^openssl-hash$/i) {
2065
         if ($val =~ /^yes$/i) {
2066
             $enable_openssl_hash = "yes";
2067
@@ -1153,6 +1162,11 @@ if ($verbose) {
2068
     } else {
2069
         print "native-pkcs11: disabled\n";
2070
     }
2071
+    if ($enable_crypto_rand eq "yes") {
2072
+        print "crypto-rand: enabled\n";
2073
+    } else {
2074
+        print "crypto-rand: disabled\n";
2075
+    }
2076
     if ($enable_openssl_hash eq "yes") {
2077
         print "openssl-hash: enabled\n";
2078
     } else {
2079
@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") {
2080
 
2081
 # enable-native-pkcs11
2082
 if ($enable_native_pkcs11 eq "yes") {
2083
+    $cryptolib = "pkcs11";
2084
     if ($use_openssl eq "auto") {
2085
         $use_openssl = "no";
2086
     }
2087
@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") {
2088
         $openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
2089
     }   
2090
 
2091
+    $cryptolib = "openssl";
2092
     $configcond{"OPENSSL"} = 1;
2093
     $configdefd{"CRYPTO"} = "OPENSSL";
2094
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
2095
@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") {
2096
 }
2097
 
2098
 
2099
+# enable-crypto-rand
2100
+if ($enable_crypto_rand eq "yes") {
2101
+    if (($use_openssl eq "no") && ($enable_native_pkcs11 eq "no")) {
2102
+        die "No crypto provider for random functions\n";
2103
+    }
2104
+    $configdefp{"ISC_PLATFORM_CRYPTORANDOM"} = "\"$cryptolib\"";
2105
+}
2106
+print "Cryptographic library for DNSSEC: $cryptolib";
2107
+
2108
 # enable-openssl-hash
2109
 if ($enable_openssl_hash eq "yes") {
2110
     if ($use_openssl eq "no") {
2111
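Review bot: the added `print "Cryptographic library for DNSSEC: $cryptolib";` sits outside the `if ($enable_crypto_rand eq "yes")` block and has no trailing newline, so it prints on every run, runs into the next line of output, and shows an empty name when crypto-rand is disabled and neither OpenSSL nor native PKCS#11 set `$cryptolib`. The label also talks about DNSSEC inside the crypto-rand section. Move it under the `if ($verbose)` report next to the `crypto-rand: enabled` line, add `\n`, and word it for the random provider.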
@@ -3665,6 +3690,7 @@ exit 0;
2112
 #  --enable-developer partially supported
2113
 #  --enable-newstats (9.9/9.9sub only)
2114
 #  --enable-native-pkcs11 supported
2115
+#  --enable-crypto-rand supported
2116
 #  --enable-openssl-version-check included without a way to disable it
2117
 #  --enable-openssl-hash supported
2118
 #  --enable-threads included without a way to disable it
... ... ---
2119
2.21.1
2120
... ... --- /dev/null
... ... +++ b/bind-9.14-config-pkcs11.patch
... ... @@ -0,0 +1,83 @@
1
From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
2
From: Petr Mensik <pemensik@redhat.com>
3
Date: Fri, 18 Oct 2019 21:30:52 +0200
4
Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
5
6
Building two variants with the same common code requires to unset
7
USE_PKCS11 on part of build. That is not possible with config.h value.
8
Move it as normal define to CDEFINES.
9
---
10
 bin/confgen/Makefile.in |  2 +-
11
 configure.ac            |  8 ++++++--
12
 lib/dns/dst_internal.h  | 12 +++++++++---
13
 3 files changed, 16 insertions(+), 6 deletions(-)
14
15
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
16
index 1b7512d..c126bf3 100644
17
--- a/bin/confgen/Makefile.in
18
+++ b/bin/confgen/Makefile.in
19
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
20
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
21
 	${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
22
 
23
-CDEFINES =
24
+CDEFINES = @USE_PKCS11@
25
 CWARNINGS =
26
 
27
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
28
diff --git a/configure.ac b/configure.ac
29
index f5483fe..08a7d8a 100644
30
--- a/configure.ac
31
+++ b/configure.ac
32
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
33
 AC_SUBST([PKCS11_TOOLS])
34
 AC_SUBST([PKCS11_MANS])
35
 
36
+USE_PKCS11='-DUSE_PKCS11=0'
37
+USE_OPENSSL='-DUSE_OPENSSL=0'
38
 AC_SUBST([CRYPTO])
39
 AS_CASE([$CRYPTO],
40
-	[pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
41
-	[AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
42
+	[pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
43
+	[USE_OPENSSL='-DUSE_OPENSSL=1'])
44
+AC_SUBST(USE_PKCS11)
45
+AC_SUBST(USE_OPENSSL)
46
 
47
 # preparation for automake
48
 # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
49
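Review bot: `USE_OPENSSL` is computed and passed to `AC_SUBST` here, but the only Makefile.in this patch touches adds just `@USE_PKCS11@` to `CDEFINES`, so nothing visible consumes `@USE_OPENSSL@`. With the `AC_DEFINE` calls removed, every directory whose sources test these macros needs the substitution in its own `CDEFINES`; the commit message should say which directories get it and why bin/confgen is the only one changed here. The two new `AC_SUBST(...)` calls are also unquoted, unlike `AC_SUBST([CRYPTO])` directly above them.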
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
50
index 2c3b4a3..55e9dc4 100644
51
--- a/lib/dns/dst_internal.h
52
+++ b/lib/dns/dst_internal.h
53
@@ -38,6 +38,13 @@
54
 #include <isc/stdtime.h>
55
 #include <isc/types.h>
56
 
57
+#ifndef USE_PKCS11
58
+#define USE_PKCS11 0
59
+#endif
60
+#ifndef USE_OPENSSL
61
+#define USE_OPENSSL (! USE_PKCS11)
62
+#endif
63
+
64
 #if USE_PKCS11
65
 #include <pk11/pk11.h>
66
 #include <pk11/site.h>
67
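Review bot: the `#ifndef USE_PKCS11` / `#define USE_PKCS11 0` fallback means a source file compiled without the new `-DUSE_PKCS11=...` flag silently builds the OpenSSL variant instead of failing. Since this patch moves the setting out of config.h so that it can differ between build variants, a forgotten flag is the likely mistake and this default hides it. Consider an `#error` when neither macro is defined, plus a check that rejects `USE_PKCS11` and `USE_OPENSSL` both being 1.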
@@ -116,11 +123,10 @@ struct dst_key {
68
 		void *generic;
69
 		dns_gss_ctx_id_t gssctx;
70
 		DH *dh;
71
-#if USE_OPENSSL
72
-		EVP_PKEY *pkey;
73
-#endif /* if USE_OPENSSL */
74
 #if USE_PKCS11
75
 		pk11_object_t *pkey;
76
+#else
77
+		EVP_PKEY *pkey;
78
 #endif /* if USE_PKCS11 */
79
 		dst_hmac_key_t *hmac_key;
80
 	} keydata; /*%< pointer to key in crypto pkg fmt */
81
-- 
82
2.26.2
83
... ... --- /dev/null
... ... +++ b/bind-9.16-redhat_doc.patch
... ... @@ -0,0 +1,60 @@
1
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
2
From: Petr Mensik <pemensik@redhat.com>
3
Date: Wed, 17 Jun 2020 23:17:13 +0200
4
Subject: [PATCH] Update man named with Red Hat specifics
5
6
This is almost unmodified text and requires revalidation. Some of those
7
statements are no longer correct.
8
---
9
 bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
10
 1 file changed, 35 insertions(+)
11
12
diff --git a/bin/named/named.rst b/bin/named/named.rst
13
index 6fd8f87..3cd6350 100644
14
--- a/bin/named/named.rst
15
+++ b/bin/named/named.rst
16
@@ -228,6 +228,41 @@ Files
17
 ``/var/run/named/named.pid``
18
    The default process-id file.
19
 
20
+Notes
21
+~~~~~
22
+
23
+**Red Hat SELinux BIND Security Profile:**
24
+
25
+By default, Red Hat ships BIND with the most secure SELinux policy
26
+that will not prevent normal BIND operation and will prevent exploitation
27
+of all known BIND security vulnerabilities. See the selinux(8) man page
28
+for information about SElinux.
29
+
30
+It is not necessary to run named in a chroot environment if the Red Hat
31
+SELinux policy for named is enabled. When enabled, this policy is far
32
+more secure than a chroot environment. Users are recommended to enable
33
+SELinux and remove the bind-chroot package.
34
+
35
+*With this extra security comes some restrictions:*
36
+
37
+By default, the SELinux policy does not allow named to write outside directory
38
+/var/named. That directory used to be read-only for named, but write access is
39
+enabled by default now.
40
+
41
+The "named" group must be granted read privelege to
42
+these files in order for named to be enabled to read them.
43
+Any file updated by named must be writeable by named user or named group.
44
+
45
+Any file created in the zone database file directory is automatically assigned
46
+the SELinux file context *named_zone_t* .
47
+
48
+The Red Hat BIND distribution and SELinux policy creates three directories where
49
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
50
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
51
+permissions. They are used for better organisation of zones and backward compatibility.
52
+Files in these directories are automatically assigned the '*named_cache_t*'
53
+file context, which SELinux always allows named to write.
54
+
55
 See Also
56
 ~~~~~~~~
57
 
58
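Review bot: the commit message says this text needs revalidation, and the added Notes section shows why. "will prevent exploitation of all known BIND security vulnerabilities" is an absolute guarantee a man page should not make; "these files" in the paragraph about the named group has no antecedent; and "The service is able to write and file under */var/named*" does not parse. There are spelling and grammar slips as well ("privelege", "SElinux", "named were allowed", the missing "and" before */var/named/data*). The text also says files created in the zone directory get *named_zone_t* and then that files in the three subdirectories get *named_cache_t*, which should be checked against the shipped policy before this lands.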
-- 
59
2.26.2
60
... ... --- a/bind-9.3.1rc1-sdb_tools-Makefile.in
... ... +++ /dev/null
... ... @@ -1,63 +0,0 @@
0
srcdir     =	@srcdir@
1
VPATH      =	@srcdir@
2
top_srcdir =	@top_srcdir@
3
4
VERSION=@BIND9_VERSION@
5
6
@BIND9_MAKE_INCLUDES@
7
8
CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
9
		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
10
		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES}
11
12
CDEFINES =	-DBIND9
13
14
DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
15
ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
16
ISCCCLIBS =	../../lib/isccc/libisccc.@A@
17
ISCLIBS =	../../lib/isc/libisc.@A@
18
LWRESLIBS =	../../lib/lwres/liblwres.@A@
19
BIND9LIBS =	../../lib/bind9/libbind9.@A@
20
21
DNSDEPLIBS =	../../lib/dns/libdns.@A@
22
ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
23
ISCCCDEPLIBS =	../../lib/isccc/libisccc.@A@
24
ISCDEPLIBS =	../../lib/isc/libisc.@A@
25
LWRESDEPLIBS =	../../lib/lwres/liblwres.@A@
26
BIND9DEPLIBS =	../../lib/bind9/libbind9.@A@
27
28
DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
29
		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
30
31
LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
32
		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
33
34
TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@
35
36
OBJS	=	zone2ldap.@O@ zonetodb.@O@
37
38
SRCS    =       zone2ldap.c zonetodb.c
39
40
MANPAGES =      zone2ldap.1
41
42
EXT_CFLAGS =
43
44
@BIND9_MAKE_RULES@
45
46
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
47
	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
48
49
zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
50
	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
51
52
clean distclean manclean maintainer-clean::
53
	rm -f ${TARGETS} ${OBJS}
54
55
installdirs:
56
	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
57
	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
58
59
install:: ${TARGETS} installdirs
60
	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
61
	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
62
	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
... ... --- a/bind-9.3.2b1-fix_sdb_ldap.patch
... ... +++ /dev/null
... ... @@ -1,511 +0,0 @@
0
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
1
index 95ab742..5059a17 100644
2
--- a/bin/sdb_tools/Makefile.in
3
+++ b/bin/sdb_tools/Makefile.in
4
@@ -32,11 +32,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
5
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
6
 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
7
 
8
-TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
9
+TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
10
 
11
-OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
12
+OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
13
 
14
-SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c
15
+SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
16
 
17
 MANPAGES =      zone2ldap.1
18
 
19
@@ -47,6 +47,9 @@ EXT_CFLAGS =
20
 zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
21
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
22
 
23
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
24
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
25
+
26
 zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
27
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
28
 
29
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
30
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
31
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
32
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
33
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
34
 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
35
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
36
index e0e9207..d59936c 100644
37
--- a/bin/sdb_tools/zone2ldap.c
38
+++ b/bin/sdb_tools/zone2ldap.c
39
@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
40
 void init_ldap_conn (void);
41
 
42
 /* Ldap error checking */
43
-void ldap_result_check (const char *msg, char *dn, int err);
44
+void ldap_result_check (const char *msg, const char *dn, int err);
45
 
46
 /* Put a hostname into a char ** array */
47
 char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
48
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
49
 int get_attr_list_size (char **tmp);
50
 
51
 /* Get a DN */
52
-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag);
53
+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
54
 
55
 /* Add to RR list */
56
 void add_to_rr_list (char *dn, char *name, char *type, char *data,
57
@@ -104,11 +104,26 @@ void
58
 init_ldap_conn ();
59
 void usage();
60
 
61
-char *argzone, *ldapbase, *binddn, *bindpw = NULL;
62
-const char *ldapsystem = "localhost";
63
-static const char *objectClasses[] =
64
-  { "top", "dNSZone", NULL };
65
-static const char *topObjectClasses[] = { "top", NULL };
66
+static char *argzone, *ldapbase, *binddn, *bindpw = NULL;
67
+
68
+/* these are needed to placate gcc4's const-ness const-ernations : */
69
+static char localhost[] = "localhost";
70
+static char *ldapsystem=&(localhost[0]);
71
+/* dnszone schema class names: */
72
+static char topClass    [] ="top";
73
+static char dNSZoneClass[] ="dNSZone";
74
+static char objectClass [] ="objectClass";
75
+static char dcObjectClass[]="dcObject";
76
+/* dnszone schema attribute names: */
77
+static char relativeDomainName[]="relativeDomainName";
78
+static char dNSTTL            []="dNSTTL";
79
+static char zoneName          []="zoneName";
80
+static char dc                []="dc";
81
+static char sameZone          []="@";
82
+/* LDAPMod mod_values: */
83
+static char *objectClasses    []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
84
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
85
+static char *dn_buffer      [64]={NULL};
86
 LDAP *conn;
87
 unsigned int debug = 0;
88
 
89
@@ -120,7 +135,7 @@ static void
90
 fatal(const char *msg) {
91
   perror(msg);
92
   if (conn != NULL)
93
-    ldap_unbind_s(conn);
94
+    ldap_unbind_ext_s(conn, NULL, NULL);
95
   exit(1);
96
 }
97
 
98
@@ -132,12 +147,13 @@ main (int argc, char **argv)
99
   isc_result_t result;
100
   char *basedn;
101
   ldap_info *tmp;
102
-  LDAPMod *base_attrs[2];
103
-  LDAPMod base;
104
+  LDAPMod *base_attrs[5];
105
+  LDAPMod base, dcBase, znBase, rdnBase;
106
   isc_buffer_t buff;
107
   char *zonefile=0L;
108
   char fullbasedn[1024];
109
   char *ctmp;
110
+  char *zn, *dcp[2], *znp[2], *rdn[2];
111
   dns_fixedname_t fixedzone, fixedname;
112
   dns_rdataset_t rdataset;
113
   char **dc_list;
114
@@ -150,7 +166,7 @@ main (int argc, char **argv)
115
   extern char *optarg;
116
   extern int optind, opterr, optopt;
117
   int create_base = 0;
118
-  int topt;
119
+  int topt, dcn, zdn, znlen;
120
 
121
   if (argc < 2)
122
     {
123
@@ -158,7 +174,7 @@ main (int argc, char **argv)
124
       exit (-1);
125
     }
126
 
127
-  while ((topt = getopt (argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
128
+  while ((topt = getopt (argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
129
     {
130
       switch (topt)
131
 	{
132
@@ -181,6 +197,9 @@ main (int argc, char **argv)
133
 	  if (bindpw == NULL)
134
 	    fatal("strdup");
135
 	  break;
136
+	case 'W':
137
+	  bindpw = getpass("Enter LDAP Password: ");
138
+	  break;
139
 	case 'b':
140
 	  ldapbase = strdup (optarg);
141
 	  if (ldapbase == NULL)
142
@@ -302,17 +321,51 @@ main (int argc, char **argv)
143
 	printf ("Creating base zone DN %s\n", argzone);
144
 
145
       dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
146
-      basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
147
+      basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
148
+      if (debug)
149
+	printf ("base DN %s\n", basedn);
150
 
151
-      for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
152
+      for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
153
 	{
154
 	  if ((*ctmp == ',') || (ctmp == &basedn[0]))
155
 	    {
156
 	      base.mod_op = LDAP_MOD_ADD;
157
-	      base.mod_type = (char*)"objectClass";
158
+	      base.mod_type = objectClass;
159
 	      base.mod_values = (char**)topObjectClasses;
160
 	      base_attrs[0] = (void*)&base;
161
-	      base_attrs[1] = NULL;
162
+
163
+	      dcBase.mod_op = LDAP_MOD_ADD;
164
+	      dcBase.mod_type = dc;
165
+	      dcp[0]=dc_list[dcn];
166
+	      dcp[1]=0L;
167
+	      dcBase.mod_values=dcp;
168
+	      base_attrs[1] = (void*)&dcBase;
169
+
170
+	      znBase.mod_op = LDAP_MOD_ADD;
171
+	      znBase.mod_type = zoneName;
172
+	      for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
173
+		  znlen += strlen(dc_list[zdn])+1;
174
+	      znp[0] = (char*)malloc(znlen+1);
175
+	      znp[1] = 0L;
176
+	      for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
177
+		  zn+=sprintf(zn,"%s%s",dc_list[zdn],
178
+			      ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
179
+		             );
180
+
181
+	      znBase.mod_values = znp;
182
+	      base_attrs[2] = (void*)&znBase;
183
+
184
+	      rdnBase.mod_op = LDAP_MOD_ADD;
185
+	      rdnBase.mod_type = relativeDomainName;
186
+	      rdn[0] = strdup(sameZone);
187
+	      rdn[1] = 0L;
188
+	      rdnBase.mod_values = rdn;
189
+	      base_attrs[3] = (void*)&rdnBase;
190
+
191
+	      dcn++;
192
+
193
+	      base.mod_values = topObjectClasses;
194
+	      base_attrs[4] = NULL;
195
 
196
 	      if (ldapbase)
197
 		{
198
@@ -329,6 +382,10 @@ main (int argc, char **argv)
199
 		  else
200
 		    sprintf (fullbasedn, "%s", ctmp);
201
 		}
202
+
203
+	      if( debug )
204
+		  printf("Full base dn: %s\n", fullbasedn);
205
+
206
 	      result = ldap_add_s (conn, fullbasedn, base_attrs);
207
 	      ldap_result_check ("initial ldap_add_s", fullbasedn, result);
208
 	    }
209
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
210
   isc_result_check (result, "dns_rdata_totext");
211
   data[isc_buffer_usedlength (&buff)] = 0;
212
 
213
-  dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT);
214
+  dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT);
215
   len = (get_attr_list_size (dc_list) - 2);
216
-  dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC);
217
+  dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone);
218
 
219
   if (debug)
220
     printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
221
 
222
-  add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT);
223
+  add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
224
 }
225
 
226
 
227
@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
228
   int attrlist;
229
   char ldap_type_buffer[128];
230
   char charttl[64];
231
-
232
+  char *zn;
233
+  int znlen;
234
 
235
   if ((tmp = locate_by_dn (dn)) == NULL)
236
     {
237
@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
238
 	    fatal("malloc");
239
 	}
240
       tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
241
-      tmp->attrs[0]->mod_type = (char*)"objectClass";
242
+      tmp->attrs[0]->mod_type = objectClass;
243
 
244
       if (flags == DNS_OBJECT)
245
-	tmp->attrs[0]->mod_values = (char**)objectClasses;
246
+	tmp->attrs[0]->mod_values = objectClasses;
247
       else
248
 	{
249
 	  tmp->attrs[0]->mod_values = (char**)topObjectClasses;
250
@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
251
 	}
252
 
253
       tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
254
-      tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
255
+      tmp->attrs[1]->mod_type = relativeDomainName;
256
       tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
257
 
258
       if (tmp->attrs[1]->mod_values == (char **)NULL)
259
@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
260
 	 fatal("strdup");
261
 
262
       tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
263
-      tmp->attrs[3]->mod_type = (char*)"dNSTTL";
264
+      tmp->attrs[3]->mod_type = dNSTTL;
265
       tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
266
 
267
       if (tmp->attrs[3]->mod_values == (char **)NULL)
268
@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
269
       if (tmp->attrs[3]->mod_values[0] == NULL)
270
 	 fatal("strdup");
271
 
272
+      znlen=strlen(gbl_zone);
273
+      if ( gbl_zone[znlen-1] == '.' )
274
+      { /* ldapdb MUST search by relative zone name */
275
+	  zn = (char*)malloc(znlen);
276
+	  memcpy(zn, gbl_zone, znlen-1);
277
+	  zn[znlen-1]='\0';
278
+      }else
279
+      {
280
+	  zn = gbl_zone;
281
+      }
282
+
283
       tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
284
-      tmp->attrs[4]->mod_type = (char*)"zoneName";
285
+      tmp->attrs[4]->mod_type = zoneName;
286
       tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
287
 
288
       if (tmp->attrs[4]->mod_values == (char **)NULL)
289
 	 fatal("calloc");
290
 
291
-      tmp->attrs[4]->mod_values[0] = gbl_zone;
292
+      tmp->attrs[4]->mod_values[0] = zn;
293
       tmp->attrs[4]->mod_values[1] = NULL;
294
 
295
       tmp->attrs[5] = NULL;
296
@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
297
   else
298
     {
299
 
300
-      for (i = 0; tmp->attrs[i] != NULL; i++)
301
+	for (i = 0; tmp->attrs[i] != NULL; i++)
302
 	{
303
 	  sprintf (ldap_type_buffer, "%sRecord", type);
304
 	  if (!strncmp
305
@@ -631,44 +700,70 @@ char **
306
 hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
307
 {
308
   char *tmp;
309
-  static char *dn_buffer[64];
310
   int i = 0;
311
-  char *zname;
312
-  char *hnamebuff;
313
-
314
-  zname = strdup (hostname);
315
-  if (zname == NULL)
316
-	fatal("strdup");
317
-
318
-  if (flags == DNS_OBJECT)
319
-    {
320
-
321
-      if (strlen (zname) != strlen (zone))
322
-	{
323
-	  tmp = &zname[strlen (zname) - strlen (zone)];
324
-	  *--tmp = '\0';
325
-	  hnamebuff = strdup (zname);
326
-	  if (hnamebuff == NULL)
327
-		fatal("strdup");
328
-	  zname = ++tmp;
329
-	}
330
-      else
331
-	hnamebuff = (char*)"@";
332
-    }
333
-  else
334
-    {
335
-      zname = zone;
336
-      hnamebuff = NULL;
337
-    }
338
-
339
-  for (tmp = strrchr (zname, '.'); tmp != (char *) 0;
340
-       tmp = strrchr (zname, '.'))
341
-    {
342
-      *tmp++ = '\0';
343
-      dn_buffer[i++] = tmp;
344
-    }
345
-  dn_buffer[i++] = zname;
346
-  dn_buffer[i++] = hnamebuff;
347
+  char *hname=0L, *last=0L;
348
+  int hlen=strlen(hostname), zlen=(strlen(zone));
349
+
350
+/*  printf("hostname: %s zone: %s\n",hostname, zone); */
351
+  hname=0L;
352
+  if(flags == DNS_OBJECT)
353
+  {
354
+      if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
355
+      {
356
+	  hname=(char*)malloc(hlen + 1);
357
+	  hlen += 1;
358
+	  sprintf(hname, "%s.", hostname);
359
+	  hostname = hname;
360
+      }
361
+      if(strcmp(hostname, zone) == 0)
362
+      {
363
+	  if( hname == 0 )
364
+	      hname=strdup(hostname);
365
+	  last = strdup(sameZone);
366
+      }else
367
+      {
368
+	  if(  (hlen < zlen)
369
+	     ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
370
+	    )
371
+	  {
372
+	      if( hname != 0 )
373
+		  free(hname);
374
+	      hname=(char*)malloc( hlen + zlen + 1);
375
+	      if( *zone == '.' )
376
+		  sprintf(hname, "%s%s", hostname, zone);
377
+	      else
378
+		  sprintf(hname,"%s",zone);
379
+	  }else
380
+	  {
381
+	      if( hname == 0 )
382
+		  hname = strdup(hostname);
383
+	  }
384
+	  last = hname;
385
+      }
386
+  }else
387
+  { /* flags == DNS_TOP */
388
+      hname = strdup(zone);
389
+      last = hname;
390
+  }
391
+
392
+  for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
393
+       tmp = strrchr (hname, '.'))
394
+  {
395
+      if( *( tmp + 1 ) != '\0' )
396
+      {
397
+	  *tmp = '\0';
398
+	  dn_buffer[i++] = ++tmp;
399
+      }else
400
+      { /* trailing '.' ! */
401
+	  dn_buffer[i++] = strdup(".");
402
+	  *tmp = '\0';
403
+	  if( tmp == hname )
404
+	      break;
405
+      }
406
+  }
407
+  if( ( last != hname ) && (tmp != hname) )
408
+      dn_buffer[i++] = hname;
409
+  dn_buffer[i++] = last;
410
   dn_buffer[i] = NULL;
411
 
412
   return dn_buffer;
413
@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
414
  * exception of "@"/SOA. */
415
 
416
 char *
417
-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag)
418
+build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
419
 {
420
   int size;
421
-  int x;
422
-  static char dn[1024];
423
-  char tmp[128];
424
+  int x, znlen;
425
+  static char dn[DNS_NAME_MAXTEXT*3/2];
426
+  char tmp[DNS_NAME_MAXTEXT*3/2];
427
+  char zn[DNS_NAME_MAXTEXT+1];
428
 
429
   bzero (tmp, sizeof (tmp));
430
   bzero (dn, sizeof (dn));
431
   size = get_attr_list_size (dc_list);
432
+  znlen = strlen(zone);
433
+  if ( zone[znlen-1] == '.' )
434
+  { /* ldapdb MUST search by relative zone name */
435
+      memcpy(&(zn[0]),zone,znlen-1);
436
+      zn[znlen-1]='\0';
437
+      zone = zn;
438
+  }
439
   for (x = size - 2; x > 0; x--)
440
     {
441
     if (flag == WI_SPEC)
442
     {
443
       if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
444
-	sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
445
+	snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
446
       else if (x == (size - 2))
447
-	      sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
448
+	      snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
449
       else
450
-	      sprintf(tmp,"dc=%s,", dc_list[x]);
451
+	      snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
452
     }
453
     else
454
     {
455
-	    sprintf(tmp, "dc=%s,", dc_list[x]);
456
+	    snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
457
     }
458
 
459
 
460
@@ -732,19 +835,18 @@ init_ldap_conn ()
461
     }
462
 
463
   result = ldap_simple_bind_s (conn, binddn, bindpw);
464
-  ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
465
+  ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
466
 }
467
 
468
 /* Like isc_result_check, only for LDAP */
469
 void
470
-ldap_result_check (const char *msg, char *dn, int err)
471
+ldap_result_check (const char *msg, const char *dn, int err)
472
 {
473
   if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
474
     {
475
-      fprintf(stderr, "Error while adding %s (%s):\n",
476
-		      dn, msg);
477
-      ldap_perror (conn, dn);
478
-      ldap_unbind_s (conn);
479
+      fprintf(stderr, "Error while adding %s (%s):\n%s",
480
+		      dn, msg, ldap_err2string(err));
481
+      ldap_unbind_ext_s (conn, NULL, NULL);
482
       exit (-1);
483
     }
484
 }
485
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
486
   int result;
487
   char dnbuffer[1024];
488
 
489
-
490
   if (ldapbase != NULL)
491
     sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase);
492
   else
493
     sprintf (dnbuffer, "%s", ldinfo->dn);
494
 
495
   result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
496
-  ldap_result_check ("ldap_add_s", dnbuffer, result);
497
-}
498
+    ldap_result_check ("ldap_add_s", dnbuffer, result);
499
 
500
+}
501
 
502
 
503
 
504
@@ -776,5 +877,5 @@ void
505
 usage ()
506
 {
507
   fprintf (stderr,
508
-	   "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
509
+	   "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] "
510
 	   "[-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}
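Review bot: The usage text keeps `-w BIND PASSWORD` as the first alternative and describes the new option only as `-W:prompt`. A password given with `-w` is visible to other local users in the process list, so the help should say that `-W` prompts for the password and is the preferred form; `-W:prompt` also does not match the bracket style used for the other options.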
... ... --- a/bind-9.3.2b2-sdbsrc.patch
... ... +++ /dev/null
... ... @@ -1,230 +0,0 @@
0
diff --git a/contrib/sdb/bdb/bdb.c b/contrib/sdb/bdb/bdb.c
1
index 23594bb..b3c6619 100644
2
--- a/contrib/sdb/bdb/bdb.c
3
+++ b/contrib/sdb/bdb/bdb.c
4
@@ -43,7 +43,7 @@
5
 #include <dns/lib.h>
6
 #include <dns/ttl.h>
7
 
8
-#include <named/bdb.h>
9
+#include "bdb.h"
10
 #include <named/globals.h>
11
 #include <named/config.h>
12
 
13
diff --git a/contrib/sdb/ldap/zone2ldap.c b/contrib/sdb/ldap/zone2ldap.c
14
index 07c89bc..23dd873 100644
15
--- a/contrib/sdb/ldap/zone2ldap.c
16
+++ b/contrib/sdb/ldap/zone2ldap.c
17
@@ -63,16 +63,16 @@ typedef struct LDAP_INFO
18
 ldap_info;
19
 
20
 /* usage Info */
21
-void usage ();
22
+void usage (void);
23
 
24
 /* Add to the ldap dit */
25
 void add_ldap_values (ldap_info * ldinfo);
26
 
27
 /* Init an ldap connection */
28
-void init_ldap_conn ();
29
+void init_ldap_conn (void);
30
 
31
 /* Ldap error checking */
32
-void ldap_result_check (char *msg, char *dn, int err);
33
+void ldap_result_check (const char *msg, char *dn, int err);
34
 
35
 /* Put a hostname into a char ** array */
36
 char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
37
@@ -88,7 +88,7 @@ void add_to_rr_list (char *dn, char *name, char *type, char *data,
38
 		     unsigned int ttl, unsigned int flags);
39
 
40
 /* Error checking */
41
-void isc_result_check (isc_result_t res, char *errorstr);
42
+void isc_result_check (isc_result_t res, const char *errorstr);
43
 
44
 /* Generate LDIF Format files */
45
 void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
46
@@ -97,11 +97,17 @@ void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
47
 /* head pointer to the list */
48
 ldap_info *ldap_info_base = NULL;
49
 
50
+ldap_info *
51
+locate_by_dn (char *dn);
52
+void
53
+init_ldap_conn ();
54
+void usage();
55
+
56
 char *argzone, *ldapbase, *binddn, *bindpw = NULL;
57
-char *ldapsystem = "localhost";
58
-static char *objectClasses[] =
59
+const char *ldapsystem = "localhost";
60
+static const char *objectClasses[] =
61
   { "top", "dNSZone", NULL };
62
-static char *topObjectClasses[] = { "top", NULL };
63
+static const char *topObjectClasses[] = { "top", NULL };
64
 LDAP *conn;
65
 unsigned int debug = 0;
66
 
67
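Review bot: The added declarations `init_ldap_conn ();` and `void usage();` are redundant and old-style: the first hunk of this file already turns both into `(void)` prototypes, and a declaration with empty parentheses carries no parameter information, so these lines add nothing. Drop them and keep only `locate_by_dn (char *dn);`. Making `objectClasses` and `topObjectClasses` `const char *` is fine, but it is what forces the `(char**)` casts in the later hunks.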
@@ -128,7 +134,7 @@ main (int argc, char **argv)
68
   LDAPMod *base_attrs[2];
69
   LDAPMod base;
70
   isc_buffer_t buff;
71
-  char *zonefile;
72
+  char *zonefile=0L;
73
   char fullbasedn[1024];
74
   char *ctmp;
75
   dns_fixedname_t fixedzone, fixedname;
76
@@ -304,9 +310,9 @@ main (int argc, char **argv)
77
 	  if ((*ctmp == ',') || (ctmp == &basedn[0]))
78
 	    {
79
 	      base.mod_op = LDAP_MOD_ADD;
80
-	      base.mod_type = "objectClass";
81
-	      base.mod_values = topObjectClasses;
82
-	      base_attrs[0] = &base;
83
+	      base.mod_type = (char*)"objectClass";
84
+	      base.mod_values = (char**)topObjectClasses;
85
+	      base_attrs[0] = (void*)&base;
86
 	      base_attrs[1] = NULL;
87
 
88
 	      if (ldapbase)
89
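Review bot: `base_attrs[0] = (void*)&base;` needs no cast, since the context of the previous hunk declares `LDAPMod *base_attrs[2];` and `LDAPMod base;`, and the `(void*)` only switches off type checking on that assignment. Remove it. The `(char**)topObjectClasses` cast discards the `const` this patch has just added to the array, which deserves a short comment saying the values are never modified through `mod_values`.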
@@ -363,7 +369,7 @@ main (int argc, char **argv)
90
  * I should probably rename this function, as not to cause any
91
  * confusion with the isc* routines. Will exit on error. */
92
 void
93
-isc_result_check (isc_result_t res, char *errorstr)
94
+isc_result_check (isc_result_t res, const char *errorstr)
95
 {
96
   if (res != ISC_R_SUCCESS)
97
     {
98
@@ -470,20 +476,20 @@ add_to_rr_list (char *dn, char *name, char *type,
99
       if (tmp->attrs == (LDAPMod **) NULL)
100
 	fatal("calloc");
101
 
102
-      for (i = 0; i < flags; i++)
103
+      for (i = 0; i < (int)flags; i++)
104
 	{
105
 	  tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
106
 	  if (tmp->attrs[i] == (LDAPMod *) NULL)
107
 	    fatal("malloc");
108
 	}
109
       tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
110
-      tmp->attrs[0]->mod_type = "objectClass";
111
+      tmp->attrs[0]->mod_type = (char*)"objectClass";
112
 
113
       if (flags == DNS_OBJECT)
114
-	tmp->attrs[0]->mod_values = objectClasses;
115
+	tmp->attrs[0]->mod_values = (char**)objectClasses;
116
       else
117
 	{
118
-	  tmp->attrs[0]->mod_values = topObjectClasses;
119
+	  tmp->attrs[0]->mod_values = (char**)topObjectClasses;
120
 	  tmp->attrs[1] = NULL;
121
 	  tmp->attrcnt = 2;
122
 	  tmp->next = ldap_info_base;
123
@@ -492,7 +498,7 @@ add_to_rr_list (char *dn, char *name, char *type,
124
 	}
125
 
126
       tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
127
-      tmp->attrs[1]->mod_type = "relativeDomainName";
128
+      tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
129
       tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
130
 
131
       if (tmp->attrs[1]->mod_values == (char **)NULL)
132
@@ -521,7 +527,7 @@ add_to_rr_list (char *dn, char *name, char *type,
133
 	 fatal("strdup");
134
 
135
       tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
136
-      tmp->attrs[3]->mod_type = "dNSTTL";
137
+      tmp->attrs[3]->mod_type = (char*)"dNSTTL";
138
       tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
139
 
140
       if (tmp->attrs[3]->mod_values == (char **)NULL)
141
@@ -535,7 +541,7 @@ add_to_rr_list (char *dn, char *name, char *type,
142
 	 fatal("strdup");
143
 
144
       tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
145
-      tmp->attrs[4]->mod_type = "zoneName";
146
+      tmp->attrs[4]->mod_type = (char*)"zoneName";
147
       tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
148
 
149
       if (tmp->attrs[4]->mod_values == (char **)NULL)
150
@@ -648,7 +654,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
151
 	  zname = ++tmp;
152
 	}
153
       else
154
-	hnamebuff = "@";
155
+	hnamebuff = (char*)"@";
156
     }
157
   else
158
     {
159
@@ -727,12 +733,12 @@ init_ldap_conn ()
160
     }
161
 
162
   result = ldap_simple_bind_s (conn, binddn, bindpw);
163
-  ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
164
+  ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
165
 }
166
 
167
 /* Like isc_result_check, only for LDAP */
168
 void
169
-ldap_result_check (char *msg, char *dn, int err)
170
+ldap_result_check (const char *msg, char *dn, int err)
171
 {
172
   if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
173
     {
174
diff --git a/contrib/sdb/pgsql/pgsqldb.c b/contrib/sdb/pgsql/pgsqldb.c
175
index 50d3cba..516eb9f 100644
176
--- a/contrib/sdb/pgsql/pgsqldb.c
177
+++ b/contrib/sdb/pgsql/pgsqldb.c
178
@@ -23,7 +23,7 @@
179
 #include <string.h>
180
 #include <stdlib.h>
181
 
182
-#include <pgsql/libpq-fe.h>
183
+#include <libpq-fe.h>
184
 
185
 #include <isc/mem.h>
186
 #include <isc/print.h>
187
diff --git a/contrib/sdb/pgsql/zonetodb.c b/contrib/sdb/pgsql/zonetodb.c
188
index b8f5912..ff2d135 100644
189
--- a/contrib/sdb/pgsql/zonetodb.c
190
+++ b/contrib/sdb/pgsql/zonetodb.c
191
@@ -37,7 +37,7 @@
192
 #include <dns/rdatatype.h>
193
 #include <dns/result.h>
194
 
195
-#include <pgsql/libpq-fe.h>
196
+#include <libpq-fe.h>
197
 
198
 /*
199
  * Generate a PostgreSQL table from a zone.
200
@@ -54,6 +54,9 @@ char *dbname, *dbtable;
201
 char str[10240];
202
 
203
 void
204
+closeandexit(int status);
205
+
206
+void
207
 closeandexit(int status) {
208
 	if (conn != NULL)
209
 		PQfinish(conn);
210
@@ -61,6 +64,9 @@ closeandexit(int status) {
211
 }
212
 
213
 void
214
+check_result(isc_result_t result, const char *message);
215
+
216
+void
217
 check_result(isc_result_t result, const char *message) {
218
 	if (result != ISC_R_SUCCESS) {
219
 		fprintf(stderr, "%s: %s\n", message,
220
@@ -84,7 +90,8 @@ quotestring(const unsigned char *source, unsigned char *dest) {
221
 	}
222
 	*dest++ = 0;
223
 }
224
-
225
+void
226
+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata);
227
 void
228
 addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
229
 	unsigned char namearray[DNS_NAME_MAXTEXT + 1];
... ... --- /dev/null
... ... +++ b/bind-9.5-PIE.patch
... ... @@ -0,0 +1,30 @@
1
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
2
index eb622d1..37053a7 100644
3
--- a/bin/named/Makefile.in
4
+++ b/bin/named/Makefile.in
5
@@ -117,8 +117,12 @@ SRCS =		builtin.c config.c control.c \
6
 		tkeyconf.c tsigconf.c zoneconf.c \
7
 		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
8
 
9
+EXT_CFLAGS = -fpie
10
+
11
 @BIND9_MAKE_RULES@
12
 
13
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
14
+
15
 main.@O@: main.c
16
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
17
 		-DVERSION=\"${VERSION}\" \
18
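Review bot: `EXT_CFLAGS = -fpie` is a plain assignment, so anything assigned to `EXT_CFLAGS` earlier in the makefile is replaced, while the `LDFLAGS` line just below it uses `+=`; use `+=` for both or say why the override is intended. Consider `-fPIE` as well, which avoids the global offset table size limit that `-fpie` carries on some targets. The patch has no description, so the reason for `-z,nodlopen` next to `relro`, `now` and `noexecstack` should be recorded in its header.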
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
19
index fd9ca8d..f1c102c 100644
20
--- a/bin/named/unix/Makefile.in
21
+++ b/bin/named/unix/Makefile.in
22
@@ -11,6 +11,8 @@ srcdir =	@srcdir@
23
 VPATH =		@srcdir@
24
 top_srcdir =	@top_srcdir@
25
 
26
+EXT_CFLAGS = -fpie
27
+
28
 @BIND9_MAKE_INCLUDES@
29
 
30
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/../include \
... ... --- a/bind-9.9.1-P2-multlib-conflict.patch
... ... +++ /dev/null
... ... @@ -1,54 +0,0 @@
0
diff --git a/config.h.in b/config.h.in
1
index 4ecaa8f..2f65ccc 100644
2
--- a/config.h.in
3
+++ b/config.h.in
4
@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
5
 #undef PREFER_GOSTASN1
6
 
7
 /* The size of `void *', as computed by sizeof. */
8
-#undef SIZEOF_VOID_P
9
+/* #undef SIZEOF_VOID_P */
10
 
11
 /* Define to 1 if you have the ANSI C header files. */
12
 #undef STDC_HEADERS
13
diff --git a/isc-config.sh.in b/isc-config.sh.in
14
index a8a0a89..b5e94ed 100644
15
--- a/isc-config.sh.in
16
+++ b/isc-config.sh.in
17
@@ -13,7 +13,18 @@ prefix=@prefix@
18
 exec_prefix=@exec_prefix@
19
 exec_prefix_set=
20
 includedir=@includedir@
21
-libdir=@libdir@
22
+arch=$(uname -m)
23
+
24
+case $arch in
25
+	x86_64 | amd64 | sparc64 | s390x | ppc64)
26
+		libdir=/usr/lib64
27
+		sec_libdir=/usr/lib
28
+		;;
29
+	* )
30
+		libdir=/usr/lib
31
+		sec_libdir=/usr/lib64
32
+		;;
33
+esac
34
 
35
 usage()
36
 {
37
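Review bot: The `case $arch in` list hardcodes `x86_64 | amd64 | sparc64 | s390x | ppc64`, so any other 64-bit machine name reported by `uname -m` falls through to `libdir=/usr/lib`, and the configured `@libdir@` substitution is discarded entirely. Keep `libdir=@libdir@` as the primary value and derive only the fallback directory from the architecture, and quote `$arch` in the `case`.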
@@ -132,6 +143,16 @@ if test x"$echo_libs" = x"true"; then
38
 	if test x"${exec_prefix_set}" = x"true"; then
39
 		libs="-L${exec_prefix}/lib"
40
 	else
41
+		if [ ! -x $libdir/libisc.so ] ; then
42
+			if [ ! -x $sec_libdir/libisc.so ] ; then
43
+				echo "Error: ISC libs not found in $libdir"
44
+				if [ -d $sec_libdir ] ; then
45
+					echo "Error: ISC libs not found in $sec_libdir"
46
+				fi
47
+				exit 1
48
+			fi
49
+			libdir=$sec_libdir
50
+		fi
51
 		libs="-L${libdir}"
52
 	fi
53
 	if test x"$libirs" = x"true" ; then
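Review bot: The two `echo "Error: ISC libs not found ..."` lines write to stdout, the same stream on which the script prints the library flags, so a caller that captures the output receives the error text as if it were linker arguments; send them to stderr with `>&2`. `$libdir` and `$sec_libdir` are also unquoted in the `[ ! -x ... ]` and `[ -d ... ]` tests.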
... ... --- a/bind-95-rh452060.patch
... ... +++ /dev/null
... ... @@ -1,42 +0,0 @@
0
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
1
index 7622bcd..f382ad0 100644
2
--- a/bin/dig/dighost.c
3
+++ b/bin/dig/dighost.c
4
@@ -1816,6 +1816,13 @@ clear_query(dig_query_t *query) {
5
 
6
 	if (query->timer != NULL)
7
 		isc_timer_detach(&query->timer);
8
+
9
+	if (query->waiting_senddone) {
10
+		debug("send_done not yet called");
11
+		query->pending_free = true;
12
+		return;
13
+	}
14
+
15
 	lookup = query->lookup;
16
 
17
 	if (lookup->current_query == query)
18
@@ -1841,10 +1848,7 @@ clear_query(dig_query_t *query) {
19
 	isc_mempool_put(commctx, query->recvspace);
20
 	isc_buffer_invalidate(&query->recvbuf);
21
 	isc_buffer_invalidate(&query->lengthbuf);
22
-	if (query->waiting_senddone)
23
-		query->pending_free = true;
24
-	else
25
-		isc_mem_free(mctx, query);
26
+	isc_mem_free(mctx, query);
27
 }
28
 
29
 /*%
30
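Review bot: The now unconditional `isc_mem_free(mctx, query);` at the end of `clear_query` is safe only because of the early `return` on `query->waiting_senddone` added in the previous hunk, and nothing at the free site records that dependency. Add an assertion that `waiting_senddone` is false just before the free, so a later reordering cannot reintroduce a free while the send is still outstanding.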
@@ -2897,9 +2901,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
31
 	isc_event_free(&event);
32
 
33
 	if (query->pending_free)
34
-		isc_mem_free(mctx, query);
35
+		clear_query(query);
36
 
37
-	check_if_done();
38
+	check_next_lookup(l);
39
 	UNLOCK_LOOKUP;
40
 }
41
 
... ... --- a/bind-96-old-api.patch
... ... +++ /dev/null
... ... @@ -1,23 +0,0 @@
0
diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
1
--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api	2008-11-24 13:28:13.000000000 +0100
2
+++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c	2008-11-24 13:28:23.000000000 +0100
3
@@ -25,6 +25,7 @@
4
 /* Using LDAPv3 by default, change this if you want v2 */
5
 #ifndef LDAPDB_LDAP_VERSION
6
 #define LDAPDB_LDAP_VERSION 3
7
+#define LDAP_DEPRECATED 1
8
 #endif
9
 
10
 #include <config.h>
11
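Review bot: In `ldapdb.c` the new `#define LDAP_DEPRECATED 1` sits inside the `#ifndef LDAPDB_LDAP_VERSION` block, so a build that defines `LDAPDB_LDAP_VERSION` itself never gets `LDAP_DEPRECATED`. Move the define outside the conditional, as the `zone2ldap.c` hunk of this patch does by placing it before the includes.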
diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
12
--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api	2008-11-24 13:29:05.000000000 +0100
13
+++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c	2008-11-24 13:29:14.000000000 +0100
14
@@ -13,6 +13,8 @@
15
  * ditched dNSDomain2 schema support. Version 0.3-ALPHA
16
  */
17
 
18
+#define LDAP_DEPRECATED 1
19
+
20
 #include <errno.h>
21
 #include <string.h>
22
 #include <stdlib.h>
... ... --- a/bind-keygen.c
... ... +++ /dev/null
... ... @@ -1,20 +0,0 @@
0
#include <stdio.h>
1
#include <string.h>
2
int main(int argc, char **argv)
3
{
4
	FILE *f=fopen("/dev/urandom", "r");
5
	char key[61];
6
	int i=0;
7
	char tmp;
8
	memset(key, 0, 61);
9
	while(i<60) {
10
		tmp=fgetc(f);
11
		if((tmp>='a' && tmp<='z') ||
12
		   (tmp>='A' && tmp<='Z') ||
13
		   (tmp>='0' && tmp<='9'))
14
			key[i++]=tmp;
15
	}
16
	puts(key);
17
	fclose(f);
18
	return(0);
19
}
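Review bot: Removing this helper is reasonable given its defects: the result of `fopen("/dev/urandom", "r")` is never checked for NULL before `fgetc(f)`, and `tmp` is a `char`, so an `EOF` or read error from `fgetc` cannot be told apart from data and the `while(i<60)` loop has no exit on failure. The commit should say what replaces it, for example whether `generate-rndc-key.sh`, which stays in the spec's source list, now covers key generation.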
... ... --- a/bind-named-chroot-setup.sysconfig
... ... +++ /dev/null
... ... @@ -1,124 +0,0 @@
0
# Additional directories and files can be bind-mounted into chrooted environment
1
# You may prefer this approach above straight-forward way of copying files as it
2
# allows to keep a clear list of mounts that can be reviewed and modified at any
3
# time, to be sure the files are always up-to-date and to allow direct access to
4
# certain directories and files outside chroot if required.
5
# 
6
# A simple example: bind might fail to start with error "no such engine:id=xxxx"
7
# under some circumstances. Bind uses OpenSSL for DNSSEC. OpenSSL might require
8
# it's crypto-engines if configured accordingly and it loads it's crypto-engine
9
# modules after BIND has entered the chroot environment. It looks for it's files
10
# inside the chroot. We can bind-mount OpenSSL module directory into chroot to
11
# make sure OpenSSL modules are present.
12
# We bind-mount /dev/(u)random because OpenSSL requires (pseudo)random number
13
# generators.
14
15
ROOTDIR_MOUNT='	/usr/lib/openssl-@openssl_shlib_ver@/engines
16
		/usr/lib64/openssl-@openssl_shlib_ver@/engines
17
		/dev/urandom
18
		/dev/random'
19
20
# Please note that this example suits both i586 and x86_64 environments. Mount
21
# script skips non-existant files and directories silently. Be careful as it
22
# skips non-existant mount points the same way. Make sure mount point exists
23
# when you add your own entries.
24
#
25
# It is also generally a good idea to stop named.service before editing the list
26
# to let helper script release currently active mounts first.
27
28
# A more complicated example. Samba 4 and Bind DLZ zones. To be able of reading
29
# Samba zones Bind requires two things: DLZ module (along with quite a number of
30
# shared libraries) and direct access to Samba DNS database.
31
#
32
# This list is for x86_64 environments - just to keep it short:
33
#
34
# ROOTDIR_MOUNT='/etc/samba/smb.conf
35
# 		/etc/ld.so.conf
36
#		/etc/ld.so.conf.d
37
#		/etc/ld.so.cache
38
#		/usr/lib64/samba
39
#		/usr/lib64/sasl2
40
#		/usr/lib64/ldb
41
#		/usr/lib64/openssl-@openssl_shlib_ver@/engines
42
#		/usr/lib64/libsamba-hostconfig.so*
43
#		/usr/lib64/libgensec.so*
44
#		/usr/lib64/libsamba-util.so*
45
#		/usr/lib64/libsamba-credentials.so*
46
#		/usr/lib64/libsamdb.so*
47
#		/usr/lib64/libldb.so*
48
#		/usr/lib64/libtalloc.so*
49
#		/usr/lib64/libndr.so*
50
#		/usr/lib64/libtevent.so*
51
#		/usr/lib64/libtevent-util.so*
52
#		/usr/lib64/libndr-krb5pac.so*
53
#		/usr/lib64/libgnutls.so*
54
#		/usr/lib64/libtdb.so*
55
#		/usr/lib64/libndr-standard.so*
56
#		/usr/lib64/libndr-nbt.so*
57
#		/usr/lib64/libp11-kit.so*
58
#		/usr/lib64/libtasn1.so*
59
#		/usr/lib64/libnettle.so*
60
#		/usr/lib64/libhogweed.so*
61
#		/usr/lib64/libffi.so*
62
#		/usr/lib64/libdcerpc-binding.so*
63
#		/usr/lib64/libsmbconf.so*
64
#		/usr/lib64/libgmp.so*
65
#		/usr/lib64/libfreebl3.so*
66
#		/lib64/libpopt.so*
67
#		/lib64/librt.so*
68
#		/lib64/libcrypt.so*
69
#		/lib64/libfreebl3.so*
70
#		/var/lib/samba/private/dns
71
#		/var/lib/samba/private/dns.keytab
72
#		/var/lib/samba/private/sam.ldb.d'
73
#
74
# And this one is for i586 environments:
75
#
76
# ROOTDIR_MOUNT='/etc/samba/smb.conf
77
# 		/etc/ld.so.conf
78
#		/etc/ld.so.conf.d
79
#		/etc/ld.so.cache
80
#		/usr/lib/samba
81
#		/usr/lib/sasl2
82
#		/usr/lib/ldb
83
#		/usr/lib/openssl-@openssl_shlib_ver@/engines
84
#		/usr/lib/libsamba-hostconfig.so*
85
#		/usr/lib/libgensec.so*
86
#		/usr/lib/libsamba-util.so*
87
#		/usr/lib/libsamba-credentials.so*
88
#		/usr/lib/libsamdb.so*
89
#		/usr/lib/libldb.so*
90
#		/usr/lib/libtalloc.so*
91
#		/usr/lib/libndr.so*
92
#		/usr/lib/libtevent.so*
93
#		/usr/lib/libtevent-util.so*
94
#		/usr/lib/libndr-krb5pac.so*
95
#		/usr/lib/libgnutls.so*
96
#		/usr/lib/libtdb.so*
97
#		/usr/lib/libndr-standard.so*
98
#		/usr/lib/libndr-nbt.so*
99
#		/usr/lib/libp11-kit.so*
100
#		/usr/lib/libtasn1.so*
101
#		/usr/lib/libnettle.so*
102
#		/usr/lib/libhogweed.so*
103
#		/usr/lib/libffi.so*
104
#		/usr/lib/libdcerpc-binding.so*
105
#		/usr/lib/libsmbconf.so*
106
#		/usr/lib/libgmp.so*
107
#		/usr/lib/libfreebl3.so*
108
#		/lib/libpopt.so*
109
#		/lib/librt.so*
110
#		/lib/libcrypt.so*
111
#		/lib/libfreebl3.so*
112
#		/var/lib/samba/private/dns
113
#		/var/lib/samba/private/dns.keytab
114
#		/var/lib/samba/private/sam.ldb.d'
115
116
# Named chroot directory. Default is "/var/lib/named". It is being provisioned
117
# by named package and holds utterly minimalistic environment. If you are in
118
# an unlikely position when you have to keep your own chrooted environment you
119
# may override this path and adopt helper script for your own needs.
120
# Normally this variable should be left untouched.
121
#
122
# ROOTDIR="/var/lib/named"
123
... ... --- a/bind-named-sdb-chroot-setup.service
... ... +++ /dev/null
... ... @@ -1,12 +0,0 @@
0
[Unit]
1
Description=Set-up/destroy chroot environment for named-sdb
2
BindsTo=named-sdb-chroot.service
3
Wants=named-setup-rndc.service
4
After=named-setup-rndc.service
5
6
7
[Service]
8
Type=oneshot
9
RemainAfterExit=yes
10
ExecStart=/usr/sbin/setup-named-chroot.sh /var/named/chroot_sdb on /etc/named-chroot.files
11
ExecStop=/usr/sbin/setup-named-chroot.sh /var/named/chroot_sdb off /etc/named-chroot.files
... ... --- a/bind-named-sdb-chroot.service
... ... +++ /dev/null
... ... @@ -1,30 +0,0 @@
0
# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
1
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
2
# broken when rsyslogd daemon is restarted (due update, for example).
3
4
[Unit]
5
Description=Berkeley Internet Name Domain (DNS)
6
Wants=nss-lookup.target
7
Requires=named-sdb-chroot-setup.service
8
Before=nss-lookup.target
9
After=named-sdb-chroot-setup.service
10
After=network.target
11
12
[Service]
13
Type=forking
14
Environment=NAMEDCONF=/etc/named.conf
15
EnvironmentFile=-/etc/sysconfig/named
16
Environment=KRB5_KTNAME=/etc/named.keytab
17
PIDFile=/var/named/chroot_sdb/run/named/named.pid
18
19
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
20
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
21
22
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
23
24
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
25
26
PrivateTmp=false
27
28
[Install]
29
WantedBy=multi-user.target
... ... --- a/bind-named-sdb.service
... ... +++ /dev/null
... ... @@ -1,26 +0,0 @@
0
[Unit]
1
Description=Berkeley Internet Name Domain (DNS)
2
Wants=nss-lookup.target
3
Wants=named-setup-rndc.service
4
Before=nss-lookup.target
5
After=named-setup-rndc.service
6
After=network.target
7
8
[Service]
9
Type=forking
10
Environment=NAMEDCONF=/etc/named.conf
11
Environment=KRB5_KTNAME=/etc/named.keytab
12
EnvironmentFile=-/etc/sysconfig/named
13
PIDFile=/run/named/named.pid
14
15
ExecStartPre=/bin/bash -c 'if [ "$DISABLE_ZONE_CHECKING" != "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
16
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
17
18
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
19
20
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
21
22
PrivateTmp=true
23
24
[Install]
25
WantedBy=multi-user.target
... ... --- a/bind-named.sysconfig
... ... +++ /dev/null
... ... @@ -1,2 +0,0 @@
0
# OPTIONS="whatever" -- These additional options will be passed to named
1
#                       at startup.
... ... --- a/bind.keys
... ... +++ /dev/null
... ... @@ -1,69 +0,0 @@
0
# The bind.keys file is used to override the built-in DNSSEC trust anchors
1
# which are included as part of BIND 9.  As of the current release, the only
2
# trust anchors it contains are those for the DNS root zone ("."), and for
3
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
4
# for any other zones MUST be configured elsewhere; if they are configured
5
# here, they will not be recognized or used by named.
6
#
7
# The built-in trust anchors are provided for convenience of configuration.
8
# They are not activated within named.conf unless specifically switched on.
9
# To use the built-in root key, set "dnssec-validation auto;" in
10
# named.conf options.  To use the built-in DLV key, set
11
# "dnssec-lookaside auto;".  Without these options being set,
12
# the keys in this file are ignored.
13
#
14
# This file is NOT expected to be user-configured.
15
#
16
# These keys are current as of Feburary 2017.  If any key fails to
17
# initialize correctly, it may have expired.  In that event you should
18
# replace this file with a current version.  The latest version of
19
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
20
21
managed-keys {
22
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
23
        #
24
        # NOTE: The ISC DLV zone is being phased out as of February 2017;
25
        # the key will remain in place but the zone will be otherwise empty.
26
        # Configuring "dnssec-lookaside auto;" to activate this key is
27
        # harmless, but is no longer useful and is not recommended.
28
        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
29
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
30
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
31
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
32
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
33
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
34
                TDN0YUuWrBNh";
35
36
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
37
        # for current trust anchor information.
38
        #
39
        # These keys are activated by setting "dnssec-validation auto;"
40
        # in named.conf.
41
        #
42
        # This key (19036) is to be phased out starting in 2017. It will
43
        # remain in the root zone for some time after its successor key
44
        # has been added. It will remain this file until it is removed from
45
        # the root zone.
46
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
47
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
48
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
49
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
50
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
51
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
52
                QxA+Uk1ihz0=";
53
54
        # This key (20326) is to be published in the root zone in 2017.
55
        # Servers which were already using the old key (19036) should
56
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
57
        # being set up for the first time can use the contents of this
58
        # file as initializing keys; thereafter, the keys in the
59
        # managed key database will be trusted and maintained
60
        # automatically.
61
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
62
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
63
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
64
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
65
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
66
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
67
                R1AkUTV74bU=";
68
};
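Review bot: Deleting the bundled `bind.keys` drops a file whose own comments date the keys to February 2017 and which still carries the `dlv.isc.org` anchor and root key 19036, both described there as being phased out. The commit message or the spec should state which file now supplies the root trust anchor, for example `named.root.key`, which remains in the source list.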
... ... --- a/bind.rpmlintrc
... ... +++ /dev/null
... ... @@ -1,5 +0,0 @@
0
# allow 640 and 750 permissions, they are intentional
1
addFilter("E: non-standard-dir-perm.*0")
2
addFilter("E: non-readable.*0")
3
# not config files
4
addFilter("W: conffile-without-noreplace-flag /var/named/.*")
... ... --- a/bind.spec
... ... +++ b/bind.spec
... ... @@ -1,1183 +1,521 @@
1
%global openssl_shlib_ver %(cat /usr/include/openssl/opensslv.h | grep '^#' | grep SHLIB_VERSION_NUMBER | grep 'define ' | head -n 1 | awk '{print $NF}' | tr -d '""')
2
%global docbook_style_xsl_ver 1.79.2
3
%global optflags %{optflags} -DLIBMARIADB
4
%define Werror_cflags -Wformat
5
%define _default_patch_fuzz 5
6
7
%define dns_major	1112
8
%define irs_major	161
9
%define isc_major	1107
10
%define bind9_major	161
11
%define lwres_major	161
12
%define isccc_major	161
13
%define isccfg_major	163
14
%define dns_libname	%mklibname dns %{dns_major}
15
%define irs_libname	%mklibname irs %{irs_major}
16
%define isc_libname	%mklibname isc %{isc_major}
17
%define bind9_libname	%mklibname bind9_ %{bind9_major}
18
%define lwres_libname	%mklibname lwres %{lwres_major}
19
%define isccc_libname	%mklibname isccc %{isccc_major}
20
%define isccfg_libname	%mklibname isccfg %{isccfg_major}
21
22
%define dns_pkcs11_major	%{dns_major}
23
%define isc_pkcs11_major	%{isc_major}
24
%define dns_pkcs11_libname	%mklibname dns-pkcs11 %{dns_pkcs11_major}
25
%define isc_pkcs11_libname	%mklibname isc-pkcs11 %{isc_pkcs11_major}
26
27
%define dns_export_major	%{dns_major}
28
%define irs_export_major	%{irs_major}
29
%define isc_export_major	%{isc_major}
30
%define isccfg_export_major	%{isccfg_major}
31
%define dns_export_libname	%mklibname dns-export %{dns_export_major}
32
%define irs_export_libname	%mklibname irs-export %{irs_export_major}
33
%define isc_export_libname	%mklibname isc-export %{isc_export_major}
34
%define isccfg_export_libname	%mklibname isccfg-export %{isccfg_export_major}
35
36
# libisc-nosym requires to be linked with unresolved symbols
37
# When libisc-nosym linking is fixed, it can be defined to 1
38
# Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300
39 1
%define _disable_ld_no_undefined 1
40 2
41
# default options
42
%bcond_without SDB
3
#
4
# Red Hat BIND9 package .spec file
5
#
6
# vim:expandtab ts=2:
7
8
# bcond_without is built by default, unless --without X is passed
9
# bcond_with is built only when --with X is passed to build
10
%bcond_with    SYSTEMTEST
11
%bcond_without GSSTSIG
12
# it is not possible to build the package without PKCS11 sub-package
13
# due to extensive changes to Makefiles
14
%bcond_without PKCS11
15
%bcond_without JSON
43 16
%bcond_without DLZ
44
%bcond_without sdb_ldap
45
%bcond_without sdb_mysql
46
%bcond_without gssapi
47
# pkcs11 support requires a working backend, otherwise bind won't start
48
# http://blogs.sun.com/janp/
49
# http://sourceforge.net/projects/opencryptoki
50
%bcond_without pkcs11
17
# New MaxMind GeoLite support
18
%bcond_without GEOIP2
19
# Disabled temporarily until kyua is fixed on rawhide, bug #1926779
20
%bcond_with UNITTEST
21
%bcond_without DNSTAP
22
%bcond_without LMDB
23
%bcond_without DOC
24
%if 0%{?fedora}
25
# RHEL and ELN do not have all required packages
26
%bcond_without DOCPDF
27
%endif
28
%bcond_with    TSAN
51 29
30
%{?!bind_uid:  %global bind_uid  25}
31
%{?!bind_gid:  %global bind_gid  25}
32
%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
52 33
%global        bind_dir          /var/named
53 34
%global        chroot_prefix     %{bind_dir}/chroot
54
%if %{with SDB}
55
%global        chroot_sdb_prefix %{bind_dir}/chroot_sdb
56
%endif
57 35
%global        chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
58 36
                                         %{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
59
                                         %{_libdir}/bind %{_datadir}/GeoIP
37
                                         %{_libdir}/bind %{_libdir}/named %{_datadir}/GeoIP /proc/sys/net/ipv4
60 38
61 39
%global        selinuxbooleans   named_write_master_zones=1
62
63
Summary:	A DNS (Domain Name System) server
64
Name:		bind
65
Epoch:		1
66
Version:	9.11.26
67
Release:	9
68
License:	MPLv2.0
69
Group:		System/Servers
70
Url:		http://www.isc.org/products/BIND/
71
Source0:	http://ftp.isc.org/isc/bind9/%{version}/%{name}-%{version}.tar.gz
72
Source1:	bind.rpmlintrc
73
Source2:	named.sysconfig
74
Source3:	named.logrotate
75
Source7:	bind-9.3.1rc1-sdb_tools-Makefile.in
76
Source12:	README.sdb_pgsql
77
Source13:	zonetodb-compat.sh
78
# updated bind.keys from https://downloads.isc.org/isc/bind9/keys/9.11/
79
Source14:	bind.keys
80
Source25:	named.conf.sample
81
Source30:	ldap2zone.c
82
Source31:	ldap2zone.1
83
Source32:	named-sdb.8
84
Source33:	zonetodb.1
85
Source34:	zone2sqlite.1
86
Source36:	trusted-key.key
87
Source38: 	bind-named-chroot.service
88
Source39:	bind-named-sdb.service
89
Source40:	bind-named-sdb-chroot.service
90
Source41:	setup-named-chroot.sh
91
Source42:	generate-rndc-key.sh
92
Source43:	named.rwtab
93
Source45:	bind-named-sdb-chroot-setup.service
94
Source46:	bind-named-setup-rndc.service
95
Source47:	named-pkcs11.service
96
Source48:	setup-named-softhsm.sh
97
Source49: 	named-chroot.files
98
Source50:	random.data
99
100
Source51:	bind-manpages.tar.bz2
101
Source52:	bind-dhcp-dynamic-dns-examples.tar.bz2
102
# https://sourceforge.net/projects/mysql-bind/files/mysql-bind/mysql-bind-0.2%20src/mysql-bind.tar.gz
103
Source53:	mysql-bind.tar.gz
104
# (oe) http://bind9-ldap.bayour.com/bind-sdb-ldap-1.0.tar.gz
105
Source54:	bind-sdb-ldap-1.0.tar.bz2
106
107
Source58:	bind-named.service
108
Source59:	bind-named-chroot-setup.service
109
Source60:	bind-named.sysconfig
110
Source61:	bind-keygen.c
111
Source62:	bind-named-chroot-setup.sysconfig
112
Source63:	ftp://ftp.internic.net/domain/named.cache
113
Source90:	named.sysusers.conf
114
Source91:	named.tmpfiles.conf
115
Source100:	bogon_acl.conf
116
Source101:	hosts
117
Source102:	localdomain.zone
118
Source103:	localhost.zone
119
Source104:	logging.conf
120
Source105:	named.broadcast
121
Source106:	named.conf
122
Source107:	named.ip6.local
123
Source108:	named.local
124
Source109:	named.zero
125
Source111:	rndc.key
126
Source112:	trusted_networks_acl.conf
127
Source113:	named.iscdlv.key
128
129
# From Fedora
130
Source114:	named.rfc1912.zones
131
Source115:	named.root.key
132
133
# From CentOS
134
Source116:	named.localhost
135
Source117:	named.loopback
136
Source118:	named.empty
137
Source119:	ftp://ftp.internic.net/domain/named.root
40
## The order of libs is important. See lib/Makefile.in for details
41
%define bind_export_libs isc dns isccfg irs
42
%{!?_export_dir:%global _export_dir /bind9-export/}
43
# libisc-nosym requires to be linked with unresolved symbols
44
# When libisc-nosym linking is fixed, it can be defined to 1
45
# Visit https://bugzilla.redhat.com/show_bug.cgi?id=1540300
46
%undefine _strict_symbol_defs_build
47
#
48
# significant changes:
49
# no more isc-config.sh and bind9-config
50
# lib*.so.X versions of selected libraries no longer provided,
51
# lib*-%%{version}-RH.so is provided as an internal implementation detail
52
53
54
Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
55
Group:    System/Servers
56
Name:     bind
57
License:  MPLv2.0
58
Version:  9.16.35
59
Release:  1
60
Epoch:    1
61
Url:      https://www.isc.org/downloads/bind/
62
#
63
Source0:  https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.tar.xz
64
Source1:  named.sysconfig
65
Source3:  named.logrotate
66
Source4:  https://downloads.isc.org/isc/pgpkeys/codesign2021.txt
67
Source16: named.conf
68
# Refresh by command: dig @a.root-servers.net. +tcp +norec
69
# or from URL
70
Source17: https://www.internic.net/domain/named.root
71
Source18: named.localhost
72
Source19: named.loopback
73
Source20: named.empty
74
Source23: named.rfc1912.zones
75
Source25: named.conf.sample
76
Source27: named.root.key
77
Source35: bind.tmpfiles.d
78
Source36: trusted-key.key
79
Source37: named.service
80
Source38: named-chroot.service
81
Source41: setup-named-chroot.sh
82
Source42: generate-rndc-key.sh
83
Source43: named.rwtab
84
Source44: named-chroot-setup.service
85
Source46: named-setup-rndc.service
86
Source47: named-pkcs11.service
87
Source48: setup-named-softhsm.sh
88
Source49: named-chroot.files
138 89
139 90
# Common patches
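Review bot: the new Source list (new lines 63-88) adds the ISC signing key as `Source4: https://downloads.isc.org/isc/pgpkeys/codesign2021.txt`, and the spec also gains `BuildRequires:  gnupg2`, but no Source entry for a detached signature of `bind-%{version}.tar.xz` is listed, so the key has nothing to verify. Either add the tarball's signature file as a Source and check it in %prep before unpacking, or drop Source4 and the gnupg2 build dependency if signature verification is not intended here.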
140
Patch72:	bind-9.5-dlz-64bit.patch
141
Patch101:	bind-96-old-api.patch
142
Patch102:	bind-95-rh452060.patch
143
Patch112:	bind97-rh645544.patch
144
Patch130:	bind-9.9.1-P2-dlz-libdb.patch
145
Patch131:	bind-9.9.1-P2-multlib-conflict.patch
146
Patch133:	bind99-rh640538.patch
147
Patch134:	bind97-rh669163.patch
148
149
Patch136:	bind-9.10-dist-native-pkcs11.patch
150
# [ISC-Bugs #42525] non-portable use of strlcat in contrib/sdb/ldap/zone2ldap.c
151
# introduced by https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=fc9f0ac5778f78003a7acc957a23711811fec122
152
Patch137:	bind-9.10-use-of-strlcat.patch
153
Patch140:	bind-9.11-rh1410433.patch
154
Patch145:	bind-9.11-rh1205168.patch
155
# Avoid conflicts with OpenSSL PKCS11 engine
156
Patch150:	bind-9.11-engine-pkcs11.patch
157
# [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851
158
Patch153:	bind-9.11-export-suffix.patch
159
Patch154:	bind-9.11-oot-manual.patch
160
Patch155:	bind-9.11-pk11.patch
161
Patch156:	bind-9.11-fips-code.patch
162
Patch157:	bind-9.11-fips-tests.patch
163
Patch158:	bind-9.11-rt31459.patch
164
Patch170:	bind-9.11-feature-test-named.patch
165
# SDB patches
166
Patch11:	bind-9.3.2b2-sdbsrc.patch
167
# Rediffed from Fedora ~28
168
Patch301:	bind-9.10-sdb.patch
169
# needs inpection
170
Patch13: 	bind-9.3.2b1-fix_sdb_ldap.patch
171
172
BuildRequires:	autoconf2.5
173
BuildRequires:	bzip2
174
BuildRequires:	docbook-style-xsl
175
BuildRequires:	file
176
BuildRequires:	kyua
177
BuildRequires:	libtool
178
BuildRequires:	openldap
179
# for %%selinux_set_boolean macro
180
BuildRequires:	selinux-policy
181
BuildRequires:	softhsm
182
# I backported %%sysusers_create_package and %%tmpfiles_create_package
183
BuildRequires:	systemd >= 230-14
184
BuildRequires:	xsltproc
185
%if %{with sdb_ldap}
186
BuildRequires:	db18-devel
187
BuildRequires:	openldap-devel
91
Patch10: bind-9.5-PIE.patch
92
Patch16: bind-9.16-redhat_doc.patch
93
Patch72: bind-9.5-dlz-64bit.patch
94
Patch106:bind93-rh490837.patch
95
Patch112:bind97-rh645544.patch
96
Patch130:bind-9.9.1-P2-dlz-libdb.patch
97
# Make PKCS11 used only for pkcs11 parts
98
Patch135:bind-9.14-config-pkcs11.patch
99
# Fedora specific patch to distribute native-pkcs#11 functionality
100
Patch136:bind-9.10-dist-native-pkcs11.patch
101
# Do not use isc-pkcs11.
102
Patch149:bind-9.11-kyua-pkcs11.patch
103
104
Patch157:bind-9.11-fips-tests.patch
105
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/2689
106
Patch164:bind-9.11-rh1666814.patch
107
108
%{?systemd_ordering}
109
Requires:       coreutils
110
Requires(pre):  shadow-utils
111
Requires(post): shadow-utils
112
Requires(post): grep
113
Requires:       bind-libs = %{EVRD}
114
# This wild require should satisfy %%selinux_set_boolean macro only
115
# in case it needs to be used
116
Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
117
Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
118
Recommends:     bind-utils bind-dnssec-utils
119
BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
120
BuildRequires:  libidn2-devel, libxml2-devel
121
BuildRequires:  selinux-policy
122
# needed for %%{__python3} macro
123
BuildRequires:  python3-devel
124
BuildRequires:  python3-ply
125
BuildRequires:  findutils sed
126
BuildRequires:  gnupg2
127
BuildRequires:  libuv-devel
128
%if %{with DLZ}
129
BuildRequires:  openldap-devel
130
BuildRequires:  pkgconfig(libpq)
131
BuildRequires:  sqlite-devel, mariadb-connector-c-devel
188 132
%endif
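Review bot: the two boolean `Requires(post): ((...) if (selinux-policy-targeted or selinux-policy-mls))` lines at new lines 116-117 are unconditional, while the old spec (old lines 214-217 in this diff) kept the same two lines inside `%if %{rpm4}` with the comment "urpmi does not support boolean RPM dependencies". If any target of this package is still resolved by urpmi, keep the guard; if not, say in the commit message that it was dropped on purpose.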
189
BuildRequires:	readline-devel
190
BuildRequires:	pkgconfig(cmocka)
191
BuildRequires:	pkgconfig(geoip)
192
BuildRequires:	pkgconfig(json-c)
193
%if %{with gssapi}
194
BuildRequires:	pkgconfig(krb5-gssapi)
133
%if %{with UNITTEST}
134
# make unit dependencies
135
BuildRequires:  libcmocka-devel kyua
195 136
%endif
196
BuildRequires:	pkgconfig(libidn)
197
BuildRequires:	pkgconfig(libidn2)
198
BuildRequires:	pkgconfig(libpq)
199
BuildRequires:	pkgconfig(libcap) >= 2.10
200
BuildRequires:	pkgconfig(libxml-2.0)
201
BuildRequires:	pkgconfig(libxslt)
202
%if %{with sdb_mysql}
203
BuildRequires:	pkgconfig(mariadb)
137
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
138
BuildRequires:  softhsm
204 139
%endif
205
BuildRequires:	pkgconfig(openssl)
206
BuildRequires:	pkgconfig(python3)
207
BuildRequires:	pkgconfig(sqlite3)
208
BuildRequires:	pkgconfig(zlib)
209
BuildRequires:	pythonegg(ply)
210
BuildRequires:	python3egg(ply)
211
212
# This wild require should satisfy %%selinux_set_boolean macro only
213
# in case it needs to be used
214
%if %{rpm4}
215
# urpmi does not support boolean RPM dependencies
216
Requires(post):	((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
217
Requires(post):	((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
140
%if %{with SYSTEMTEST}
141
# bin/tests/system dependencies
142
BuildRequires:  perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
143
# manual configuration requires this tool
144
BuildRequires:  iproute
218 145
%endif
219
Requires:	bind-utils >= %{EVRD}
220
# takes care of MDV Bug #: 62829
221
Requires:	openssl-engines
222
Requires:	%{dns_libname} = %{EVRD}
223
Requires:	%{irs_libname} = %{EVRD}
224
Requires:	%{isc_libname} = %{EVRD}
225
Requires:	%{bind9_libname} = %{EVRD}
226
Requires:	%{lwres_libname} = %{EVRD}
227
Requires:	%{isccc_libname} = %{EVRD}
228
Requires:	%{isccfg_libname} = %{EVRD}
229
# for generate-rndc-key.sh
230
Requires:	initscripts
231
%if %{with SDB}
232
# for /etc/openldap/schema/dnszone.schema
233
Requires:	openldap-schemas-extra
146
%if %{with GSSTSIG}
147
BuildRequires:  krb5-devel
234 148
%endif
235
Requires(pre):	/bin/systemd-sysusers
236
237
%description
238
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
239
(domain Name System) protocols. BIND includes a DNS server (named), 
240
which resolves host names to IP addresses, and a resolver library 
241
(routines for applications to use when interfacing with DNS).
242
243
%files
244
%defattr(-,root,root,-)
245
%if %{with DLZ}
246
%dir %{_libdir}/bind
247
%{_libdir}/bind/dlz_filesystem_dynamic.so
248
%{_libdir}/bind/dlz_mysql_dynamic.so
249
%{_libdir}/bind/dlz_mysqldyn_mod.so
250
%{_libdir}/bind/dlz_ldap_dynamic.so
251
%{_libdir}/bind/dlz_sqlite3_dynamic.so
149
%if %{with LMDB}
150
BuildRequires:  lmdb-devel
252 151
%endif
253
%if %{with SDB}
254
%{_unitdir}/named-sdb.service
255
%{_mandir}/man1/ldap2zone.1*
256
%{_mandir}/man1/zone2ldap.1*
257
%{_mandir}/man1/zonetodb.1*
258
%{_mandir}/man1/zone2sqlite.1*
259
%{_mandir}/man1/zonetodb-pgsql.1*
260
%{_mandir}/man8/named-sdb.8*
261
%doc contrib/sdb/ldap/README.ldap contrib/sdb/ldap/INSTALL.ldap contrib/sdb/pgsql/README.sdb_pgsql
262
%{_bindir}/zonetodb-pgsql
263
%{_sbindir}/named-sdb
264
%{_bindir}/zone2sqlite
265
 %if %{with sdb_ldap}
266
#doc zone2ldap/zone2ldap.README ldap2zone/README.ldap2zone ldap2zone/dnszone-schema.txt
267
%{_bindir}/zone2ldap
268
%{_bindir}/ldap2zone
269
%{_bindir}/zonetodb
270
 %endif
271
 %if %{with sdb_mysql}
272
%{_bindir}/zonetodb-mysql
273
%doc contrib/sdb/mysql/ChangeLog.mysql contrib/sdb/mysql/README.mysql
274
%{_mandir}/man1/zonetodb-mysql.1*
275
 %endif
152
%if %{with JSON}
153
BuildRequires:  json-c-devel
276 154
%endif
277
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
278
%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
279
%{_sysusersdir}/named.conf
280
%{_tmpfilesdir}/named.conf
281
%{_sysconfdir}/rwtab.d/named
282
%{_unitdir}/named.service
283
%{_unitdir}/named-setup-rndc.service
284
%{_sbindir}/named-journalprint
285
%{_sbindir}/named-checkconf
286
%{_bindir}/named-rrchecker
287
%{_bindir}/mdig
288
%{_sbindir}/lwresd
289
%{_sbindir}/named
290
%{_sbindir}/rndc*
291
%{_sbindir}/generate-rndc-key
292
%{_mandir}/man1/mdig.1.*
293
%{_mandir}/man1/named-rrchecker.1.*
294
%{_mandir}/man5/named.conf.5*
295
%{_mandir}/man5/rndc.conf.5*
296
%{_mandir}/man8/rndc.8*
297
%{_mandir}/man8/named.8*
298
%{_mandir}/man8/lwresd.8*
299
%{_mandir}/man8/named-c*.8*
300
%{_mandir}/man8/rndc-confgen.8*
301
%{_mandir}/man8/named-j*.8*
302
%doc CHANGES README COPYRIGHT
303
%{_sbindir}/dns-keygen
304
%{_sbindir}/dnssec*
305
%{_mandir}/man8/dnssec*.8*
306
%exclude %{_sbindir}/dnssec*pkcs11
307
%exclude %{_mandir}/man8/dnssec*-pkcs11.8**
308
#{_sbindir}/rndc-confgen
309
%config(noreplace) %{_sysconfdir}/logrotate.d/named
310
311
%defattr(0640,root,named,0750)
312
%dir %{_sysconfdir}/named
313
%dir %{_sysconfdir}/crypto-policies/back-ends
314
%config(noreplace) %{_sysconfdir}/named.conf
315
%config(noreplace) %{_sysconfdir}/named.rfc1912.zones
316
%config(noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
317
%defattr(0660,root,named,01770)
318
%dir %{_localstatedir}/named
319
%defattr(0660,named,named,0770)
320
%dir %{_localstatedir}/named/slaves
321
%dir %{_localstatedir}/named/data
322
%dir %{_localstatedir}/named/dynamic
323
%ghost %{_localstatedir}/log/named.log
324
%defattr(0640,root,named,0750)
325
%config %{_localstatedir}/named/named.ca
326
%config %{_localstatedir}/named/named.localhost
327
%config %{_localstatedir}/named/named.loopback
328
%config %{_localstatedir}/named/named.empty
329
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
330
# ^- rndc.key now created on first install only if it does not exist
331
%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
332
# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
333
#    so rndc.conf is not necessary.
334
%config(noreplace) %{_sysconfdir}/bind.keys
335
%config(noreplace) %{_sysconfdir}/named.iscdlv.key
336
337
#files chroot
338
%defattr(-,root,root,-)
339
%{_sbindir}/setup-named-chroot.sh
340
%config(noreplace) %{_sysconfdir}/named-chroot.files
341
%{_unitdir}/named-chroot.service
342
%{_unitdir}/named-chroot-setup.service
343
%defattr(0664,root,named,-)
344
%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
345
%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
346
%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom
347
%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
348
%defattr(0640,root,named,0750)
349
%dir %{chroot_prefix}
350
%dir %{chroot_prefix}/dev
351
%dir %{chroot_prefix}%{_sysconfdir}
352
%dir %{chroot_prefix}%{_sysconfdir}/named
353
%dir %{chroot_prefix}%{_sysconfdir}/pki
354
%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
355
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
356
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
357
%dir %{chroot_prefix}%{_localstatedir}
358
%dir %{chroot_prefix}/run
359
%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
360
%defattr(0660,root,named,01770)
361
%dir %{chroot_prefix}%{_localstatedir}/named
362
%defattr(-,root,root,-)
363
%dir %{chroot_prefix}/usr
364
%dir %{chroot_prefix}/%{_libdir}
365
%dir %{chroot_prefix}/%{_libdir}/bind
366
%dir %{chroot_prefix}/%{_datadir}
367
%dir %{chroot_prefix}/%{_datadir}/GeoIP
368
%defattr(0660,named,named,0770)
369
%dir %{chroot_prefix}%{_localstatedir}/tmp
370
%dir %{chroot_prefix}%{_localstatedir}/log
371
%defattr(-,named,named,-)
372
%dir %{chroot_prefix}/run/named
373
#{_sbindir}/named-chroot.sh
374
%{chroot_prefix}%{_localstatedir}/run
375
%if %{with SDB}
376
#files sdb-chroot
377
%defattr(-,root,root,-)
378
%{_unitdir}/named-sdb-chroot.service
379
%{_unitdir}/named-sdb-chroot-setup.service
380
%defattr(0664,root,named,-)
381
%ghost %dev(c,1,3) %verify(not mtime) %{chroot_sdb_prefix}/dev/null
382
%ghost %dev(c,1,8) %verify(not mtime) %{chroot_sdb_prefix}/dev/random
383
%ghost %dev(c,1,9) %verify(not mtime) %{chroot_sdb_prefix}/dev/urandom
384
%ghost %dev(c,1,5) %verify(not mtime) %{chroot_sdb_prefix}/dev/zero
385
%defattr(0640,root,named,0750)
386
%dir %{chroot_sdb_prefix}
387
%dir %{chroot_sdb_prefix}/dev
388
%dir %{chroot_sdb_prefix}%{_sysconfdir}
389
%dir %{chroot_sdb_prefix}%{_sysconfdir}/named
390
%dir %{chroot_sdb_prefix}%{_sysconfdir}/pki
391
%dir %{chroot_sdb_prefix}%{_sysconfdir}/pki/dnssec-keys
392
%dir %{chroot_sdb_prefix}%{_sysconfdir}/crypto-policies
393
%dir %{chroot_sdb_prefix}%{_sysconfdir}/crypto-policies/back-ends
394
%dir %{chroot_sdb_prefix}%{_localstatedir}
395
%dir %{chroot_sdb_prefix}/run
396
%ghost %config(noreplace) %{chroot_sdb_prefix}%{_sysconfdir}/named.conf
397
%defattr(0660,root,named,01770)
398
%dir %{chroot_sdb_prefix}%{_localstatedir}/named
399
%defattr(-,root,root,-)
400
%dir %{chroot_sdb_prefix}/usr
401
%dir %{chroot_sdb_prefix}/%{_libdir}
402
%dir %{chroot_sdb_prefix}/%{_libdir}/bind
403
%dir %{chroot_sdb_prefix}/%{_datadir}/GeoIP
404
%defattr(0660,named,named,0770)
405
%dir %{chroot_sdb_prefix}%{_localstatedir}/tmp
406
%dir %{chroot_sdb_prefix}%{_localstatedir}/log
407
%defattr(-,named,named,-)
408
%dir %{chroot_sdb_prefix}/run/named
409
%{chroot_sdb_prefix}%{_localstatedir}/run
155
%if %{with GEOIP2}
156
BuildRequires:  libmaxminddb-devel
157
%endif
158
%if %{with DNSTAP}
159
BuildRequires:  fstrm-devel
160
BuildRequires:  pkgconfig(libprotobuf-c)
161
BuildRequires:  protobuf-c
162
%endif
163
# Needed to regenerate dig.1 manpage
164
%if %{with DOC}
165
BuildRequires:  python3-sphinx python3-sphinx_rtd_theme
166
BuildRequires:  doxygen
167
%endif
168
%if %{with DOCPDF}
169
# Because remaining issues with COPR, allow turning off PDF (re)generation
170
BuildRequires:  python3-sphinx-latex latexmk texlive-xetex texlive-xindy
171
%endif
172
%if %{with TSAN}
173
BuildRequires: libtsan
410 174
%endif
411 175
176
%description
177
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
178
(Domain Name System) protocols. BIND includes a DNS server (named),
179
which resolves host names to IP addresses; a resolver library
180
(routines for applications to use when interfacing with DNS); and
181
tools for verifying that the DNS server is operating properly.
412 182
413
%pre
414
%sysusers_create_package named %{SOURCE90}
415
416
%post
417
%tmpfiles_create named.conf
418
if [ -e /etc/rndc.key ] && grep -q "_MY_KEY_" /etc/rndc.key; then
419
	MYKEY="`%{_sbindir}/dns-keygen`"
420
	perl -pi -e "s|_MY_KEY_|$MYKEY|g" %{_sysconfdir}/rndc.key
421
fi
422
if [ -e "%{_sysconfdir}/selinux/config" ]; then
423
  %selinux_set_booleans -s targeted %{selinuxbooleans}
424
  %selinux_set_booleans -s mls %{selinuxbooleans}
425
fi
426
if [ "$1" -eq 1 ]; then
427
  # Initial installation
428
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
429
  # rndc.key has to have correct perms and ownership, CVE-2007-6283
430
  [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
431
  [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
432
else
433
  # Upgrade, use invalid shell
434
  if getent passwd named | grep ':/bin/false$' >/dev/null; then
435
    /usr/sbin/usermod -s /sbin/nologin named
436
  fi
437
  # Checkconf will parse out comments
438
  if %{_sbindir}/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
439
  then
440
    echo "Replacing obsolete named.iscdlv.key with named.root.key..."
441
    if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
442
      sed -e 's/named\.iscdlv\.key/named.root.key/' \
443
        /etc/named.conf.rpmbackup > /etc/named.conf || \
444
      mv /etc/named.conf.rpmbackup /etc/named.conf
445
    fi
446
  fi
447
fi
448
449
# Fix permissions on existing device files on upgrade
450
%define chroot_fix_devices() \
451
if [ $1 -gt 1 ]; then \
452
  for DEV in "%{1}/dev"/{null,random,zero}; do \
453
    if [ -e "$DEV" -a "$(stat --printf="%G %a" "$DEV")" = "root 644" ]; \
454
    then \
455
      chmod 0664 "$DEV" \
456
      chgrp named "$DEV" \
457
    fi \
458
  done \
459
fi
460
461
%chroot_fix_devices %{chroot_prefix}
462
%chroot_fix_devices %{chroot_sdb_prefix}
463
464
# services without [Install] section are not listed here
465
%systemd_post named.service
466
%systemd_post named-chroot.service
467
%systemd_post named-sdb.service
468
%systemd_post named-sdb-chroot.service
469
470
%posttrans
471
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
472
  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
473
fi;
474
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
475
  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_sdb_prefix}/dev/* > /dev/null 2>&1;
476
fi;
477
478
%preun
479
%systemd_preun named.service
480
%systemd_preun named-chroot.service
481
%systemd_preun named-sdb.service
482
%systemd_preun named-sdb-chroot.service
483
484
%postun
485
# XXX is restart really needed?! Will not chroot break?!
486
%systemd_postun_with_restart named.service
487
%systemd_postun_with_restart named-chroot.service
488
%systemd_postun_with_restart named-sdb.service
489
%systemd_postun_with_restart named-sdb-chroot.service
490 183
#----------------------------------------------------------------------
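Review bot: the %post removed here (old lines 416-447) is where a first install ran `chown root:named /etc/rndc.key` and `chmod 0640 /etc/rndc.key` under the comment "rndc.key has to have correct perms and ownership, CVE-2007-6283", and where an upgrade switched the named account from /bin/false to /sbin/nologin; none of the lines added in this part of the diff replaces either step. Confirm that the new scriptlets or generate-rndc-key.sh (Source42) still leave rndc.key as root:named 0640, and keep the CVE reference next to whichever line now does it so the reason is not lost.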
184
%if %{with PKCS11}
185
%package pkcs11
186
Summary: Bind with native PKCS#11 functionality for crypto
187
Requires: bind = %{EVRD}
188
Requires: bind-libs = %{EVRD}
189
Requires: bind-pkcs11-libs = %{EVRD}
190
Recommends: softhsm
491 191
492
%package -n %{dns_libname}
493
Summary:	It's libdns shared library for bind DNS
494
Group:		System/Libraries
495
496
%description -n %{dns_libname}
497
This package contains the libdns shared library for bind DNS.
498
499
%files -n %{dns_libname}
500
%doc README COPYRIGHT
501
%{_libdir}/libdns.so.%{dns_major}*
192
%description pkcs11
193
This is a version of BIND server built with native PKCS#11 functionality.
194
It is important to have SoftHSM v2+ installed and some token initialized.
195
For other supported HSM modules please check the BIND documentation.
502 196
503 197
#----------------------------------------------------------------------
504 198
505
%package -n %{irs_libname}
506
Summary:	It's libirs shared library for bind DNS
507
Group:		System/Libraries
508
509
%description -n %{irs_libname}
510
This package contains the libirs shared library for bind DNS.
511
compiled with native pkcs11
199
%package pkcs11-utils
200
Summary: Bind tools with native PKCS#11 for using DNSSEC
201
Requires: bind-pkcs11-libs = %{EVRD}
202
Requires: bind-dnssec-doc = %{EVRD}
512 203
513
%files -n %{irs_libname}
514
%doc README COPYRIGHT
515
%{_libdir}/libirs.so.%{irs_major}*
204
%description pkcs11-utils
205
This is a set of PKCS#11 utilities that when used together create rsa
206
keys in a PKCS11 keystore. Also utilities for working with DNSSEC
207
compiled with native PKCS#11 functionality are included.
516 208
517 209
#----------------------------------------------------------------------
518 210
519
%package -n %{isc_libname}
520
Summary:	It's libisc shared library for bind DNS
521
Group:		System/Libraries
522
523
%description -n %{isc_libname}
524
This package contains the libisc shared library for bind DNS.
211
%package pkcs11-libs
212
Summary: Bind libraries compiled with native PKCS#11
213
Requires: bind-license = %{EVRD}
214
Requires: bind-libs = %{EVRD}
525 215
526
%files -n %{isc_libname}
527
%doc README COPYRIGHT
528
%{_libdir}/libisc.so.%{isc_major}*
216
%description pkcs11-libs
217
This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
218
functionality.
529 219
530 220
#----------------------------------------------------------------------
531 221
532
%package -n %{bind9_libname}
533
Summary:	It's libbind9 shared library for bind DNS
534
Group:		System/Libraries
535
536
%description -n %{bind9_libname}
537
This package contains the libbind9 shared libraries for bind DNS.
222
%package pkcs11-devel
223
Summary: Development files for Bind libraries compiled with native PKCS#11
224
Requires: bind-pkcs11-libs = %{EVRD}
225
Requires: bind-devel = %{EVRD}
538 226
539
%files -n %{bind9_libname}
540
%doc README COPYRIGHT
541
%{_libdir}/libbind9.so.%{bind9_major}*
227
%description pkcs11-devel
228
This a set of development files for BIND libraries (dns, isc) compiled
229
with native PKCS#11 functionality.
230
%endif
542 231
543 232
#----------------------------------------------------------------------
544 233
545
%package -n %{lwres_libname}
546
Summary:	It's liblwres shared library for bind DNS
547
Group:		System/Libraries
548
549
%description -n %{lwres_libname}
550
This package contains the liblwres shared libraries for bind DNS.
234
%package libs
235
Summary: Libraries used by the BIND DNS packages
236
Requires: bind-license = %{EVRD}
237
Provides: bind-libs-lite = %{EVRD}
551 238
552
%files -n %{lwres_libname}
553
%doc README COPYRIGHT
554
%{_libdir}/liblwres.so.%{lwres_major}*
239
%description libs
240
Contains heavyweight version of BIND suite libraries used by both named DNS
241
server and utilities in bind-utils package.
555 242
556 243
#----------------------------------------------------------------------
557 244
558
%package -n %{isccc_libname}
559
Summary:	It's libisccc shared library for bind DNS
560
Group:		System/Libraries
245
%package license
246
Summary:  License of the BIND DNS suite
247
BuildArch:noarch
561 248
562
%description -n %{isccc_libname}
563
This package contains the libisccc shared libraries for bind DNS.
564
565
%files -n %{isccc_libname}
566
%doc README COPYRIGHT
567
%{_libdir}/libisccc.so.%{isccc_major}*
249
%description license
250
Contains license of the BIND DNS suite.
568 251
569 252
#----------------------------------------------------------------------
570 253
571
%package -n %{isccfg_libname}
572
Summary:	It's libisccfg shared library for bind DNS
573
Group:		System/Libraries
254
%package utils
255
Summary: Utilities for querying DNS name servers
256
Requires: bind-libs = %{EVRD}
257
# For compatibility with Debian package
258
Provides: dnsutils = %{EVRD}
574 259
575
%description -n %{isccfg_libname}
576
This package contains the libisccfg shared library for bind DNS.
260
%description utils
261
Bind-utils contains a collection of utilities for querying DNS (Domain
262
Name System) name servers to find out information about Internet
263
hosts. These tools will provide you with the IP addresses for given
264
host names, as well as other information about registered domains and
265
network addresses.
577 266
578
%files -n %{isccfg_libname}
579
%doc README COPYRIGHT
580
%{_libdir}/libisccfg.so.%{isccfg_major}*
267
You should install bind-utils if you need to get information from DNS name
268
servers.
581 269
582 270
#----------------------------------------------------------------------
583 271
584
%package libs
585
Summary:	Libraries used by the BIND DNS packages
586
Group:		System/Libraries
587
Requires:	%{bind9_libname} = %{EVRD}
588
Requires:	%{lwres_libname} = %{EVRD}
589
Requires:	%{isccc_libname} = %{EVRD}
272
%package dnssec-utils
273
Summary: DNSSEC keys and zones management utilities
274
Requires: bind-libs = %{EVRD}
275
Recommends: bind-utils
276
Requires: python3-bind = %{EVRD}
277
Requires: bind-dnssec-doc = %{EVRD}
590 278
591
%description libs
592
Contains heavyweight version of BIND suite libraries used by both named DNS
593
server and utilities in bind-utils package.
279
%description dnssec-utils
280
Bind-dnssec-utils contains a collection of utilities for editing
281
DNSSEC keys and BIND zone files. These tools provide generation,
282
revocation and verification of keys and DNSSEC signatures in zone files.
594 283
595
%files libs
596
%doc COPYRIGHT
284
You should install bind-dnssec-utils if you need to sign a DNS zone
285
or maintain keys for it.
597 286
598 287
#----------------------------------------------------------------------
599 288
600
%package libs-lite
601
Summary:	Libraries for working with the DNS protocol
602
Group:		System/Libraries
603
Requires:	%{dns_libname} = %{EVRD}
604
Requires:	%{irs_libname} = %{EVRD}
605
Requires:	%{isc_libname} = %{EVRD}
606
Requires:	%{isccfg_libname} = %{EVRD}
607
608
%description libs-lite
609
Contains lite version of BIND suite libraries which are used by various
610
programs to work with DNS protocol.
289
%package dnssec-doc
290
Summary: Manual pages of DNSSEC utilities
291
Requires: bind-license = %{EVRD}
292
BuildArch: noarch
611 293
612
%files libs-lite
613
%doc COPYRIGHT
294
%description dnssec-doc
295
Bind-dnssec-doc contains manual pages for bind-dnssec-utils.
614 296
615 297
#----------------------------------------------------------------------
616 298
617 299
%package devel
618
Summary:	Include files and libraries needed for bind DNS development
619
Group:		Development/C
620
Requires:	bind-libs = %{EVRD}
621
Requires:	bind-lite-devel = %{EVRD}
300
Summary:  Header files and libraries needed for bind-dyndb-ldap
301
Provides: bind-lite-devel = %{EVRD}
302
Requires: bind-libs = %{EVRD}
303
Requires: openssl-devel libxml2-devel
304
Requires: libcap-devel
305
%if %{with GSSTSIG}
306
Requires: krb5-devel
307
%endif
308
%if %{with LMDB}
309
Requires: lmdb-devel
310
%endif
311
%if %{with JSON}
312
Requires:  json-c-devel
313
%endif
314
%if %{with DNSTAP}
315
Requires:  fstrm-devel
316
Requires:  pkgconfig(libprotobuf-c)
317
Requires:  protobuf-c
318
%endif
319
%if %{with GEOIP2}
320
Requires:  libmaxminddb-devel
321
%endif
622 322
623 323
%description devel
624
The bind-devel package contains all the include files and the
625
library required for DNS (Domain Name Service) development for
626
BIND versions 9.x.x.
627
628
%files devel
629
%doc CHANGES README
630
%{_libdir}/libbind9.so
631
%{_libdir}/libisccc.so
632
%{_libdir}/liblwres.so
633
%dir %{_includedir}/bind9
634
%{_includedir}/bind9/config.h
635
%{_includedir}/bind9/bind9
636
%{_includedir}/bind9/isccc
637
%{_includedir}/bind9/lwres
638
%{_mandir}/man1/isc-config.sh.1*
639
%{_mandir}/man1/bind9-config.1*
640
%{_mandir}/man3/lwres*.3*
641
%{_bindir}/bind9-config
642
%{_bindir}/isc-config.sh
324
The bind-devel package contains full version of the header files and libraries
325
required for building bind-dyndb-ldap. Upstream no longer supports nor recommends
326
bind libraries for third party applications.
643 327
644 328
#----------------------------------------------------------------------
645 329
646
%package lite-devel
647
Summary:	Lite version of h-files and libraries needed for BIND DNS develop
648
Group:		Development/C
649
Requires:	bind-libs-lite = %{EVRD}
330
%package chroot
331
Summary:        A chroot runtime environment for the ISC BIND DNS server, named(8)
332
Prefix:         %{chroot_prefix}
333
# grep is required due to setup-named-chroot.sh script
334
Requires:       grep
335
Requires:       bind = %{EVRD}
650 336
651
%description lite-devel
652
The bind-devel package contains all the include files and the
653
library required for DNS (Domain Name Service) development for
654
BIND versions 9.x.x.
655
656
%files lite-devel
657
%doc CHANGES README
658
%{_libdir}/libdns.so
659
%{_libdir}/libirs.so
660
%{_libdir}/libisc.so
661
%{_libdir}/libisccfg.so
662
%dir %{_includedir}/bind9
663
%{_includedir}/bind9/dns
664
%{_includedir}/bind9/dst
665
%{_includedir}/bind9/irs
666
%{_includedir}/bind9/isc
667
%dir %{_includedir}/bind9/pk11
668
%{_includedir}/bind9/pk11/site.h
669
%{_includedir}/bind9/isccfg
337
%description chroot
338
This package contains a tree of files which can be used as a
339
chroot(2) jail for the named(8) program from the BIND package.
340
Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
670 341
671 342
#----------------------------------------------------------------------
672 343
673
%package utils
674
Summary:	Utilities for querying DNS name servers
675
Group:		Networking/Other
676
Requires:	bind-libs = %{EVRD}
677
Requires:	bind-libs-lite = %{EVRD}
678
Requires:	python3-bind = %{EVRD}
679
680
%description utils
681
Bind-utils contains a collection of utilities for querying DNS (Domain
682
Name Service) name servers to find out information about Internet hosts.
683
These tools will provide you with the IP addresses for given host names,
684
as well as other information about registered domains and network 
685
addresses.
344
%if %{with DLZ}
345
%package dlz-filesystem
346
Summary: BIND server filesystem DLZ module
347
Requires: bind = %{EVRD}
686 348
687
%files utils
688
%doc README COPYRIGHT
689
%{_bindir}/delv
690
%{_bindir}/dig
691
%{_bindir}/host
692
%{_bindir}/nslookup
693
%{_bindir}/nsupdate
694
%{_bindir}/arpaname
695
%{_sbindir}/ddns-confgen
696
%{_sbindir}/genrandom
697
%{_sbindir}/nsec3hash
698
%{_sbindir}/isc-hmac-fixup
699
%{_sbindir}/tsig-keygen
700
%{_sbindir}/named-checkzone
701
%{_sbindir}/named-compilezone
702
%{_mandir}/man1/arpaname.1.*
703
%{_mandir}/man1/delv.1.*
704
%{_mandir}/man1/host.1*
705
%{_mandir}/man1/dig.1*
706
%{_mandir}/man1/nslookup.1*
707
%{_mandir}/man1/nsupdate.1*
708
%{_mandir}/man8/ddns-confgen.8.*
709
%{_mandir}/man8/genrandom.8.*
710
%{_mandir}/man8/tsig-keygen.8.*
711
%{_mandir}/man8/nsec3hash.8.*
712
%{_mandir}/man8/isc-hmac-fixup.8.*
713
%{_mandir}/man5/resolver.5*
714
%{_mandir}/man5/resolv.5*
715
%{_sysconfdir}/trusted-key.key
349
%description dlz-filesystem
350
Dynamic Loadable Zones filesystem module for BIND server.
716 351
717 352
#----------------------------------------------------------------------
718 353
719
%package -n %{dns_export_libname}
720
Summary:	It's libdns-export shared library for bind DNS
721
Group:		System/Libraries
722
723
%description -n %{dns_export_libname}
724
This package contains the libdns-export shared library for bind DNS.
354
%package dlz-ldap
355
Summary: BIND server ldap DLZ module
356
Requires: bind = %{EVRD}
725 357
726
%files -n %{dns_export_libname}
727
%doc README COPYRIGHT
728
%{_libdir}/bind9-export/libdns-export.so.%{dns_export_major}*
358
%description dlz-ldap
359
Dynamic Loadable Zones LDAP module for BIND server.
729 360
730 361
#----------------------------------------------------------------------
731 362
732
%package -n %{irs_export_libname}
733
Summary:	It's libirs-export shared library for bind DNS
734
Group:		System/Libraries
363
%package dlz-mysql
364
Summary: BIND server mysql and mysqldyn DLZ modules
365
Requires: bind = %{EVRD}
366
Provides: %{name}-dlz-mysqldyn = %{EVRD}
735 367
736
%description -n %{irs_export_libname}
737
This package contains the libirs-export shared library for bind DNS.
738
compiled with native pkcs11
739
740
%files -n %{irs_export_libname}
741
%doc README COPYRIGHT
742
%{_libdir}/bind9-export/libirs-export.so.%{irs_export_major}*
368
%description dlz-mysql
369
Dynamic Loadable Zones MySQL module for BIND server.
370
Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
743 371
744 372
#----------------------------------------------------------------------
745 373
746
%package -n %{isc_export_libname}
747
Summary:	It's libisc-export shared library for bind DNS
748
Group:		System/Libraries
749
750
%description -n %{isc_export_libname}
751
This package contains the libisc-export shared library for bind DNS.
374
%package dlz-sqlite3
375
Summary: BIND server sqlite3 DLZ module
376
Requires: bind = %{EVRD}
752 377
753
%files -n %{isc_export_libname}
754
%doc README COPYRIGHT
755
%{_libdir}/bind9-export/libisc-export.so.%{isc_export_major}*
378
%description dlz-sqlite3
379
Dynamic Loadable Zones sqlite3 module for BIND server.
380
%endif
756 381
757 382
#----------------------------------------------------------------------
758 383
759
%package -n %{isccfg_export_libname}
760
Summary:	It's libisccfg-export shared library for bind DNS
761
Group:		System/Libraries
762
763
%description -n %{isccfg_export_libname}
764
This package contains the libisccfg-export shared library for bind DNS.
384
%package -n python3-bind
385
Summary:   A module allowing rndc commands to be sent from Python programs
386
Requires:  bind-license = %{EVRD}
387
Requires:  python3 python3-ply
388
BuildArch: noarch
389
Provides:  python3-bind
390
Provides:  python3-isc
765 391
766
%files -n %{isccfg_export_libname}
767
%doc README COPYRIGHT
768
%{_libdir}/bind9-export/libisccfg-export.so.%{isccfg_export_major}*
392
%description -n python3-bind
393
This package provides a module which allows commands to be sent to rndc directly from Python programs.
769 394
770 395
#----------------------------------------------------------------------
771 396
772
%package export-libs
773
Summary:	ISC libs for DHCP application
774
Group:		System/Libraries
775
Requires:	%{dns_export_libname} = %{EVRD}
776
Requires:	%{irs_export_libname} = %{EVRD}
777
Requires:	%{isc_export_libname} = %{EVRD}
778
Requires:	%{isccfg_export_libname} = %{EVRD}
397
%if %{with DOC}
398
%package doc
399
Summary:   BIND 9 Administrator Reference Manual
400
Requires:  bind-license = %{EVRD}
401
Requires:  python3-sphinx_rtd_theme
402
BuildArch: noarch
779 403
780
%description export-libs
404
%description doc
781 405
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
782
(Domain Name System) protocols. This package set contains only export
783
version of BIND libraries, that are used for building ISC DHCP.
406
(Domain Name System) protocols. BIND includes a DNS server (named),
407
which resolves host names to IP addresses; a resolver library
408
(routines for applications to use when interfacing with DNS); and
409
tools for verifying that the DNS server is operating properly.
784 410
785
%files export-libs
786
%doc COPYRIGHT
787
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf
788
789
#----------------------------------------------------------------------
790
791
%package export-devel
792
Summary:	Header files and libraries needed for BIND export libraries
793
Group:		Development/C
794
Requires:	bind-export-libs = %{EVRD}
795
Requires:	openssl-devel
796
Requires:	libcap-devel
797
798
%description export-devel
799
This package contains export version of the header files and libraries
800
required for development with ISC BIND. These headers and libraries
801
are used for building ISC DHCP.
802
803
%files export-devel
804
%{_libdir}/bind9-export/libdns-export.so
805
%{_libdir}/bind9-export/libirs-export.so
806
%{_libdir}/bind9-export/libisc-export.so
807
%{_libdir}/bind9-export/libisccfg-export.so
808
%dir %{_includedir}/bind9-export
809
%{_includedir}/bind9-export/dns
810
%{_includedir}/bind9-export/dst
811
%{_includedir}/bind9-export/irs
812
%{_includedir}/bind9-export/isc
813
%dir %{_includedir}/bind9-export/pk11
814
%{_includedir}/bind9-export/pk11/site.h
815
%{_includedir}/bind9-export/isccfg
816
%{_includedir}/bind9-export/config.h
817
%{_mandir}/man1/isc-export-config.sh.1*
818
%{_mandir}/man1/bind9-export-config.1*
819
%attr(0755,root,root) %{_bindir}/isc-export-config.sh
820
%{_bindir}/bind9-export-config
821
822
#----------------------------------------------------------------------
823
824
%if %{with pkcs11}
825
826
%package -n %{dns_pkcs11_libname}
827
Summary:	Bind libdns-pkcs11 compiled with native pkcs11
828
Group:		System/Libraries
829
830
%description -n %{dns_pkcs11_libname}
831
This package contains the libdns-pkcs11 shared library for bind DNS.
832
833
%files -n %{dns_pkcs11_libname}
834
%doc README COPYRIGHT
835
%{_libdir}/libdns-pkcs11.so.%{dns_pkcs11_major}*
836
837
#----------------------------------------------------------------------
838
839
%package -n %{isc_pkcs11_libname}
840
Summary:	Bind libisc-pkcs11 compiled with native pkcs11
841
Group:		System/Libraries
842
843
%description -n %{isc_pkcs11_libname}
844
This package contains the libisc-pkcs11 shared library for bind DNS.
845
846
%files -n %{isc_pkcs11_libname}
847
%doc README COPYRIGHT
848
%{_libdir}/libisc-pkcs11.so.%{isc_pkcs11_major}*
849
850
#----------------------------------------------------------------------
851
852
%package pkcs11-libs
853
Summary:	Bind libraries compiled with native pkcs11
854
Group:		System/Libraries
855
Requires:	bind-libs = %{EVRD}
856
Requires:	%{dns_pkcs11_libname} = %{EVRD}
857
Requires:	%{isc_pkcs11_libname} = %{EVRD}
858
859
%description pkcs11-libs
860
This is a set of BIND libraries (dns, isc) compiled with native pkcs11
861
functionality.
862
863
%files pkcs11-libs
864
%doc COPYRIGHT
865
866
#----------------------------------------------------------------------
867
868
%package pkcs11-devel
869
Summary:	Development files for Bind libraries compiled with native pkcs11
870
Group:		Development/C
871
872
%description pkcs11-devel
873
This a set of development files for BIND libraries (dns, isc) compiled
874
with native pkcs11 functionality.
875
876
%files pkcs11-devel
877
%doc CHANGES README
878
%dir %{_includedir}/bind9/pk11
879
%{_includedir}/bind9/pk11/*.h
880
%exclude %{_includedir}/bind9/pk11/site.h
881
%{_includedir}/bind9/pkcs11
882
%{_libdir}/libdns-pkcs11.so
883
%{_libdir}/libisc-pkcs11.so
884
%endif
885
886
#----------------------------------------------------------------------
887
888
%package pkcs11
889
Summary:	Bind with native pkcs11 functionality for crypto
890
Group:		System/Base
891
Requires:	bind = %{EVRD}
892
Requires:	bind-libs = %{EVRD}
893
Requires:	bind-libs-lite = %{EVRD}
894
Requires:	bind-pkcs11-libs = %{EVRD}
895
Recommends:	softhsm
896
897
%description pkcs11
898
This is a version of BIND server built with native pkcs11 functionality.
899
It is important to have SoftHSM v2+ installed and some token initialized.
900
For other supported HSM modules please check the BIND documentation.
901
This version of BIND binary is supported only in setup with the IPA server.
902
903
%files pkcs11
904
%doc README COPYRIGHT
905
%{_sbindir}/named-pkcs11
906
%{_unitdir}/named-pkcs11.service
907
%{_mandir}/man8/named-pkcs11.8*
908
%{_sbindir}/setup-named-softhsm
909
910
%post pkcs11
911
# Initial installation
912
%systemd_post named-pkcs11.service
913
914
%preun pkcs11
915
# Package removal, not upgrade
916
%systemd_preun named-pkcs11.service
917
918
%postun pkcs11
919
# Package upgrade, not uninstall
920
%systemd_postun_with_restart named-pkcs11.service
921
922
#----------------------------------------------------------------------
923
924
%package pkcs11-utils
925
Summary:	Bind tools with native PKCS11 for using DNSSEC
926
Group:		System/Base
927
Requires:	bind-pkcs11-libs = %{EVRD}
928
929
%description pkcs11-utils
930
This is a set of PKCS11 utilities that when used together create rsa
931
keys in a PKCS11 keystore. Also utilities for working with DNSSEC
932
compiled with native PKCS11 functionality are included.
933
934
%files pkcs11-utils
935
%doc README COPYRIGHT
936
%{_sbindir}/dnssec*pkcs11
937
%{_sbindir}/pkcs11-destroy
938
%{_sbindir}/pkcs11-keygen
939
%{_sbindir}/pkcs11-list
940
%{_sbindir}/pkcs11-tokens
941
%{_mandir}/man8/pkcs11*.8*
942
%{_mandir}/man8/dnssec*-pkcs11.8*
943
%exclude %{_mandir}/man8/dnssec-coverage.8*
944
%exclude %{_mandir}/man8/dnssec-keymgr.8*
945
946
#----------------------------------------------------------------------
947
948
%package -n python3-bind
949
Summary:	A module allowing rndc commands to be sent from Python programs
950
Group:		Development/Python
951
Requires:	python3egg(ply)
952
BuildArch:	noarch
953
954
%description -n python3-bind
955
This package provides a module which allows commands to be sent to rndc
956
directly from Python programs.
957
958
%files -n python3-bind
959
%doc README COPYRIGHT
960
%{python3_sitelib}/*.egg-info
961
%{python3_sitelib}/isc
962
963
#----------------------------------------------------------------------
964
965
%package doc
966
Summary:	Documentation for BIND
967
Group:		Books/Other
968
969
%description doc
970
The bind-devel package contains the documentation for BIND.
971
972
%files doc
973
%doc doc/misc/ doc/html
974
%doc doc/dhcp-dynamic-dns-examples doc/chroot doc/trustix
411
This package contains BIND 9 Administrator Reference Manual
412
in HTML and PDF format.
413
%end
414
415
%endif
975 416
976 417
#----------------------------------------------------------------------
977 418
978 419
%prep
979
%setup -q -a51 -a52 -a53 -a54
980
# -a55 -a56
420
%setup -q
981 421
982 422
# Common patches
423
%patch10 -p1 -b .PIE
424
%patch16 -p1 -b .redhat_doc
983 425
%patch72 -p1 -b .64bit
984
%patch102 -p1 -b .rh452060
426
%patch106 -p1 -b .rh490837
985 427
%patch112 -p1 -b .rh645544
986 428
%patch130 -p1 -b .libdb
987
%patch131 -p1 -b .multlib-conflict
988
%patch140 -p1 -b .rh1410433
989
%patch145 -p1 -b .rh1205168
990
%patch153 -p1 -b .export_suffix
991
%patch154 -p1 -b .oot-man
992
%patch155 -p1 -b .pk11-internal
993
%patch156 -p1 -b .fips-code
994 429
%patch157 -p1 -b .fips-tests
995
%patch158 -p1 -b .rt31459
996
%patch170 -p1 -b .featuretest-named
430
%patch164 -p1 -b .rh1666814
997 431
998
%if %{with pkcs11}
432
%if %{with PKCS11}
433
%patch135 -p1 -b .config-pkcs11
999 434
cp -r bin/named{,-pkcs11}
1000 435
cp -r bin/dnssec{,-pkcs11}
1001
cp -r lib/isc{,-pkcs11}
1002 436
cp -r lib/dns{,-pkcs11}
437
cp -r lib/ns{,-pkcs11}
1003 438
%patch136 -p1 -b .dist_pkcs11
1004
%patch150 -p1 -b .engine-pkcs11
1005
%endif
1006
1007
mkdir lib/dns/tests/testdata/dstrandom
1008
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
1009
1010
%if %{with sdb_ldap}
1011
%patch101 -p1 -b .old-api
1012
mkdir bin/named-sdb
1013
cp -r bin/named/* bin/named-sdb
1014
%patch11 -p1 -b .sdbsrc
1015
# SDB ldap
1016
cp -fp contrib/sdb/ldap/ldapdb.[ch] bin/named-sdb
1017
# SDB postgreSQL
1018
cp -fp contrib/sdb/pgsql/pgsqldb.[ch] bin/named-sdb
1019
# SDB sqlite
1020
cp -fp contrib/sdb/sqlite/sqlitedb.[ch] bin/named-sdb
1021
# SDB Berkeley DB - needs to be ported to DB4!
1022
#cp -fp contrib/sdb/bdb/bdb.[ch] bin/named_sdb
1023
# SDB dir
1024
cp -fp contrib/sdb/dir/dirdb.[ch] bin/named-sdb
1025
# SDB tools
1026
mkdir -p bin/sdb_tools
1027
cp -fp %{SOURCE30} bin/sdb_tools/ldap2zone.c
1028
cp -fp %{SOURCE7} bin/sdb_tools/Makefile.in
1029
#cp -fp contrib/sdb/bdb/zone2bdb.c bin/sdb_tools
1030
cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools
1031
cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools/
1032
cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
1033
%patch301 -p1 -b .sdb
1034
%patch13 -p1 -b .fix_sdb_ldap
1035
%patch137 -p1 -b .strlcat_fix
439
%patch149 -p1 -b .kyua-pkcs11
1036 440
%endif
1037 441
1038
%patch133 -p1 -b .rh640538
1039
%patch134 -p1 -b .rh669163
1040
###
1041
1042
%if %{with sdb_mysql}
1043
mv mysql-bind contrib/sdb/mysql
1044
cp contrib/sdb/mysql/mysqldb.c bin/named
1045
cp contrib/sdb/mysql/mysqldb.h bin/named/include
442
# Sparc and s390 arches need to use -fPIE
443
%ifarch sparcv9 sparc64 s390 s390x
444
for i in bin/named/{,unix}/Makefile.in; do
445
  sed -i 's|fpie|fPIE|g' $i
446
done
1046 447
%endif
1047 448
1048
#install updated bind.keys file
1049
cp -f %{SOURCE14} bind.keys
1050
1051
cp %{SOURCE61} keygen.c
1052
cp %{SOURCE63} named.cache
1053
1054
mkdir -p caching-nameserver
1055
cp %{SOURCE100} caching-nameserver/bogon_acl.conf
1056
cp %{SOURCE101} caching-nameserver/hosts
1057
cp %{SOURCE102} caching-nameserver/localdomain.zone
1058
cp %{SOURCE103} caching-nameserver/localhost.zone
1059
cp %{SOURCE104} caching-nameserver/logging.conf
1060
cp %{SOURCE105} caching-nameserver/named.broadcast
1061
cp %{SOURCE106} caching-nameserver/named.conf
1062
cp %{SOURCE107} caching-nameserver/named.ip6.local
1063
cp %{SOURCE108} caching-nameserver/named.local
1064
cp %{SOURCE109} caching-nameserver/named.zero
1065
cp %{SOURCE111} caching-nameserver/rndc.key
1066
cp %{SOURCE112} caching-nameserver/trusted_networks_acl.conf
1067
cp %{SOURCE113} caching-nameserver/named.iscdlv.key
1068
1069
1070
# strip away annoying ^M
1071
find . -type f|xargs file|grep 'CRLF'|cut -d: -f1|xargs perl -p -i -e 's/\r//'
1072
find . -type f|xargs file|grep 'text'|cut -d: -f1|xargs perl -p -i -e 's/\r//'
449
sed -e 's|"$TOP/config.guess"|"$TOP_SRCDIR/config.guess"|' -i bin/tests/system/ifconfig.sh
450
:;
1073 451
1074
mkdir -p ../export-libs
1075
cp -rf * ../export-libs/
1076
mv -f ../export-libs ./
1077 452
1078 453
%build
1079
%serverbuild
1080
# it does not work with -fPIE and someone added that to the serverbuild macro...
1081
CFLAGS=`echo $CFLAGS|sed -e 's|-fPIE||g'`
1082
CXXFLAGS=`echo $CXXFLAGS|sed -e 's|-fPIE||g'`
1083
1084
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
454
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
455
%if %{with TSAN}
456
  CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
457
%endif
458
export CFLAGS
1085 459
export STD_CDEFINES="$CPPFLAGS"
1086 460
1087
echo RELEASEVER="-%{release}-ROSA" >> version
1088 461
1089
autoreconf -if
462
sed -i -e \
463
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RH/' \
464
version
1090 465
1091
# Workaround problems when both libjsoncpp-devel and libjson-c-devel are installed
1092
export CFLAGS="$CFLAGS -DHAVE_JSON_C=1"
466
libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
1093 467
1094
# backwards compatibility for contrib/
1095
export CFLAGS="$CFLAGS -DISC_TRUE=true -DISC_FALSE=false"
468
mkdir build
1096 469
1097
# Workaround missing <isc/atomic.h>
1098
pushd ./lib/isc/
1099
%ifarch %{ix86} %{x86_64} %{armx}
1100
ln -sr noatomic/include/isc/atomic.h include/isc/atomic.h
470
LIBDIR_SUFFIX=
471
export LIBDIR_SUFFIX
472
%configure \
473
  --with-python=%{__python3} \
474
  --with-libtool \
475
  --localstatedir=%{_var} \
476
  --with-pic \
477
  --disable-static \
478
  --includedir=%{_includedir}/bind9 \
479
  --with-tuning=large \
480
  --with-libidn2 \
481
%if %{with GEOIP2}
482
  --with-maxminddb \
1101 483
%endif
1102
popd
1103
1104
%if %{with DLZ}
1105
# DLZ modules do not support oot builds. Copy files into build
1106
mkdir -p build/contrib/dlz
1107
cp -frp contrib/dlz/modules build/contrib/dlz/modules
484
%if %{with PKCS11}
485
  --enable-native-pkcs11 \
486
  --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
1108 487
%endif
1109
1110
%configure \
1111
	--with-python=%{__python3} \
1112
	--localstatedir=%{_localstatedir} \
1113
	--enable-threads \
1114
	--enable-largefile \
1115
	--enable-ipv6 \
1116
	--enable-filter-aaaa \
1117
	--enable-epoll \
1118
	--with-openssl=%{_prefix} \
1119
%if %{with gssapi}
1120
	--with-gssapi=%{_prefix} \
1121
	--disable-isc-spnego \
488
  --with-dlopen=yes \
489
%if %{with GSSTSIG}
490
  --with-gssapi=yes \
1122 491
%endif
1123
	--with-randomdev=/dev/random \
1124
	--with-libxml2=yes \
1125
%if %{with SDB}
1126
	--with-dlopen=yes \
1127
	--with-dlz-ldap=yes \
1128
	--with-dlz-postgres=yes \
1129
	--with-dlz-mysql=yes \
1130
	--with-dlz-filesystem=yes \
492
%if %{with LMDB}
493
  --with-lmdb=yes \
494
%else
495
  --with-lmdb=no \
1131 496
%endif
1132
	--with-dlz-odbc=no \
1133
	--with-dlz-bdb=no \
1134
	--with-lmdb=no \
1135
	--with-dlz-stub=yes \
1136
	--enable-fixed-rrset \
1137
	--with-geoip \
1138
	--with-gost=no \
1139
	--with-pic \
1140
	--disable-static \
1141
	--with-libidn2 \
1142
	--with-libtool \
1143
	--with-tuning=large \
1144
	--includedir=%{_includedir}/bind9 \
1145
%if %{with pkcs11}
1146
	--with-pkcs11=%{_libdir}/softhsm/libsofthsm2.so \
1147
	--enable-native-pkcs11 \
497
%if %{with JSON}
498
  --without-libjson --with-json-c \
1148 499
%endif
1149
	--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets-%{docbook_style_xsl_ver} \
1150
	--enable-full-report
1151
1152
%make
1153
1154
### xsltproc doesn't find properly configured files
1155
### and use ones from source tree
1156
### copy generated files to the original location
1157
#cp -rv doc/* ../doc/
1158
1159
%if %{with sdb_mysql}
1160
pushd contrib/sdb/mysql
1161
gcc $CFLAGS -I%{_includedir}/mysql -I../../../lib/dns/include -I../../../lib/dns/sec/dst/include \
1162
	-I../../../lib/isc/include -I../../../lib/isc/unix/include -I../../../lib/isc/pthreads/include \
1163
	-lkrb5 -lgssapi_krb -c zonetodb.c
1164
gcc $CFLAGS $LDFLAGS -o zonetodb-mysql zonetodb.o \
1165
	../../../lib/dns/.libs/libdns.so -lcrypto -lpthread ../../../lib/isc/.libs/libisc.so \
1166
	-lmysqlclient -lresolv %{?_with_gssapi:`krb5-config --libs gssapi`} -lxml2 -lGeoIP -lkrb5 -lgssapi_krb5 -ljson-c
1167
popd
500
%if %{with DNSTAP}
501
  --enable-dnstap \
502
%endif
503
%if %{with UNITTEST}
504
  --with-cmocka \
505
%endif
506
  --enable-fixed-rrset \
507
  --enable-full-report \
508
;
509
510
%if %{with DOCPDF}
511
# avoid using home for pdf latex files
512
export TEXMFVAR="`pwd`"
513
export TEXMFCONFIG="`pwd`"
514
fmtutil-user --listcfg || :
515
fmtutil-user --missing || :
1168 516
%endif
1169 517
1170
# the same for PostgreSQL
1171
pushd contrib/sdb/pgsql
1172
gcc $CFLAGS -I%{_includedir}/pgsql -I../../../lib/dns/include -I../../../lib/dns/sec/dst/include \
1173
	-I../../../lib/isc/include -I../../../lib/isc/unix/include -I../../../lib/isc/pthreads/include \
1174
	-lkrb5 -lgssapi_krb -c zonetodb.c
1175
gcc $CFLAGS $LDFLAGS -o zonetodb-pgsql zonetodb.o \
1176
	../../../lib/dns/.libs/libdns.so -lcrypto -lpthread ../../../lib/isc/.libs/libisc.so \
1177
	-lpq -lresolv %{?_with_gssapi:`krb5-config --libs gssapi`} -lxml2 -lGeoIP -lkrb5 -lgssapi_krb5 -ljson-c
1178
popd
1179
1180
gcc $CFLAGS -o dns-keygen keygen.c
518
%make_build
1181 519
1182 520
# Regenerate dig.1 manpage
1183 521
pushd bin/dig
... ... @@ -1187,260 +525,583 @@ pushd bin/python
525 525
make man
526 526
popd
527 527
528
%if %{with DOC}
529
  make doc
530
%endif
531
528 532
%if %{with DLZ}
529 533
  pushd contrib/dlz/modules
534
  for DIR in mysql mysqldyn; do
535
    sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
536
        -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
537
        $DIR/Makefile.in > $DIR/Makefile
538
  done
530 539
  for DIR in filesystem ldap mysql mysqldyn sqlite3; do
531 540
    make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
532 541
  done
533 542
  popd
534 543
%endif
535 544
536
## Create export libs ##
537
pushd export-libs
538
cp isc-config.sh.1 isc-export-config.sh.1
539
export LIBDIR_SUFFIX=/bind9-export/
540
## minimal subset of options to make clients aka dhcp working
541
%configure \
542
	--with-libtool \
543
	--with-cmocka \
544
	--disable-static \
545
	--disable-epoll \
546
	--disable-kqueue \
547
	--libdir=%{_libdir}/bind9-export \
548
	--includedir=%{_includedir}/bind9-export \
549
	--disable-threads \
550
	--enable-openssl-hash \
551
%if %{with gssapi}
552
	--with-gssapi=%{_prefix} \
553
	--disable-isc-spnego \
545
%check
546
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
547
  # Tests require initialization of pkcs11 token
548
  eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
554 549
%endif
555
	--enable-fixed-rrset \
556
	--disable-rpz-nsip \
557
	--disable-rpz-nsdname \
558
	--with-gost=no \
559
	--without-lmdb \
560
	--without-libxml2 \
561
	--without-libjson \
562
	--without-zlib \
563
	--without-dlopen \
564
	--enable-full-report
565
566
mv isc-config.sh isc-export-config.sh
567
568
sed -i \
569
-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
570
-e 's/isc-config.sh/isc-export-config.sh/g' \
571
-e 's/bind9-config/bind9-export-config/g' \
572
Makefile
573 550
574
sed -i -e \
575
"/^SUBDIRS =/s/.*/SUBDIRS = isc dns isccfg irs/i" \
576
lib/Makefile
551
%if %{with TSAN}
552
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
553
%endif
577 554
578
#sed -i -e \
579
#'/^SUBDIRS =/s/atf-src//i' \
580
#unit/Makefile
555
%if %{with UNITTEST}
556
  pushd build
557
  CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
558
  if [ "$CPUS" -gt 16 ]; then
559
    ORIGFILES=$(ulimit -n)
560
    ulimit -n 4096 || : # Requires on some machines with many cores
561
  fi
562
  make unit
563
  e=$?
564
  if [ "$e" -ne 0 ]; then
565
    echo "ERROR: this build of BIND failed 'make unit'. Aborting."
566
    exit $e;
567
  fi;
568
  [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
569
  popd
570
## End of UNITTEST
571
%endif
581 572
582
for lib in isc dns isccfg irs
583
do
584
	find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
585
	sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \
586
		-e "s/lib${lib}\./lib${lib}-export\./g" \
587
		-i isc-export-config.sh
588
done;
573
%if %{with SYSTEMTEST}
574
# Runs system test if ip addresses are already configured
575
# or it is able to configure them
576
if perl bin/tests/system/testsock.pl
577
then
578
  CONFIGURED=already
579
else
580
  CONFIGURED=
581
  sh bin/tests/system/ifconfig.sh up
582
  perl bin/tests/system/testsock.pl && CONFIGURED=build
583
fi
584
if [ -n "$CONFIGURED" ]
585
then
586
  set -e
587
  pushd bin/tests
588
  chown -R ${USER} . # Can be unknown user
589
  %make_build test 2>&1 | tee test.log
590
  e=$?
591
  popd
592
  [ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
593
  if [ "$e" -ne 0 ]; then
594
    echo "ERROR: this build of BIND failed 'make test'. Aborting."
595
    exit $e;
596
  fi;
597
else
598
  echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.'
599
fi
600
%endif
601
:
589 602
590
%make
591
# Do not try pkcs11 and lwres in export libs
592
sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d'  -e '/^\s*include(.*isccc/ d' \
593
	-i lib/Kyuafile
603
%install
604
# Build directory hierarchy
605
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
606
mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/{bind,named}
607
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic}
608
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
609
mkdir -p ${RPM_BUILD_ROOT}/run/named
610
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log
594 611
595
#sh unit/unittest.sh
612
#chroot
613
for D in %{chroot_create_directories}
614
do
615
  mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D}
616
done
596 617
618
# create symlink as it is on real filesystem
619
pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
620
ln -s ../run run
597 621
popd
598
## End of export libs
599 622
600
#%%check
601
## run the test suite
602
#make check
623
# these are required to prevent them being erased during upgrade of previous
624
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf
625
#end chroot
626
627
%make_install
603 628
604
%install
629
# Remove unwanted files
630
rm -f ${RPM_BUILD_ROOT}/etc/bind.keys
631
632
# Systemd unit files
633
mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
634
install -m 644 %{SOURCE37} ${RPM_BUILD_ROOT}%{_unitdir}
635
install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
636
install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
637
install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
638
639
%if %{with PKCS11}
640
install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
641
%else
642
# Not packaged without PKCS11
643
find ${RPM_BUILD_ROOT}%{_includedir}/bind9/pk11 ${RPM_BUILD_ROOT}%{_includedir}/bind9/pkcs11 \
644
  -name '*.h' \! -name site.h -delete
605 645
606
# make some directories
607
install -d %{buildroot}%{_initrddir}
608
install -d %{buildroot}%{_sysconfdir}/sysconfig
609
install -d %{buildroot}%{_sysconfdir}/rwtab.d
610
install -d %{buildroot}%{_sysusersdir}
611
install -d %{buildroot}%{_tmpfilesdir}
612
613
# From "Hide configuration"
614
install -d %{buildroot}%{_sysconfdir}/logrotate.d
615
install -d %{buildroot}%{_sysconfdir}/crypto-policies/back-ends
616
install -d %{buildroot}%{_localstatedir}/named/{slaves,data,dynamic}
617
install -d %{buildroot}%{_localstatedir}/log
618
# Ghost config files:
619
touch %{buildroot}%{_localstatedir}/log/named.log
620
touch %{buildroot}%{_sysconfdir}/rndc.conf
621
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/named
622
623
install -m0640 %{SOURCE106} %{buildroot}%{_sysconfdir}/named.conf
624
install -m0644 %{SOURCE90} %{buildroot}%{_sysusersdir}/named.conf
625
install -m0644 %{SOURCE91} %{buildroot}%{_tmpfilesdir}/named.conf
626
627
install -m0644 %{SOURCE43} %{buildroot}%{_sysconfdir}/rwtab.d/named
628
629
%makeinstall_std
630
631
ln -snf named %{buildroot}%{_sbindir}/lwresd
632
633
#mkdir -p %{buildroot}%{_libexecdir}
634
install -m 755 %{SOURCE42} %{buildroot}%{_sbindir}/generate-rndc-key
635
install -m 755 %{SOURCE41} %{buildroot}%{_sbindir}/setup-named-chroot.sh
636
637
mkdir -p %{buildroot}%{_unitdir}
638
install -m0644 %{SOURCE46} %{buildroot}%{_unitdir}/named-setup-rndc.service
639
install -m0644 %{SOURCE58} %{buildroot}%{_unitdir}/named.service
640
install -m0644 %{SOURCE38} %{buildroot}%{_unitdir}/named-chroot.service
641
install -m0644 %{SOURCE59} %{buildroot}%{_unitdir}/named-chroot-setup.service
642
install -m0644 %{SOURCE39} %{buildroot}%{_unitdir}/named-sdb.service
643
install -m0644 %{SOURCE40} %{buildroot}%{_unitdir}/named-sdb-chroot.service
644
install -m0644 %{SOURCE45} %{buildroot}%{_unitdir}/named-sdb-chroot-setup.service
645
%if %{with pkcs11}
646
install -m0644 %{SOURCE47} %{buildroot}%{_unitdir}
647
install -m0755 %{SOURCE48} %{buildroot}%{_sbindir}/setup-named-softhsm
648 646
%endif
649
install -m0644 %{SOURCE60} %{buildroot}%{_sysconfdir}/sysconfig/named
650
#cat %{SOURCE62} | sed -e 's,@openssl_shlib_ver@,%{openssl_shlib_ver},g' > %{buildroot}%{_sysconfdir}/sysconfig/named-chroot-setup
651
cat %{SOURCE49} | sed -e 's,@openssl_shlib_ver@,%{openssl_shlib_ver},g' > %{buildroot}%{_sysconfdir}/named-chroot.files
652
#install -m 644 %{SOURCE49} %{buildroot}%{_sysconfdir}/named-chroot.files
653
#install -m0755 %{SOURCE57} %{buildroot}%{_sbindir}
654
655
%if %{with sdb_mysql}
656
install -m0755 contrib/sdb/mysql/zonetodb-mysql %{buildroot}%{_sbindir}/zonetodb-mysql
657
cp contrib/sdb/mysql/ChangeLog contrib/sdb/mysql/ChangeLog.mysql
658
cp contrib/sdb/mysql/README contrib/sdb/mysql/README.mysql
647
648
mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
649
install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
650
install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
651
652
%if %{with PKCS11}
653
install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
659 654
%endif
660
install -m0755 contrib/sdb/pgsql/zonetodb-pgsql %{buildroot}%{_sbindir}/zonetodb-pgsql
655
656
install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
657
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
658
install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
659
install -m 644 %{SOURCE49} ${RPM_BUILD_ROOT}%{_sysconfdir}/named-chroot.files
661 660
662 661
%if %{with DLZ}
663
  pushd build/contrib/dlz/modules
664
  for DIR in filesystem ldap sqlite3; do
665
    make -C $DIR DESTDIR="%{buildroot}" libdir=%{_libdir}/bind install
666
  done
667
  popd
668 662
  pushd contrib/dlz/modules
669
  for DIR in mysql mysqldyn; do
670
    make -C $DIR DESTDIR="%{buildroot}" libdir=%{_libdir}/bind install
663
  for DIR in filesystem ldap mysql mysqldyn sqlite3; do
664
    %make_install -C $DIR libdir=%{_libdir}/named
671 665
  done
666
  pushd ${RPM_BUILD_ROOT}/%{_libdir}/bind
667
    cp -s ../named/dlz_*.so .
668
  popd
669
  mkdir -p doc/{mysql,mysqldyn}
670
  cp -p mysqldyn/testing/README doc/mysqldyn/README.testing
671
  cp -p mysqldyn/testing/* doc/mysqldyn
672
  cp -p mysql/testing/* doc/mysql
672 673
  popd
673 674
%endif
674 675
675
install -m0755 dns-keygen %{buildroot}%{_sbindir}/dns-keygen
676
677
678
679
install -m 640 %{SOURCE111} %{buildroot}%{_sysconfdir}/rndc.key
680
install -m 640 %{SOURCE113} %{buildroot}%{_sysconfdir}/
681
682
install -m 644 %{SOURCE114} %{buildroot}%{_sysconfdir}/
683
install -m 644 %{SOURCE115} %{buildroot}%{_sysconfdir}/
684
install -m 644 %{SOURCE36} %{buildroot}%{_sysconfdir}/
685
mkdir -p %{buildroot}%{_sysconfdir}/named
686
687
mkdir -p %{buildroot}%{_localstatedir}/named/{data,dynamic,slaves}
688
mkdir -p %{buildroot}%{_localstatedir}/log
689
install -m 644 %{SOURCE116} %{buildroot}%{_localstatedir}/named/
690
install -m 644 %{SOURCE117} %{buildroot}%{_localstatedir}/named/
691
install -m 644 %{SOURCE118} %{buildroot}%{_localstatedir}/named/
692
install -m 644 %{SOURCE119} %{buildroot}%{_localstatedir}/named/named.ca
693
694
# pkcs11 versions manpages
695
%if %{with pkcs11}
696
pushd %{buildroot}%{_mandir}/man8
697
ln -s named.8.xz named-pkcs11.8.xz
698
ln -s dnssec-checkds.8.xz dnssec-checkds-pkcs11.8.xz
699
ln -s dnssec-dsfromkey.8.xz dnssec-dsfromkey-pkcs11.8.xz
700
ln -s dnssec-importkey.8.xz dnssec-importkey-pkcs11.8.xz
701
ln -s dnssec-keyfromlabel.8.xz dnssec-keyfromlabel-pkcs11.8.xz
702
ln -s dnssec-keygen.8.xz dnssec-keygen-pkcs11.8.xz
703
ln -s dnssec-revoke.8.xz dnssec-revoke-pkcs11.8.xz
704
ln -s dnssec-settime.8.xz dnssec-settime-pkcs11.8.xz
705
ln -s dnssec-signzone.8.xz dnssec-signzone-pkcs11.8.xz
706
ln -s dnssec-verify.8.xz dnssec-verify-pkcs11.8.xz
707
ln -s dnssec-coverage.8.xz dnssec-coverage-pkcs11.8.xz
676
# Install isc/errno2result.h header
677
install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc
678
679
# Remove libtool .la files:
680
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
681
682
# PKCS11 versions manpages
683
%if %{with PKCS11}
684
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
685
ln -s named.8.gz named-pkcs11.8.gz
686
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
687
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
688
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
689
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
690
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
691
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
692
ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
693
ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
694
ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
708 695
popd
709 696
%endif
710 697
711
# Files required to run test-suite outside of build tree:
712
cp -fp config.h %{buildroot}%{_includedir}/bind9
698
# 9.16.4 installs even manual pages for tools not generated
699
%if %{without DNSTAP}
700
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
701
%endif
702
%if %{without LMDB}
703
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man8/named-nzd2nzf.8* || true
704
%endif
713 705
714
pushd export-libs
715
%make DESTDIR=%{buildroot} install
716
mkdir -p %{buildroot}%{_sysconfdir}/ld.so.conf.d
717
echo "%{_libdir}/bind9-export/" > %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-export-%{_arch}.conf
718
cp -fp config.h %{buildroot}%{_includedir}/bind9-export/
719
rm -rf %{buildroot}%{_includedir}/bind9-export/pkcs11/
720
rm -f %{buildroot}%{_includedir}/bind9-export/pk11/{constants,internal,pk11,result}.h
706
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
707
ln -s ddns-confgen.8.gz tsig-keygen.8.gz
708
ln -s named-checkzone.8.gz named-compilezone.8.gz
721 709
popd
722 710
723
# Install isc/errno2result.h header
724
install -m0644 lib/isc/unix/errno2result.h %{buildroot}%{_includedir}/bind9/isc
725
726
echo "; Use \"dig @A.ROOT-SERVERS.NET . ns\" to update this file if it's outdated." > named.cache.tmp
727
cat named.cache >> named.cache.tmp
728
729
# fix man pages
730
install -m0644 man5/resolver.5 %{buildroot}%{_mandir}/man5/
731
ln -s resolver.5 %{buildroot}%{_mandir}/man5/resolv.5
732
733
# SDB manpages
734
%if %{with SDB}
735
mkdir -p %{buildroot}%{_mandir}/man1/
736
install -m 644 %{SOURCE31} %{buildroot}%{_mandir}/man1/ldap2zone.1
737
install -m 644 %{SOURCE32} %{buildroot}%{_mandir}/man8/named-sdb.8
738
install -m 644 %{SOURCE33} ${RPM_BUILD_ROOT}%{_mandir}/man1/zonetodb.1
739
cat %{SOURCE33} | sed -e 's,PostgreSQL,MySQL,g' -e 's,zonetodb ,zonetodb-mysql ,g' > %{buildroot}%{_mandir}/man1/zonetodb-mysql.1
740
cat %{SOURCE33} | sed -e 's,zonetodb ,zonetodb-pgsql ,g' > %{buildroot}%{_mandir}/man1/zonetodb-pgsql.1
741
install -m 644 %{SOURCE34} %{buildroot}%{_mandir}/man1/zone2sqlite.1
742
mkdir -p %{buildroot}/etc/openldap/schema
743
install -m 644 %{SOURCE12} contrib/sdb/pgsql/
744
745
# relocate most utils to /usr/bin from /usr/sbin
746
for i in zonetodb ldap2zone zone2ldap zone2sqlite zonetodb-mysql zonetodb-pgsql ; do
747
mv -v %{buildroot}%{_sbindir}/$i %{buildroot}%{_bindir}/ ; done
748
rm -f %{buildroot}%{_sbindir}/zonetodb
749
install -m0755 %{SOURCE13} %{buildroot}%{_bindir}/zonetodb
711
%if %{with DOC}
712
mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
713
cp -a doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
714
rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
715
# Backward compatible link to 9.11 documentation
716
(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
717
# Share static data from original sphinx package
718
for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
719
do
720
  BASE=$(basename -- "$DIR")
721
  BINDTHEMEDIR="${RPM_BUILD_ROOT}%{_pkgdocdir}/html/_static/$BASE"
722
  if [ -d "$BINDTHEMEDIR" ]; then
723
    rm -rf "$BINDTHEMEDIR"
724
    ln -s "$DIR" "$BINDTHEMEDIR"
725
  fi
726
done
727
%endif
728
%if %{with DOCPDF}
729
cp -a doc/arm/Bv9ARM.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
750 730
%endif
751 731
752
rm -rf doc/html
753
install -d doc/html
754
for i in `find . -type f |grep .html |sed -e 's#\/%{name}-%{version}##'|grep -v contrib`; do cp -f $i doc/html/; done
732
# Ghost config files:
733
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
734
735
# configuration files:
736
install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
737
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
738
install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
739
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
740
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
741
742
# data files:
743
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
744
install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
745
install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
746
install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
747
install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
748
install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
749
750
# sample bind configuration files for %%doc:
751
mkdir -p sample/etc sample/var/named/{data,slaves}
752
install -m 644 %{SOURCE25} sample/etc/named.conf
753
# Copy default configuration to %%doc to make it usable from system-config-bind
754
install -m 644 %{SOURCE16} named.conf.default
755
install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
756
install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20}  sample/var/named
757
install -m 644 %{SOURCE17} sample/var/named/named.ca
758
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do 
759
  echo '@ in soa localhost. root 1 3H 15M 1W 1D
760
  ns localhost.' > sample/var/named/$f; 
761
done
762
:;
755 763
756
# this is just sick...
757
touch %{buildroot}%{_sysconfdir}/crypto-policies/back-ends/bind.config
764
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
765
install -m 644 %{SOURCE35} ${RPM_BUILD_ROOT}%{_tmpfilesdir}/named.conf
758 766
759
#chroot
760
for D in %{chroot_create_directories}
761
do
762
  mkdir -p %{buildroot}/%{chroot_prefix}${D}
763
done
764
# create symlink as it is on real filesystem
765
pushd %{buildroot}/%{chroot_prefix}/var
766
ln -s ../run run
767
popd
768
# these are required to prevent them being erased during upgrade of previous
769
touch %{buildroot}/%{chroot_prefix}/%{_sysconfdir}/named.conf
770
#end chroot
767
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d
768
install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
771 769
772
%if %{with SDB}
773
for D in %{chroot_create_directories}
774
do
775
  mkdir -p %{buildroot}/%{chroot_sdb_prefix}${D}
776
done
777
# create symlink as it is on real filesystem
778
pushd %{buildroot}/%{chroot_sdb_prefix}/var
779
ln -s ../run run
780
popd
770
%pre
771
if [ "$1" -eq 1 ]; then
772
  /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
773
  /usr/sbin/useradd  -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
774
fi;
775
:;
781 776
782
# these are required to prevent them being erased during upgrade of previous
783
touch %{buildroot}/%{chroot_sdb_prefix}%{_sysconfdir}/named.conf
777
%post
778
%?ldconfig
779
if [ -e "%{_sysconfdir}/selinux/config" ]; then
780
  %selinux_set_booleans -s targeted %{selinuxbooleans}
781
  %selinux_set_booleans -s mls %{selinuxbooleans}
782
fi
783
if [ "$1" -eq 1 ]; then
784
  # Initial installation
785
  [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
786
  # rndc.key has to have correct perms and ownership, CVE-2007-6283
787
  [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
788
  [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
789
else
790
  # Upgrade, use invalid shell
791
  if getent passwd named | grep ':/bin/false$' >/dev/null; then
792
    /sbin/usermod -s /sbin/nologin named
793
  fi
794
  # Checkconf will parse out comments
795
  if /usr/sbin/named-checkconf -p /etc/named.conf 2>/dev/null | grep -q named.iscdlv.key
796
  then
797
    echo "Replacing obsolete named.iscdlv.key with named.root.key..."
798
    if cp -Rf --preserve=all --remove-destination /etc/named.conf /etc/named.conf.rpmbackup; then
799
      sed -e 's/named\.iscdlv\.key/named.root.key/' \
800
        /etc/named.conf.rpmbackup > /etc/named.conf || \
801
      mv /etc/named.conf.rpmbackup /etc/named.conf
802
    fi
803
  fi
804
fi
805
%systemd_post named.service
806
:;
807
808
%preun
809
# Package removal, not upgrade
810
%systemd_preun named.service
811
812
%postun
813
%?ldconfig
814
# Package upgrade, not uninstall
815
%systemd_postun_with_restart named.service
816
if [ -e "%{_sysconfdir}/selinux/config" ]; then
817
  %selinux_unset_booleans -s targeted %{selinuxbooleans}
818
  %selinux_unset_booleans -s mls %{selinuxbooleans}
819
fi
820
821
%if %{with PKCS11}
822
%post pkcs11
823
# Initial installation
824
%systemd_post named-pkcs11.service
825
826
%preun pkcs11
827
# Package removal, not upgrade
828
%systemd_preun named-pkcs11.service
829
830
%postun pkcs11
831
# Package upgrade, not uninstall
832
%systemd_postun_with_restart named-pkcs11.service
833
%endif
834
835
# Fix permissions on existing device files on upgrade
836
%define chroot_fix_devices() \
837
if [ $1 -gt 1 ]; then \
838
  for DEV in "%{1}/dev"/{null,random,zero}; do \
839
    if [ -e "$DEV" -a "$(/bin/stat --printf="%G %a" "$DEV")" = "root 644" ]; \
840
    then \
841
      /bin/chmod 0664 "$DEV" \
842
      /bin/chgrp named "$DEV" \
843
    fi \
844
  done \
845
fi
846
847
%ldconfig_scriptlets libs
848
849
%if %{with PKCS11}
850
%ldconfig_scriptlets pkcs11-libs
851
%endif
852
853
%post chroot
854
%systemd_post named-chroot.service
855
%chroot_fix_devices %{chroot_prefix}
856
:;
857
858
%posttrans chroot
859
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
860
  [ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;
861
fi;
862
863
%preun chroot
864
# wait for stop of both named-chroot and named-chroot-setup services
865
# on uninstall
866
%systemd_preun named-chroot.service named-chroot-setup.service
867
:;
868
869
%postun chroot
870
# Package upgrade, not uninstall
871
%systemd_postun_with_restart named-chroot.service
872
873
874
%files
875
# TODO: Move from lib/bind to lib/named, as used by upstream
876
%dir %{_libdir}/bind
877
%dir %{_libdir}/named
878
%{_libdir}/named/*.so
879
%exclude %{_libdir}/named/dlz_*.so
880
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
881
%config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
882
%config(noreplace) %{_sysconfdir}/logrotate.d/named
883
%{_tmpfilesdir}/named.conf
884
%{_sysconfdir}/rwtab.d/named
885
%{_unitdir}/named.service
886
%{_unitdir}/named-setup-rndc.service
887
%{_sbindir}/named-journalprint
888
%{_sbindir}/named-checkconf
889
%{_bindir}/named-rrchecker
890
%{_bindir}/mdig
891
%{_sbindir}/named
892
%{_sbindir}/rndc*
893
%{_libexecdir}/generate-rndc-key.sh
894
%{_mandir}/man1/mdig.1*
895
%{_mandir}/man1/named-rrchecker.1*
896
%{_mandir}/man5/named.conf.5*
897
%{_mandir}/man5/rndc.conf.5*
898
%{_mandir}/man8/rndc.8*
899
%{_mandir}/man8/named.8*
900
%{_mandir}/man8/named-checkconf.8*
901
%{_mandir}/man8/rndc-confgen.8*
902
%{_mandir}/man8/named-journalprint.8*
903
%{_mandir}/man8/filter-aaaa.8*
904
%doc CHANGES README named.conf.default
905
%doc sample/
906
907
# Hide configuration
908
%defattr(0640,root,named,0750)
909
%dir %{_sysconfdir}/named
910
%config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
911
%config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
912
%defattr(0660,root,named,01770)
913
%dir %{_localstatedir}/named
914
%defattr(0660,named,named,0770)
915
%dir %{_localstatedir}/named/slaves
916
%dir %{_localstatedir}/named/data
917
%dir %{_localstatedir}/named/dynamic
918
%ghost %{_localstatedir}/log/named.log
919
%defattr(0640,root,named,0750)
920
%config %verify(not link) %{_localstatedir}/named/named.ca
921
%config %verify(not link) %{_localstatedir}/named/named.localhost
922
%config %verify(not link) %{_localstatedir}/named/named.loopback
923
%config %verify(not link) %{_localstatedir}/named/named.empty
924
%ghost %config(noreplace) %{_sysconfdir}/rndc.key
925
# ^- rndc.key now created on first install only if it does not exist
926
%ghost %config(noreplace) %{_sysconfdir}/rndc.conf
927
# ^- The default rndc.conf which uses rndc.key is in named's default internal config -
928
#    so rndc.conf is not necessary.
929
%defattr(-,named,named,-)
930
%dir /run/named
931
932
%files libs
933
%{_libdir}/libbind9-%{version}*.so
934
%{_libdir}/libisccc-%{version}*.so
935
%{_libdir}/libns-%{version}*.so
936
%{_libdir}/libdns-%{version}*.so
937
%{_libdir}/libirs-%{version}*.so
938
%{_libdir}/libisc-%{version}*.so
939
%{_libdir}/libisccfg-%{version}*.so
940
941
%files license
942
%{!?_licensedir:%global license %%doc}
943
%license COPYRIGHT
944
945
%files utils
946
%{_bindir}/dig
947
%{_bindir}/delv
948
%{_bindir}/host
949
%{_bindir}/nslookup
950
%{_bindir}/nsupdate
951
%{_bindir}/arpaname
952
%{_sbindir}/ddns-confgen
953
%{_sbindir}/tsig-keygen
954
%{_sbindir}/nsec3hash
955
%{_sbindir}/named-checkzone
956
%{_sbindir}/named-compilezone
957
%if %{with DNSTAP}
958
%{_bindir}/dnstap-read
959
%{_mandir}/man1/dnstap-read.1*
960
%endif
961
%if %{with LMDB}
962
%{_sbindir}/named-nzd2nzf
963
%{_mandir}/man8/named-nzd2nzf.8*
964
%endif
965
%{_mandir}/man1/host.1*
966
%{_mandir}/man1/nsupdate.1*
967
%{_mandir}/man1/dig.1*
968
%{_mandir}/man1/delv.1*
969
%{_mandir}/man1/nslookup.1*
970
%{_mandir}/man1/arpaname.1*
971
%{_mandir}/man8/ddns-confgen.8*
972
%{_mandir}/man8/tsig-keygen.8*
973
%{_mandir}/man8/nsec3hash.8*
974
%{_mandir}/man8/named-checkzone.8*
975
%{_mandir}/man8/named-compilezone.8*
976
%{_sysconfdir}/trusted-key.key
977
978
%files dnssec-utils
979
%{_sbindir}/dnssec*
980
%if %{with PKCS11}
981
%exclude %{_sbindir}/dnssec*pkcs11
982
%endif
983
984
%files dnssec-doc
985
%{_mandir}/man8/dnssec*.8*
986
%if %{with PKCS11}
987
%exclude %{_mandir}/man8/dnssec*-pkcs11.8*
988
%endif
989
990
%files devel
991
%{_libdir}/libbind9.so
992
%{_libdir}/libisccc.so
993
%{_libdir}/libns.so
994
%{_libdir}/libdns.so
995
%{_libdir}/libirs.so
996
%{_libdir}/libisc.so
997
%{_libdir}/libisccfg.so
998
%dir %{_includedir}/bind9
999
%{_includedir}/bind9/bind9
1000
%{_includedir}/bind9/isccc
1001
%{_includedir}/bind9/ns
1002
%{_includedir}/bind9/dns
1003
%{_includedir}/bind9/dst
1004
%{_includedir}/bind9/irs
1005
%{_includedir}/bind9/isc
1006
%dir %{_includedir}/bind9/pk11
1007
%{_includedir}/bind9/pk11/site.h
1008
%{_includedir}/bind9/isccfg
1009
1010
%files chroot
1011
%config(noreplace) %{_sysconfdir}/named-chroot.files
1012
%{_unitdir}/named-chroot.service
1013
%{_unitdir}/named-chroot-setup.service
1014
%{_libexecdir}/setup-named-chroot.sh
1015
%defattr(0664,root,named,-)
1016
%ghost %dev(c,1,3) %verify(not mtime) %{chroot_prefix}/dev/null
1017
%ghost %dev(c,1,8) %verify(not mtime) %{chroot_prefix}/dev/random
1018
%ghost %dev(c,1,9) %verify(not mtime) %{chroot_prefix}/dev/urandom
1019
%ghost %dev(c,1,5) %verify(not mtime) %{chroot_prefix}/dev/zero
1020
%defattr(0640,root,named,0750)
1021
%dir %{chroot_prefix}
1022
%dir %{chroot_prefix}/dev
1023
%dir %{chroot_prefix}%{_sysconfdir}
1024
%dir %{chroot_prefix}%{_sysconfdir}/named
1025
%dir %{chroot_prefix}%{_sysconfdir}/pki
1026
%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
1027
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
1028
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
1029
%dir %{chroot_prefix}%{_localstatedir}
1030
%dir %{chroot_prefix}/run
1031
%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
1032
%defattr(-,root,root,-)
1033
%dir %{chroot_prefix}/usr
1034
%dir %{chroot_prefix}/%{_libdir}
1035
%dir %{chroot_prefix}/%{_libdir}/bind
1036
%dir %{chroot_prefix}/%{_datadir}/GeoIP
1037
%{chroot_prefix}/proc
1038
%defattr(0660,root,named,01770)
1039
%dir %{chroot_prefix}%{_localstatedir}/named
1040
%defattr(0660,named,named,0770)
1041
%dir %{chroot_prefix}%{_localstatedir}/tmp
1042
%dir %{chroot_prefix}%{_localstatedir}/log
1043
%defattr(-,named,named,-)
1044
%dir %{chroot_prefix}/run/named
1045
%{chroot_prefix}%{_localstatedir}/run
1046
1047
%if %{with PKCS11}
1048
%files pkcs11
1049
%{_sbindir}/named-pkcs11
1050
%{_unitdir}/named-pkcs11.service
1051
%{_mandir}/man8/named-pkcs11.8*
1052
%{_libexecdir}/setup-named-softhsm.sh
1053
1054
%files pkcs11-utils
1055
%{_sbindir}/dnssec*pkcs11
1056
%{_sbindir}/pkcs11-destroy
1057
%{_sbindir}/pkcs11-keygen
1058
%{_sbindir}/pkcs11-list
1059
%{_sbindir}/pkcs11-tokens
1060
%{_mandir}/man8/pkcs11*.8*
1061
%{_mandir}/man8/dnssec*-pkcs11.8*
1062
1063
%files pkcs11-libs
1064
%{_libdir}/libdns-pkcs11-%{version}*.so
1065
%{_libdir}/libns-pkcs11-%{version}*.so
1066
1067
%files pkcs11-devel
1068
%{_includedir}/bind9/pk11/*.h
1069
%exclude %{_includedir}/bind9/pk11/site.h
1070
%{_includedir}/bind9/pkcs11
1071
%{_libdir}/libdns-pkcs11.so
1072
%{_libdir}/libns-pkcs11.so
1073
%endif
1074
1075
%if %{with DLZ}
1076
%files dlz-filesystem
1077
%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
1078
1079
%files dlz-mysql
1080
%{_libdir}/{named,bind}/dlz_mysql_dynamic.so
1081
%doc contrib/dlz/modules/doc/mysql
1082
%{_libdir}/{named,bind}/dlz_mysqldyn_mod.so
1083
%doc contrib/dlz/modules/doc/mysqldyn
1084
1085
%files dlz-ldap
1086
%{_libdir}/{named,bind}/dlz_ldap_dynamic.so
1087
%doc contrib/dlz/modules/ldap/testing/*
1088
1089
%files dlz-sqlite3
1090
%{_libdir}/{named,bind}/dlz_sqlite3_dynamic.so
1091
%doc contrib/dlz/modules/sqlite3/testing/*
1092
1093
%endif
1094
1095
%files -n python3-bind
1096
%{python3_sitelib}/*.egg-info
1097
%{python3_sitelib}/isc/
1098
1099
%if %{with DOC}
1100
%files doc
1101
%dir %{_pkgdocdir}
1102
%doc %{_pkgdocdir}/Bv9ARM.html
1103
%doc %{_pkgdocdir}/html
1104
%endif
1105
%if %{with DOCPDF}
1106
%doc %{_pkgdocdir}/Bv9ARM.pdf
784 1107
%endif
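Review bot: in `%post`, the CVE-2007-6283 fix-up (`chown root:named /etc/rndc.key` and `chmod 0640 /etc/rndc.key`) sits only inside the `[ "$1" -eq 1 ]` initial-install branch, where the `%ghost` key may not exist yet, and is skipped in the `else` upgrade branch, so an existing key with loose ownership or mode is left as it is. Moving the two `[ -e /etc/rndc.key ] && ...` lines below the closing `fi` would apply them on upgrade as well. Separately, `%pre` redirects `groupadd`/`useradd` output to /dev/null and ends each command with `|| :`, so a failed account creation passes silently even though `%files` depends on `named` ownership throughout; letting the error reach the transaction output would make that failure visible.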
view file @ d5fe0dbac2
... ... --- /dev/null
... ... +++ b/bind.tmpfiles.d
... ... @@ -0,0 +1 @@
1
d /run/named 0755 named named -
view file @ d5fe0dbac2
... ... --- /dev/null
... ... +++ b/bind93-rh490837.patch
... ... @@ -0,0 +1,34 @@
1
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
2
index cd44fe3..5b7c539 100644
3
--- a/lib/isc/lex.c
4
+++ b/lib/isc/lex.c
5
@@ -27,6 +27,8 @@
6
 #include <isc/string.h>
7
 #include <isc/util.h>
8
 
9
+#include "../errno2result.h"
10
+
11
 typedef struct inputsource {
12
 	isc_result_t result;
13
 	bool is_file;
14
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
15
 #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
16
 				if (c == EOF) {
17
 					if (ferror(stream)) {
18
-						source->result = ISC_R_IOERROR;
19
+						source->result = isc__errno2result(errno);
20
 						result = source->result;
21
 						goto done;
22
 					}
23
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
24
index e3e2644..5e58600 100644
25
--- a/lib/isc/unix/errno2result.c
26
+++ b/lib/isc/unix/errno2result.c
27
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
28
 	case EINVAL: /* XXX sometimes this is not for files */
29
 	case ENAMETOOLONG:
30
 	case EBADF:
31
+	case EISDIR:
32
 		return (ISC_R_INVALIDFILE);
33
 	case ENOENT:
34
 		return (ISC_R_FILENOTFOUND);
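Review bot: in `isc_lex_gettoken()`, replacing the fixed `ISC_R_IOERROR` with `isc__errno2result(errno)` changes the result every caller sees on a read error, and the only mapping this patch shows is the new `case EISDIR:` falling through to `ISC_R_INVALIDFILE`. Please confirm that callers comparing against `ISC_R_IOERROR` still behave correctly for other errno values, and state in the patch header which results are now expected. The `#include "../errno2result.h"` added to lib/isc/lex.c also does not point at lib/isc/unix/errno2result.h when resolved relative to lex.c, so it depends on the compiler's include path; a short comment saying so would help whoever rebases this patch.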
view file @ d5fe0dbac2
... ... --- a/bind97-rh645544.patch
... ... +++ b/bind97-rh645544.patch
... ... @@ -1,30 +1,31 @@
1
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
2
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544	2013-08-19 10:30:52.000000000 +0200
3
+++ bind-9.9.4rc2/lib/dns/resolver.c	2013-09-06 17:58:03.864165823 +0200
4
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
1
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
2
index 31549c6..65a14b6 100644
3
--- a/lib/dns/resolver.c
4
+++ b/lib/dns/resolver.c
5
@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
5 6
 	 */
6 7
 	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
7 8
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
8 9
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
9 10
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
10
 		      "success resolving '%s' (in '%s'?) after %s",
11
 		      fctx->info, domainbuf, fctx->reason);
12
 
13
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
11
 		      "success resolving '%s' (in '%s'?) after %s", fctx->info,
12
 		      domainbuf, fctx->reason);
13
 }
14
@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
14 15
 	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
15 16
 	isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
16 17
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
17 18
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
18 19
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
19
 		      "lame server resolving '%s' (in '%s'?): %s",
20
 		      namebuf, domainbuf, addrbuf);
20
 		      "lame server resolving '%s' (in '%s'?): %s", namebuf,
21
 		      domainbuf, addrbuf);
21 22
 }
22
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
23
 	}
23
@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
24
 	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
24 25
 
25 26
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
26 27
-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
27 28
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
28
 		      "DNS format error from %s resolving %s%s%s: %s",
29
 		      nsbuf, fctx->info, clmsg, clbuf, msgbuf);
29
 		      "DNS format error from %s resolving %s for %s: %s", nsbuf,
30
 		      fctx->info, fctx->clientstr, msgbuf);
30 31
 }
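Review bot: all three `isc_log_write()` calls touched here (`log_edns`, `log_lame`, `log_formerr`) drop to `ISC_LOG_DEBUG(1)`, so "lame server resolving" and "DNS format error from %s" messages no longer appear at the default log level, and `log_formerr` goes from `ISC_LOG_NOTICE` straight to debug. These are the messages an operator relies on to notice a misbehaving upstream server, so consider keeping `log_formerr` at `ISC_LOG_INFO`, or record in the package changelog that these messages now require debug level 1 to be seen.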
view file @ 1fca60d876
... ... --- a/bind97-rh669163.patch
... ... +++ /dev/null
... ... @@ -1,14 +0,0 @@
0
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
1
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163	2011-01-28 14:48:38.934472578 +0100
2
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c	2011-01-28 14:49:50.421326035 +0100
3
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
4
 			break;
5
 		}
6
 
7
+		/* Ignore options with no parameters */
8
+		if (stopchar == '\n')
9
+			continue;
10
+
11
 		if (strlen(word) == 0U)
12
 			rval = LWRES_R_SUCCESS;
13
 		else if (strcmp(word, "nameserver") == 0)
view file @ 1fca60d876
... ... --- a/bind99-rh640538.patch
... ... +++ /dev/null
... ... @@ -1,44 +0,0 @@
0
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
1
index 1079421..f11abd1 100644
2
--- a/bin/dig/dig.docbook
3
+++ b/bin/dig/dig.docbook
4
@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
5
     </para>
6
   </refsection>
7
 
8
+  <refsection><info><title>RETURN CODES</title></info>
9
+    <para>
10
+      <command>Dig</command> return codes are:
11
+      <variablelist>
12
+        <varlistentry>
13
+          <listitem>
14
+            <para>0: Everything went well, including things like NXDOMAIN</para>
15
+          </listitem>
16
+        </varlistentry>
17
+        <varlistentry>
18
+          <listitem>
19
+            <para>1: Usage error</para>
20
+          </listitem>
21
+        </varlistentry>
22
+        <varlistentry>
23
+          <listitem>
24
+            <para>8: Couldn't open batch file</para>
25
+          </listitem>
26
+        </varlistentry>
27
+        <varlistentry>
28
+          <listitem>
29
+            <para>9: No reply from server</para>
30
+          </listitem>
31
+        </varlistentry>
32
+        <varlistentry>
33
+          <listitem>
34
+            <para>10: Internal error</para>
35
+          </listitem>
36
+        </varlistentry>
37
+      </variablelist>
38
+    </para>
39
+  </refsection>
40
+
41
   <refsection><info><title>FILES</title></info>
42
 
43
     <para><filename>/etc/resolv.conf</filename>
view file @ 1fca60d876
... ... --- a/bogon_acl.conf
... ... +++ /dev/null
... ... @@ -1,77 +0,0 @@
0
// 
1
// NOTE: This list is changing all the time (naturally) and serves as an
2
// example only. It is up to you to keep this list up-to-date. In Mandriva
3
// Linux we allow the 192.168.0.0/16 network to do recursive lookups per
4
// default. If you don't like this you need to change this now.
5
//
6
// http://qa.mandriva.com/en/show_bug.cgi?id=27981
7
// 
8
// The list was taken from http://www.cymru.com/Documents/secure-bind-template.html
9
// Secure BIND Template Version 6.3 27 MAY 2008
10
//
11
// You should keep an eye on http://www.iana.org/assignments/ipv4-address-space in 
12
// order to stay up to date.
13
// 
14
// NOTE: As of Fri Jul 31 2009 this file isn't used anymore and serves as an example
15
// only. You should instead look at:
16
// http://www.team-cymru.org/Services/Bogons/
17
//
18
// $Id: bogon_acl.conf 405097 2009-07-31 12:51:25Z oden $
19
// $HeadURL: http://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/bogon_acl.conf $
20
21
acl "bogon" {
22
    // Filter out the bogon networks.  These are networks
23
    // listed by IANA as test, RFC1918, Multicast, experi-
24
    // mental, etc.  If you see DNS queries or updates with
25
    // a source address within these networks, this is likely
26
    // of malicious origin. CAUTION: If you are using RFC1918
27
    // netblocks on your network, remove those netblocks from
28
    // this list of blackhole ACLs!
29
    0.0.0.0/8;
30
    1.0.0.0/8;
31
    2.0.0.0/8;
32
    5.0.0.0/8;
33
    10.0.0.0/8;
34
    14.0.0.0/8;
35
    23.0.0.0/8;
36
    27.0.0.0/8;
37
    31.0.0.0/8;
38
    36.0.0.0/8;
39
    37.0.0.0/8;
40
    39.0.0.0/8;
41
    42.0.0.0/8;
42
    46.0.0.0/8;
43
    49.0.0.0/8;
44
    50.0.0.0/8;
45
    100.0.0.0/8;
46
    101.0.0.0/8;
47
    102.0.0.0/8;
48
    103.0.0.0/8;
49
    104.0.0.0/8;
50
    105.0.0.0/8;
51
    106.0.0.0/8;
52
    107.0.0.0/8;
53
    108.0.0.0/8;
54
    109.0.0.0/8;
55
    110.0.0.0/8;
56
    111.0.0.0/8;
57
    169.254.0.0/16;
58
    172.16.0.0/12;
59
    175.0.0.0/8;
60
    176.0.0.0/8;
61
    177.0.0.0/8;
62
    178.0.0.0/8;
63
    179.0.0.0/8;
64
    180.0.0.0/8;
65
    181.0.0.0/8;
66
    182.0.0.0/8;
67
    183.0.0.0/8;
68
    184.0.0.0/8;
69
    185.0.0.0/8;
70
    192.0.2.0/24;
71
//    192.168.0.0/16;
72
    197.0.0.0/8;
73
    198.18.0.0/15;
74
    223.0.0.0/8;
75
    224.0.0.0/3;
76
};
view file @ d5fe0dbac2
... ... --- /dev/null
... ... +++ b/codesign2021.txt
... ... @@ -0,0 +1,534 @@
1
-----BEGIN PGP PUBLIC KEY BLOCK-----
128
hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
129
DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
130
C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
131
y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
132
EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
133
CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
134
hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
135
BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
136
xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
137
qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
138
W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
139
9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
140
uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
141
mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
142
xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
143
WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
144
cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
145
E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
146
vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
147
LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
148
wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
149
nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
150
SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
151
zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
152
pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
153
7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
154
08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
155
QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
156
ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
157
iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
158
1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
159
z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
160
Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
161
fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
162
EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
163
AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
164
AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
165
bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
166
sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
167
TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
168
vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
169
qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
170
TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
171
8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
172
IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
173
x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
174
t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
175
/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
176
Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
177
UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
178
KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
179
SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
180
cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
181
BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
182
XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
183
e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
184
A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
185
Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
186
63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
187
oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
188
J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
189
chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
190
mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
191
rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
192
EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
193
5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
194
sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
195
s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
196
lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
197
vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
198
MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
199
BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
200
3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
201
W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
202
GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
203
8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
204
Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
205
chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
206
DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
207
l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
208
JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
209
P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
210
1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
211
snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
212
Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
213
iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
214
VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
215
m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
216
4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
217
Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
218
H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
219
g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
220
9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
221
TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
222
uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
223
QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
224
Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
225
=fX+D
226
-----END PGP PUBLIC KEY BLOCK-----
227
-----BEGIN PGP PUBLIC KEY BLOCK-----
534
-----END PGP PUBLIC KEY BLOCK-----
... ... --- a/generate-rndc-key.sh
... ... +++ b/generate-rndc-key.sh
... ... @@ -1,12 +1,23 @@
1 1
#!/bin/bash
2 2
3
. /etc/rc.d/init.d/functions
3
if [ -r /etc/rc.d/init.d/functions ]; then
4
	. /etc/rc.d/init.d/functions
5
else
6
success() {
7
	echo $" OK "
8
}
9
10
failure() {
11
	echo -n " "
12
	echo $"FAILED"
13
}
14
fi
4 15
5 16
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
6 17
7 18
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
8 19
  echo -n $"Generating /etc/rndc.key:"
9
  if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
20
  if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
10 21
  then
11 22
    chmod 640 /etc/rndc.key
12 23
    chown root:named /etc/rndc.key
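Review bot: the changed rndc-confgen call (new line 20) still sends both stdout and stderr to /dev/null, so a failed key generation shows the operator only FAILED with no cause, and nothing explains why `-r /dev/urandom` is no longer passed. Consider dropping `2>&1` from the redirect (or capturing stderr and printing it in the failure branch) and adding a one-line comment about the option removal. The fallback `success()` and `failure()` also ignore their argument, so the "/etc/rndc.key generation" text is lost when /etc/rc.d/init.d/functions is not readable. Separately, the results of `chmod 640` and `chown root:named` are not checked; a failed chown would leave the key without the intended root:named ownership while the script still reports OK.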
... ... @@ -14,7 +25,9 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
25 25
    success $"/etc/rndc.key generation"
26 26
    echo
27 27
  else
28
    rc=$?
28 29
    failure $"/etc/rndc.key generation"
29 30
    echo
31
    exit $rc
30 32
  fi
31 33
fi
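Review bot: `exit $rc` in the else branch makes the script fail when rndc-confgen fails, but the header comment (new line 17) still describes only when the key is generated; add a sentence there documenting the non-zero exit so that whatever invokes this script knows to handle it. `rc=$?` is taken before `failure` runs, so the saved value is the status of the `if` condition, which is correct. As a style point, quote the variable: `exit "$rc"`.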
... ... --- a/hosts
... ... +++ /dev/null
... ... @@ -1 +0,0 @@
0
127.0.0.1	localhost.localdomain localhost
... ... --- a/ldap2zone.1
... ... +++ /dev/null
... ... @@ -1,41 +0,0 @@
0
.\" Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
1
.\" 
2
.\" Permission to use, copy, modify, and distribute this software for any
3
.\" purpose with or without fee is hereby granted, provided that the above
4
.\" copyright notice and this permission notice appear in all copies.
5
.\" Manpage written by Jan Gorig
6
.TH ldap2zone 1 "15 March 2010" "BIND9"
7
.SH NAME
8
ldap2zone - Creates zone file from LDAP dnszone information
9
.SH SYNOPSIS
10
.B ldap2zone zone-name LDAP-URL default-ttl [serial]
11
.SH DESCRIPTION
12
ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end.
13
14
\fBzone-name\fR
15
.RS 4
16
Name of the zone, eg "mydomain.net."
17
.RE
18
.PP
19
\fBLDAP-URL\fR
20
.RS 4
21
LDAP URL to dnszone information
22
.RE
23
.PP
24
\fBdefault-ttl\fR
25
.RS 4
26
Default TTL value to be used in zone
27
.RE
28
.PP
29
\fBserial\fR
30
.RS 4
31
(optional) Program checks this number to be different than SOA serial number.
32
.RE
33
34
.SH "EXIT STATUS"
35
Exits with 0 on success or 1 on failure.
36
.SH "SEE ALSO"
37
named(8) ldap(3) 
38
http://www.venaas.no/dns/ldap2zone/
39
.SH "COPYRIGHT"
40
Copyright (C) 2004, 2005 Stig Venaas
... ... --- a/ldap2zone.c
... ... +++ /dev/null
... ... @@ -1,411 +0,0 @@
0
/*
1
 * Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
2
 * $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
3
 *
4
 * Permission to use, copy, modify, and distribute this software for any
5
 * purpose with or without fee is hereby granted, provided that the above
6
 * copyright notice and this permission notice appear in all copies.
7
 */
8
9
#define LDAP_DEPRECATED 1
10
11
#include <sys/types.h>
12
#include <stdio.h>
13
#include <stdlib.h>
14
#include <ctype.h>
15
16
#include <ldap.h>
17
18
struct string {
19
    void *data;
20
    size_t len;
21
};
22
23
struct assstack_entry {
24
    struct string key;
25
    struct string val;
26
    struct assstack_entry *next;
27
};
28
29
struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
30
void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
31
void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
32
void printsoa(struct string *soa);
33
void printrrs(char *defaultttl, struct assstack_entry *item);
34
void print_zone(char *defaultttl, struct assstack_entry *stack);
35
void usage(char *name);
36
void err(char *name, const char *msg);
37
int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
38
39
struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
40
    for (; stack; stack = stack->next)
41
	if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
42
	    return stack;
43
    return NULL;
44
}
45
46
void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
47
    item->next = *stack;
48
    *stack = item;
49
}
50
51
void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
52
    struct assstack_entry *p;
53
    
54
    item->next = NULL;
55
    if (!*stack) {
56
	*stack = item;
57
	return;
58
    }
59
    /* find end, should keep track of end somewhere */
60
    /* really a queue, not a stack */
61
    p = *stack;
62
    while (p->next)
63
	p = p->next;
64
    p->next = item;
65
}
66
67
void printsoa(struct string *soa) {
68
    char *s;
69
    size_t i;
70
    
71
    s = (char *)soa->data;
72
    i = 0;
73
    while (i < soa->len) {
74
	putchar(s[i]);
75
	if (s[i++] == ' ')
76
	    break;
77
    }
78
    while (i < soa->len) {
79
	putchar(s[i]);
80
	if (s[i++] == ' ')
81
	    break;
82
    } 
83
    printf("(\n\t\t\t\t");
84
    while (i < soa->len) {
85
	putchar(s[i]);
86
	if (s[i++] == ' ')
87
	    break;
88
    }
89
    printf("; Serialnumber\n\t\t\t\t");
90
    while (i < soa->len) {
91
	if (s[i] == ' ')
92
	    break;
93
	putchar(s[i++]);
94
    }
95
    i++;
96
    printf("\t; Refresh\n\t\t\t\t");
97
    while (i < soa->len) {
98
	if (s[i] == ' ')
99
	    break;
100
	putchar(s[i++]);
101
    }
102
    i++;
103
    printf("\t; Retry\n\t\t\t\t");
104
    while (i < soa->len) {
105
	if (s[i] == ' ')
106
	    break;
107
	putchar(s[i++]);
108
    }
109
    i++;
110
    printf("\t; Expire\n\t\t\t\t");
111
    while (i < soa->len) {
112
	putchar(s[i++]);
113
    }
114
    printf(" )\t; Minimum TTL\n");
115
}
116
117
void printrrs(char *defaultttl, struct assstack_entry *item) {
118
    struct assstack_entry *stack;
119
    char *s;
120
    int first;
121
    size_t i;
122
    char *ttl, *type;
123
    int top;
124
    
125
    s = (char *)item->key.data;
126
127
    if (item->key.len == 1 && *s == '@') {
128
	top = 1;
129
	printf("@\t");
130
    } else {
131
	top = 0;
132
	for (i = 0; i < item->key.len; i++)
133
	    putchar(s[i]);
134
	if (item->key.len < 8)
135
	    putchar('\t');
136
	putchar('\t');
137
    }
138
    
139
    first = 1;
140
    for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
141
	ttl = (char *)stack->key.data;
142
	s = strchr(ttl, ' ');
143
	*s++ = '\0';
144
	type = s;
145
	
146
	if (first)
147
	    first = 0;
148
        else
149
	    printf("\t\t");
150
	    
151
	if (strcmp(defaultttl, ttl))
152
	    printf("%s", ttl);
153
	putchar('\t');
154
	
155
	if (top) {
156
	    top = 0;
157
	    printf("IN\t%s\t", type);
158
	    /* Should always be SOA here */
159
	    if (!strcmp(type, "SOA")) {
160
		printsoa(&stack->val);
161
		continue;
162
	    }
163
	} else
164
	    printf("%s\t", type);
165
166
	s = (char *)stack->val.data;
167
	for (i = 0; i < stack->val.len; i++)
168
	    putchar(s[i]);
169
	putchar('\n');
170
    }
171
}
172
173
void print_zone(char *defaultttl, struct assstack_entry *stack) {
174
    printf("$TTL %s\n", defaultttl);
175
    for (; stack; stack = stack->next)
176
	printrrs(defaultttl, stack);
177
};
178
179
void usage(char *name) {
180
    fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
181
    exit(1);
182
};
183
184
void err(char *name, const char *msg) {
185
    fprintf(stderr, "%s: %s\n", name, msg);
186
    exit(1);
187
};
188
189
int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
190
    struct string key;
191
    struct assstack_entry *rr, *rrdata;
192
    
193
    /* Do nothing if name or value have 0 length */
194
    if (!name->bv_len || !val->bv_len)
195
	return 0;
196
197
    /* see if already have an entry for this name */
198
    key.len = name->bv_len;
199
    key.data = name->bv_val;
200
201
    rr = assstack_find(*stack, &key);
202
    if (!rr) {
203
	/* Not found, create and push new entry */
204
	rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
205
	if (!rr)
206
	    return -1;
207
	rr->key.len = name->bv_len;
208
	rr->key.data = (void *) malloc(rr->key.len);
209
	if (!rr->key.data) {
210
	    free(rr);
211
	    return -1;
212
	}
213
	memcpy(rr->key.data, name->bv_val, name->bv_len);
214
	rr->val.len = sizeof(void *);
215
	rr->val.data = NULL;
216
	if (name->bv_len == 1 && *(char *)name->bv_val == '@')
217
	    assstack_push(stack, rr);
218
	else
219
	    assstack_insertbottom(stack, rr);
220
    }
221
222
    rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
223
    if (!rrdata) {
224
	free(rr->key.data);
225
	free(rr);
226
	return -1;
227
    }
228
    rrdata->key.len = strlen(type) + strlen(ttl) + 1;
229
    rrdata->key.data = (void *) malloc(rrdata->key.len);
230
    if (!rrdata->key.data) {
231
	free(rrdata);
232
	free(rr->key.data);
233
	free(rr);
234
	return -1;
235
    }
236
    sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
237
	
238
    rrdata->val.len = val->bv_len;
239
    rrdata->val.data = (void *) malloc(val->bv_len);
240
    if (!rrdata->val.data) {
241
	free(rrdata->key.data);
242
	free(rrdata);
243
	free(rr->key.data);
244
	free(rr);
245
	return -1;
246
    }
247
    memcpy(rrdata->val.data, val->bv_val, val->bv_len);
248
249
    if (!strcmp(type, "SOA"))
250
	assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
251
    else
252
	assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
253
    return 0;
254
}
255
256
int main(int argc, char **argv) {
257
    char *s, *hostporturl, *base = NULL;
258
    char *ttl, *defaultttl;
259
    LDAP *ld;
260
    char *fltr = NULL;
261
    LDAPMessage *res, *e;
262
    char *a, **ttlvals, **soavals, *serial;
263
    struct berval **vals, **names;
264
    char type[64];
265
    BerElement *ptr;
266
    int i, j, rc, msgid;
267
    struct assstack_entry *zone = NULL;
268
    
269
    if (argc < 4 || argc > 5)
270
        usage(argv[0]);
271
272
    hostporturl = argv[2];
273
274
    if (hostporturl != strstr( hostporturl, "ldap"))
275
	err(argv[0], "Not an LDAP URL");
276
277
    s = strchr(hostporturl, ':');
278
279
    if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
280
	err(argv[0], "Not an LDAP URL");
281
282
    s = strchr(s+3, '/');
283
    if (s) {
284
	*s++ = '\0';
285
	base = s;
286
	s = strchr(base, '?');
287
	if (s)
288
	    err(argv[0], "LDAP URL can only contain host, port and base");
289
    }
290
291
    defaultttl = argv[3];
292
    
293
    rc = ldap_initialize(&ld, hostporturl);
294
    if (rc != LDAP_SUCCESS)
295
	err(argv[0], "ldap_initialize() failed");
296
297
    if (argc == 5) {
298
	/* serial number specified, check if different from one in SOA */
299
	fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
300
	sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
301
	msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
302
	if (msgid == -1)
303
	    err(argv[0], "ldap_search() failed");
304
305
	while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
306
	    /* not supporting continuation references at present */
307
	    if (rc != LDAP_RES_SEARCH_ENTRY)
308
		err(argv[0], "ldap_result() returned cont.ref? Exiting");
309
310
	    /* only one entry per result message */
311
	    e = ldap_first_entry(ld, res);
312
	    if (e == NULL) {
313
		ldap_msgfree(res);
314
		err(argv[0], "ldap_first_entry() failed");
315
	    }
316
	
317
	    soavals = ldap_get_values(ld, e, "SOARecord");
318
	    if (soavals)
319
		break;
320
	}
321
322
	ldap_msgfree(res);
323
	if (!soavals) {
324
		err(argv[0], "No SOA Record found");
325
	}
326
	
327
	/* We have a SOA, compare serial numbers */
328
	/* Only checkinf first value, should be only one */
329
	s = strchr(soavals[0], ' ');
330
	s++;
331
	s = strchr(s, ' ');
332
	s++;
333
	serial = s;
334
	s = strchr(s, ' ');
335
	*s = '\0';
336
	if (!strcmp(serial, argv[4])) {
337
	    ldap_value_free(soavals);
338
	    err(argv[0], "serial numbers match");
339
	}
340
	ldap_value_free(soavals);
341
    }
342
343
    if (!fltr)
344
	fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
345
    if (!fltr)
346
	err(argv[0], "Malloc failed");
347
    sprintf(fltr, "(zoneName=%s)", argv[1]);
348
349
    msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
350
    if (msgid == -1)
351
	err(argv[0], "ldap_search() failed");
352
353
    while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
354
	/* not supporting continuation references at present */
355
	if (rc != LDAP_RES_SEARCH_ENTRY)
356
	    err(argv[0], "ldap_result() returned cont.ref? Exiting");
357
358
	/* only one entry per result message */
359
	e = ldap_first_entry(ld, res);
360
	if (e == NULL) {
361
	    ldap_msgfree(res);
362
	    err(argv[0], "ldap_first_entry() failed");
363
	}
364
	
365
	names = ldap_get_values_len(ld, e, "relativeDomainName");
366
	if (!names)
367
	    continue;
368
	
369
	ttlvals = ldap_get_values(ld, e, "dNSTTL");
370
	ttl = ttlvals ? ttlvals[0] : defaultttl;
371
372
	for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
373
	    char *s;
374
375
	    for (s = a; *s; s++)
376
		*s = toupper(*s);
377
	    s = strstr(a, "RECORD");
378
	    if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
379
		ldap_memfree(a);
380
		continue;
381
	    }
382
			
383
	    strncpy(type, a, s - a);
384
	    type[s - a] = '\0';
385
	    vals = ldap_get_values_len(ld, e, a);
386
	    if (vals) {
387
		for (i = 0; vals[i]; i++)
388
		    for (j = 0; names[j]; j++)
389
			if (putrr(&zone, names[j], type, ttl, vals[i]))
390
			    err(argv[0], "malloc failed");
391
		ldap_value_free_len(vals);
392
	    }
393
	    ldap_memfree(a);
394
	}
395
396
	if (ptr)
397
	    ber_free(ptr, 0);
398
	if (ttlvals)
399
	    ldap_value_free(ttlvals);
400
	ldap_value_free_len(names);
401
	/* free this result */
402
	ldap_msgfree(res);
403
    }
404
405
    /* free final result */
406
    ldap_msgfree(res);
407
408
    print_zone(defaultttl, zone);
409
    return 0;
410
}
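Review bot: deleting ldap2zone.c rather than carrying it forward is reasonable given what is visible in it, and the commit message should say so. In putrr() (old lines 228-236) the buffer is sized "strlen(type) + strlen(ttl) + 1" and then filled with sprintf "%s %s", which needs one more byte for the terminator, so every record writes one byte past the allocation. In main() the serial check dereferences the results of strchr(soavals[0], ' ') without testing for NULL (old lines 329-335), reads soavals uninitialised if the search returns no entries (old line 323), and calls sprintf on fltr before checking the malloc result (old lines 299-300). The file also uses memcmp, strchr and strlen without including <string.h>. If the tool is still wanted in a subpackage, those need fixing before it comes back.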
view file @ 1fca60d876
... ... --- a/localdomain.zone
... ... +++ /dev/null
... ... @@ -1,10 +0,0 @@
0
$TTL	86400
1
@		IN SOA	localhost root (
2
					42		; serial (d. adams)
3
					3H		; refresh
4
					15M		; retry
5
					1W		; expiry
6
					1D )		; minimum
7
	        IN NS		localhost
8
localhost	IN A		127.0.0.1
9
		
view file @ 1fca60d876
... ... --- a/localhost.zone
... ... +++ /dev/null
... ... @@ -1,12 +0,0 @@
0
$TTL	86400
1
@		IN SOA	@       root (
2
					42		; serial (d. adams)
3
					3H		; refresh
4
					15M		; retry
5
					1W		; expiry
6
					1D )		; minimum
7
8
	        IN NS		@
9
	 	IN A		127.0.0.1
10
		IN AAAA		::1
11
... ... --- a/logging.conf
... ... +++ /dev/null
... ... @@ -1,68 +0,0 @@
0
// $Id: logging.conf 632499 2011-01-25 11:22:57Z oden $
1
// $HeadURL: http://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/logging.conf $
2
3
logging {
4
5
        channel security_channel {
6
                file "/var/log/security.log" versions 4 size 10m;
7
                print-category yes;
8
                print-severity yes;
9
                print-time yes;
10
                severity info;
11
        };
12
13
        channel default_channel {
14
                file "/var/log/default.log" versions 4 size 10m;
15
                print-category yes;
16
                print-severity yes;
17
                print-time yes;
18
        };
19
20
        channel xfer-in_channel {
21
                file "/var/log/xfer-in.log" versions 4 size 10m;
22
                severity info;
23
                print-category yes;
24
                print-severity yes;
25
                print-time yes;
26
        };
27
28
        channel xfer-out_channel {
29
                file "/var/log/xfer-out.log" versions 4 size 10m;
30
                severity info;
31
                print-category yes;
32
                print-severity yes;
33
                print-time yes;
34
        };
35
36
        channel update_channel {
37
                file "/var/log/update.log" versions 4 size 10m;
38
                severity info;
39
                print-category yes;
40
                print-severity yes;
41
                print-time yes;
42
        };
43
44
        channel notify_channel {
45
                file "/var/log/notify.log" versions 4 size 10m;
46
                severity info;
47
                print-category yes;
48
                print-severity yes;
49
                print-time yes;
50
        };
51
52
	channel "querylog" {
53
                file "/var/log/query.log" versions 4 size 10m;
54
		print-time yes;
55
        };
56
57
	category queries { querylog; };
58
        category security { security_channel; };
59
        category default { default_channel; };
60
        category xfer-in { xfer-in_channel; };
61
        category xfer-out { xfer-out_channel; };
62
        category notify { notify_channel; };
63
        category update { null; };
64
        category lame-servers { null; };
65
        category "delegation-only" { "null" ; };
66
67
};
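Review bot: removing logging.conf drops the only visible definitions of security_channel and the xfer-in/xfer-out channels, so check that the logging block kept in named.conf still routes "category security" somewhere before this lands. For the record, the deleted file defined update_channel (old lines 36-42) but then sent "category update" to null (old line 63), so dynamic update logging was already off; if it is wanted it has to be added deliberately rather than restored from this file.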
view file @ d5fe0dbac2
... ... index 950851c..237a909 100644
... ... --- a/bind-named-chroot-setup.service
... ... +++ b/named-chroot-setup.service
... ... @@ -8,5 +8,5 @@ After=named-setup-rndc.service
8 8
[Service]
9 9
Type=oneshot
10 10
RemainAfterExit=yes
11
ExecStart=/usr/sbin/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
12
ExecStop=/usr/sbin/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
11
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
12
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
view file @ d5fe0dbac2
... ... --- a/named-chroot.files
... ... +++ b/named-chroot.files
... ... @@ -8,7 +8,7 @@
8 8
/etc/rndc.conf
9 9
/etc/rndc.key
10 10
/etc/named.iscdlv.key
11
/etc/crypto-policies/back-ends/bind.config
11
#/etc/crypto-policies/back-ends/bind.config
12 12
/etc/protocols
13 13
/etc/services
14 14
/etc/named.dnssec.keys
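Review bot: /etc/named.iscdlv.key stays in the list (line 10) although this same diff deletes named.iscdlv.key, so the entry should be removed here as well unless another package still ships that file. The crypto-policies entry at line 11 is commented out rather than deleted and carries no explanation; either drop the line or add a short comment saying why the back-end file is not mounted into the chroot.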
... ... @@ -16,108 +16,11 @@
16 16
/etc/named
17 17
/usr/lib64/bind
18 18
/usr/lib/bind
19
/usr/lib64/named
20
/usr/lib/named
19 21
/usr/share/GeoIP
20 22
/run/named
21
22
#/usr/lib/openssl-@openssl_shlib_ver@/engines
23
#/usr/lib64/openssl-@openssl_shlib_ver@/engines
24
25
# Please note that this example suits both i586 and x86_64 environments. Mount
26
# script skips non-existant files and directories silently. Be careful as it
27
# skips non-existant mount points the same way. Make sure mount point exists
28
# when you add your own entries.
29
#
30
# It is also generally a good idea to stop named.service before editing the list
31
# to let helper script release currently active mounts first.
32
33
# A more complicated example. Samba 4 and Bind DLZ zones. To be able of reading
34
# Samba zones Bind requires two things: DLZ module (along with quite a number of
35
# shared libraries) and direct access to Samba DNS database.
36
#
37
# This list is for x86_64 environments - just to keep it short:
38
#
39
#/etc/samba/smb.conf
40
#/etc/ld.so.conf
41
#/etc/ld.so.conf.d
42
#/etc/ld.so.cache
43
#/usr/lib64/samba
44
#/usr/lib64/sasl2
45
#/usr/lib64/ldb
46
#/usr/lib64/openssl-@openssl_shlib_ver@/engines
47
#/usr/lib64/libsamba-hostconfig.so*
48
#/usr/lib64/libgensec.so*
49
#/usr/lib64/libsamba-util.so*
50
#/usr/lib64/libsamba-credentials.so*
51
#/usr/lib64/libsamdb.so*
52
#/usr/lib64/libldb.so*
53
#/usr/lib64/libtalloc.so*
54
#/usr/lib64/libndr.so*
55
#/usr/lib64/libtevent.so*
56
#/usr/lib64/libtevent-util.so*
57
#/usr/lib64/libndr-krb5pac.so*
58
#/usr/lib64/libgnutls.so*
59
#/usr/lib64/libtdb.so*
60
#/usr/lib64/libndr-standard.so*
61
#/usr/lib64/libndr-nbt.so*
62
#/usr/lib64/libp11-kit.so*
63
#/usr/lib64/libtasn1.so*
64
#/usr/lib64/libnettle.so*
65
#/usr/lib64/libhogweed.so*
66
#/usr/lib64/libffi.so*
67
#/usr/lib64/libdcerpc-binding.so*
68
#/usr/lib64/libsmbconf.so*
69
#/usr/lib64/libgmp.so*
70
#/usr/lib64/libfreebl3.so*
71
#/lib64/libpopt.so*
72
#/lib64/librt.so*
73
#/lib64/libcrypt.so*
74
#/lib64/libfreebl3.so*
75
#/var/lib/samba/private/dns
76
#/var/lib/samba/private/dns.keytab
77
#/var/lib/samba/private/sam.ldb.d
78
#
79
# And this one is for i586 environments:
80
#
81
#/etc/samba/smb.conf
82
#/etc/ld.so.conf
83
#/etc/ld.so.conf.d
84
#/etc/ld.so.cache
85
#/usr/lib/samba
86
#/usr/lib/sasl2
87
#/usr/lib/ldb
88
#/usr/lib/openssl-@openssl_shlib_ver@/engines
89
#/usr/lib/libsamba-hostconfig.so*
90
#/usr/lib/libgensec.so*
91
#/usr/lib/libsamba-util.so*
92
#/usr/lib/libsamba-credentials.so*
93
#/usr/lib/libsamdb.so*
94
#/usr/lib/libldb.so*
95
#/usr/lib/libtalloc.so*
96
#/usr/lib/libndr.so*
97
#/usr/lib/libtevent.so*
98
#/usr/lib/libtevent-util.so*
99
#/usr/lib/libndr-krb5pac.so*
100
#/usr/lib/libgnutls.so*
101
#/usr/lib/libtdb.so*
102
#/usr/lib/libndr-standard.so*
103
#/usr/lib/libndr-nbt.so*
104
#/usr/lib/libp11-kit.so*
105
#/usr/lib/libtasn1.so*
106
#/usr/lib/libnettle.so*
107
#/usr/lib/libhogweed.so*
108
#/usr/lib/libffi.so*
109
#/usr/lib/libdcerpc-binding.so*
110
#/usr/lib/libsmbconf.so*
111
#/usr/lib/libgmp.so*
112
#/usr/lib/libfreebl3.so*
113
#/lib/libpopt.so*
114
#/lib/librt.so*
115
#/lib/libcrypt.so*
116
#/lib/libfreebl3.so*
117
#/var/lib/samba/private/dns
118
#/var/lib/samba/private/dns.keytab
119
#/var/lib/samba/private/sam.ldb.d'
120
23
/proc/sys/net/ipv4/ip_local_port_range
121 24
# Warning: the order is important
122 25
# If a directory containing $ROOTDIR is listed here,
123 26
# it MUST be listed last. (/var/named contains /var/named/chroot)
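Review bot: the removed comment block (old lines 25-31) was the only place that told an administrator that the mount script skips missing files and missing mount points silently, and that named.service should be stopped before editing the list. That caveat is still relevant to the entries added here, in particular /proc/sys/net/ipv4/ip_local_port_range at new line 23, so I would keep those few lines and only drop the long Samba DLZ examples. The "order is important" warning that remains is useful but does not cover the silent-skip behaviour.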
view file @ d5fe0dbac2
...... file renamed without changes
view file @ d5fe0dbac2
... ... --- a/named-pkcs11.service
... ... +++ b/named-pkcs11.service
... ... @@ -9,14 +9,14 @@ After=named-setup-rndc.service
9 9
[Service]
10 10
Type=forking
11 11
Environment=NAMEDCONF=/etc/named.conf
12
Environment=KRB5_KTNAME=/etc/named.keytab
13 12
EnvironmentFile=-/etc/sysconfig/named
13
Environment=KRB5_KTNAME=/etc/named.keytab
14 14
PIDFile=/run/named/named.pid
15 15
16
ExecStartPre=/bin/bash -c 'if [ "$DISABLE_ZONE_CHECKING" != "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
16
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
17 17
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
18 18
19
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
19
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
20 20
21 21
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
22 22
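Review bot: the ExecStartPre test was changed from [ "$DISABLE_ZONE_CHECKING" != "yes" ] to [ ! "$DISABLE_ZONE_CHECKING" == "yes" ], which behaves the same but now depends on the bash-only "==" inside "[" and is harder to read; I would keep the original "!=" form. Moving Environment=KRB5_KTNAME below EnvironmentFile= does not change precedence either, because values read from EnvironmentFile override Environment= regardless of order, so if the intent was to stop /etc/sysconfig/named from overriding the keytab path this does not achieve it. The ExecReload rewrite is fine: probing with "rndc null" first means a failing "rndc reload" is now reported instead of being masked by a HUP.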
... ... --- a/named-sdb.8
... ... +++ /dev/null
... ... @@ -1 +0,0 @@
0
.so man8/named.8.gz
\ No newline at end of file
view file @ d5fe0dbac2
... ... index f7e0415..ff85e3c 100644
... ... --- a/bind-named-setup-rndc.service
... ... +++ b/named-setup-rndc.service
... ... @@ -4,4 +4,4 @@ Description=Generate rndc key for BIND (DNS)
4 4
[Service]
5 5
Type=oneshot
6 6
7
ExecStart=/usr/sbin/generate-rndc-key
7
ExecStart=/usr/libexec/generate-rndc-key.sh
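Review bot: ExecStart now points at /usr/libexec/generate-rndc-key.sh, and the script as changed in this diff exits with rndc-confgen's status on failure, so this oneshot can now end in a failed state where it previously always succeeded. The other units in this diff only show "After=named-setup-rndc.service"; please confirm whether they pull this unit in with Wants= or Requires=, because that decides whether a key generation failure blocks named from starting, and confirm the script is installed under the new path and name in the same commit.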
view file @ 1fca60d876
... ... --- a/named.broadcast
... ... +++ /dev/null
... ... @@ -1,8 +0,0 @@
0
$TTL    86400
1
@               IN SOA  localhost.      root.localhost. (
2
                                        42              ; serial (d. adams)
3
                                        3H              ; refresh
4
                                        15M             ; retry
5
                                        1W              ; expiry
6
                                        1D )            ; minimum
7
	IN	NS	localhost.
... ... --- a/named.cache
... ... +++ /dev/null
... ... @@ -1,92 +0,0 @@
0
;       This file holds the information on root name servers needed to 
1
;       initialize cache of Internet domain name servers
2
;       (e.g. reference this file in the "cache  .  <file>"
3
;       configuration file of BIND domain name servers). 
4
; 
5
;       This file is made available by InterNIC 
6
;       under anonymous FTP as
7
;           file                /domain/named.cache 
8
;           on server           FTP.INTERNIC.NET
9
;       -OR-                    RS.INTERNIC.NET
10
; 
11
;       last update:     September 14, 2020 
12
;       related version of root zone:     2020091401
13
; 
14
; FORMERLY NS.INTERNIC.NET 
15
;
16
.                        3600000      NS    A.ROOT-SERVERS.NET.
17
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
18
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
19
; 
20
; FORMERLY NS1.ISI.EDU 
21
;
22
.                        3600000      NS    B.ROOT-SERVERS.NET.
23
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
24
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
25
; 
26
; FORMERLY C.PSI.NET 
27
;
28
.                        3600000      NS    C.ROOT-SERVERS.NET.
29
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
30
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
31
; 
32
; FORMERLY TERP.UMD.EDU 
33
;
34
.                        3600000      NS    D.ROOT-SERVERS.NET.
35
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
36
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
37
; 
38
; FORMERLY NS.NASA.GOV
39
;
40
.                        3600000      NS    E.ROOT-SERVERS.NET.
41
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
42
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
43
; 
44
; FORMERLY NS.ISC.ORG
45
;
46
.                        3600000      NS    F.ROOT-SERVERS.NET.
47
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
48
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
49
; 
50
; FORMERLY NS.NIC.DDN.MIL
51
;
52
.                        3600000      NS    G.ROOT-SERVERS.NET.
53
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
54
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
55
; 
56
; FORMERLY AOS.ARL.ARMY.MIL
57
;
58
.                        3600000      NS    H.ROOT-SERVERS.NET.
59
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
60
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
61
; 
62
; FORMERLY NIC.NORDU.NET
63
;
64
.                        3600000      NS    I.ROOT-SERVERS.NET.
65
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
66
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
67
; 
68
; OPERATED BY VERISIGN, INC.
69
;
70
.                        3600000      NS    J.ROOT-SERVERS.NET.
71
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
72
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
73
; 
74
; OPERATED BY RIPE NCC
75
;
76
.                        3600000      NS    K.ROOT-SERVERS.NET.
77
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
78
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
79
; 
80
; OPERATED BY ICANN
81
;
82
.                        3600000      NS    L.ROOT-SERVERS.NET.
83
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
84
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
85
; 
86
; OPERATED BY WIDE
87
;
88
.                        3600000      NS    M.ROOT-SERVERS.NET.
89
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
90
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
91
; End of file
\ No newline at end of file
... ... --- a/named.conf
... ... +++ b/named.conf
... ... @@ -30,7 +30,6 @@ options {
30 30
	*/
31 31
	recursion yes;
32 32
33
	dnssec-enable yes;
34 33
	dnssec-validation yes;
35 34
36 35
	managed-keys-directory "/var/named/dynamic";
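Review bot: with "dnssec-enable yes;" gone, validation rests on the "dnssec-validation yes;" context line, and with "yes" named validates only against trust anchors that are configured explicitly. The header of the named.iscdlv.key file deleted in this diff states that the built-in root key is used with "dnssec-validation auto;", so please confirm this named.conf still includes a root anchor, or switch to "auto".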
... ... @@ -40,7 +39,7 @@ options {
39 39
	session-keyfile "/run/named/session.key";
40 40
41 41
	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
42
	include "/etc/crypto-policies/back-ends/bind.config";
42
	// include "/etc/crypto-policies/back-ends/bind.config";
43 43
};
44 44
45 45
logging {
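Review bot: commenting out the include of /etc/crypto-policies/back-ends/bind.config (line 42) means the system-wide crypto policy no longer applies to named, and the Fedora CryptoPolicy link left in the comment above now documents a setting that is inactive. If the file does not exist on this distribution, say so in the comment or remove both lines; if it does exist, the include should stay so that algorithm restrictions are not silently dropped. The same applies to the matching entry in named-chroot.files.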
... ... @@ -52,7 +51,7 @@ logging {
51 51
52 52
zone "." IN {
53 53
	type hint;
54
	file "/var/named/named.ca";
54
	file "named.ca";
55 55
};
56 56
57 57
include "/etc/named.rfc1912.zones";
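Review bot: the hint file path changes from the absolute "/var/named/named.ca" to the relative "named.ca" (line 54), which makes it depend on the "directory" option in the options block that is not part of this hunk. Please confirm that option is set to /var/named and that named.ca is still shipped there, since named.cache is deleted elsewhere in this diff.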
view file @ d5fe0dbac2
... ... --- a/named.conf.sample
... ... +++ b/named.conf.sample
... ... @@ -63,10 +63,6 @@ options
63 63
64 64
	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
65 65
66
	/* Enable serving of DNSSEC related data - enable on both authoritative
67
 	   and recursive servers DNSSEC aware servers */
68
	dnssec-enable yes;
69
70 66
	/* Enable DNSSEC validation on recursive servers */
71 67
	dnssec-validation yes;
72 68
... ... @@ -182,8 +178,8 @@ view "internal"
178 178
179 179
key ddns_key
180 180
{
181
	algorithm hmac-md5;
182
	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
181
	algorithm hmac-sha256;
182
	secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
183 183
};
184 184
185 185
view "external"
... ... @@ -214,39 +210,34 @@ view "external"
210 210
/* Trusted keys
211 211
212 212
  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
213
  have to configure at least one trusted key.
213
  should configure at least one trusted key.
214 214
215 215
  Note that no key written below is valid. Especially root key because root zone
216 216
  is not signed yet.
217 217
*/
218 218
/*
219
trusted-keys {
219
trust-anchors {
220 220
// Root Key
221
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
222
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
223
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
224
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
225
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
226
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
227
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
221
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
222
		      +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
223
		      ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
224
		      0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
225
		      oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
226
		      RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
227
		      R1AkUTV74bU=";
228 228
229 229
// Key for forward zone
230
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
231
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
232
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
233
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
234
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
235
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
236
                      SCThlHf3xiYleDbt/o1OTQ09A0=";
230
example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
231
				LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
232
				LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
233
				UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
234
				yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
235
				Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
236
				Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
237
				xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
238
237 239
238 240
// Key for reverse zone.
239
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
240
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
241
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
242
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
243
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
244
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
245
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
246
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
241
2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
247 242
};
248 243
*/
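Review bot: the unchanged comment at lines 215-216 still says "Especially root key because root zone is not signed yet", which contradicts the root "initial-key 257 3 8" entry added right below it; the sentence should be rewritten or dropped so readers do not conclude the sample root anchor is meaningless. The reverse zone name is carried over as "2.0.192.IN-ADDRPA.NET." in the new initial-ds line (line 241), which looks like a typo for IN-ADDR.ARPA and is worth fixing while the line is being rewritten. The section title comment still reads "Trusted keys" although the statement is now trust-anchors.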
view file @ 1fca60d876
... ... --- a/named.ip6.local
... ... +++ /dev/null
... ... @@ -1,9 +0,0 @@
0
$TTL	86400
1
@       IN      SOA     localhost. root.localhost.  (
2
                                      1997022700 ; Serial
3
                                      28800      ; Refresh
4
                                      14400      ; Retry
5
                                      3600000    ; Expire
6
                                      86400 )    ; Minimum
7
       IN      NS      localhost.
8
1      IN      PTR     localhost.
view file @ 1fca60d876
... ... --- a/named.iscdlv.key
... ... +++ /dev/null
... ... @@ -1,69 +0,0 @@
0
# The bind.keys file is used to override the built-in DNSSEC trust anchors
1
# which are included as part of BIND 9.  As of the current release, the only
2
# trust anchors it contains are those for the DNS root zone ("."), and for
3
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
4
# for any other zones MUST be configured elsewhere; if they are configured
5
# here, they will not be recognized or used by named.
6
#
7
# The built-in trust anchors are provided for convenience of configuration.
8
# They are not activated within named.conf unless specifically switched on.
9
# To use the built-in root key, set "dnssec-validation auto;" in
10
# named.conf options.  To use the built-in DLV key, set
11
# "dnssec-lookaside auto;".  Without these options being set,
12
# the keys in this file are ignored.
13
#
14
# This file is NOT expected to be user-configured.
15
#
16
# These keys are current as of Feburary 2017.  If any key fails to
17
# initialize correctly, it may have expired.  In that event you should
18
# replace this file with a current version.  The latest version of
19
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
20
21
managed-keys {
22
        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
23
        #
24
        # NOTE: The ISC DLV zone is being phased out as of February 2017;
25
        # the key will remain in place but the zone will be otherwise empty.
26
        # Configuring "dnssec-lookaside auto;" to activate this key is
27
        # harmless, but is no longer useful and is not recommended.
28
        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
29
                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
30
                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
31
                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
32
                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
33
                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
34
                TDN0YUuWrBNh";
35
36
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
37
        # for current trust anchor information.
38
        #
39
        # These keys are activated by setting "dnssec-validation auto;"
40
        # in named.conf.
41
        #
42
        # This key (19036) is to be phased out starting in 2017. It will
43
        # remain in the root zone for some time after its successor key
44
        # has been added. It will remain this file until it is removed from
45
        # the root zone.
46
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
47
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
48
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
49
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
50
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
51
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
52
                QxA+Uk1ihz0=";
53
54
        # This key (20326) is to be published in the root zone in 2017.
55
        # Servers which were already using the old key (19036) should
56
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
57
        # being set up for the first time can use the contents of this
58
        # file as initializing keys; thereafter, the keys in the
59
        # managed key database will be trusted and maintained
60
        # automatically.
61
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
62
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
63
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
64
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
65
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
66
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
67
                R1AkUTV74bU=";
68
};
... ... --- a/named.local
... ... +++ /dev/null
... ... @@ -1,9 +0,0 @@
0
$TTL	86400
1
@       IN      SOA     localhost. root.localhost.  (
2
                                      1997022700 ; Serial
3
                                      28800      ; Refresh
4
                                      14400      ; Retry
5
                                      3600000    ; Expire
6
                                      86400 )    ; Minimum
7
        IN      NS      localhost.
8
1       IN      PTR     localhost.
... ... --- a/named.logrotate
... ... +++ b/named.logrotate
... ... @@ -3,8 +3,10 @@
3 3
    su named named
4 4
    create 0644 named named
5 5
    postrotate
6
        /bin/systemctl reload named.service > /dev/null 2>&1 || :
7
        /bin/systemctl reload named-sdb.service > /dev/null 2>&1 || :
8
        /bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || :
6
        /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
7
        /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
8
        /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
9
        /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
10
        /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
9 11
    endscript
10 12
}
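Review bot: in the postrotate block, all five `systemctl reload` calls discard their output and end in `|| true`, so a failed reload of the unit that is actually running goes unnoticed and named can keep writing to the rotated file. Consider reloading only the units that `systemctl is-active` reports as running and letting a failure there show up in the logrotate output. Separately, the unchanged `create 0644 named named` leaves new logs world-readable; 0640 is the safer mode if query or security logging goes to this file.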
... ... --- a/named.rfc1912.zones
... ... +++ b/named.rfc1912.zones
... ... @@ -4,11 +4,15 @@
4 4
//
5 5
// ISC BIND named zone configuration for zones recommended by
6 6
// RFC 1912 section 4.1 : localhost TLDs and address zones
7
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
7
// and https://tools.ietf.org/html/rfc6303
8 8
// (c)2007 R W Franks
9 9
// 
10 10
// See /usr/share/doc/bind*/sample/ for example named configuration files.
11 11
//
12
// Note: empty-zones-enable yes; option is default.
13
// If private ranges should be forwarded, add 
14
// disable-empty-zone "."; into options
15
// 
12 16
13 17
zone "localhost.localdomain" IN {
14 18
	type master;
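Review bot: the comment added at new lines 12-15 recommends `disable-empty-zone ".";` for forwarding private ranges without saying what it costs. Disabling the empty zones lets reverse lookups for RFC 1918 and other local-use ranges leave the resolver, which is the leak RFC 6303 (linked at new line 7) is meant to prevent. Suggest the comment point to disabling only the zone that is actually forwarded, for example `disable-empty-zone "10.in-addr.arpa";`, and add one sentence on the leak.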
... ... @@ -39,4 +43,3 @@ zone "0.in-addr.arpa" IN {
43 43
	file "named.empty";
44 44
	allow-update { none; };
45 45
};
46
... ... --- a/named.root
... ... +++ b/named.root
... ... @@ -1,92 +1,61 @@
1
;       This file holds the information on root name servers needed to 
2
;       initialize cache of Internet domain name servers
3
;       (e.g. reference this file in the "cache  .  <file>"
4
;       configuration file of BIND domain name servers). 
5
; 
6
;       This file is made available by InterNIC 
7
;       under anonymous FTP as
8
;           file                /domain/named.cache 
9
;           on server           FTP.INTERNIC.NET
10
;       -OR-                    RS.INTERNIC.NET
11
; 
12
;       last update:     September 14, 2020 
13
;       related version of root zone:     2020091401
14
; 
15
; FORMERLY NS.INTERNIC.NET 
16
;
17
.                        3600000      NS    A.ROOT-SERVERS.NET.
18
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
19
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
20
; 
21
; FORMERLY NS1.ISI.EDU 
22
;
23
.                        3600000      NS    B.ROOT-SERVERS.NET.
24
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
25
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
26
; 
27
; FORMERLY C.PSI.NET 
28
;
29
.                        3600000      NS    C.ROOT-SERVERS.NET.
30
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
31
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
32
; 
33
; FORMERLY TERP.UMD.EDU 
34
;
35
.                        3600000      NS    D.ROOT-SERVERS.NET.
36
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
37
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
38
; 
39
; FORMERLY NS.NASA.GOV
40
;
41
.                        3600000      NS    E.ROOT-SERVERS.NET.
42
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
43
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
44
; 
45
; FORMERLY NS.ISC.ORG
46
;
47
.                        3600000      NS    F.ROOT-SERVERS.NET.
48
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
49
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
50
; 
51
; FORMERLY NS.NIC.DDN.MIL
52
;
53
.                        3600000      NS    G.ROOT-SERVERS.NET.
54
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
55
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
56
; 
57
; FORMERLY AOS.ARL.ARMY.MIL
58
;
59
.                        3600000      NS    H.ROOT-SERVERS.NET.
60
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
61
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
62
; 
63
; FORMERLY NIC.NORDU.NET
64
;
65
.                        3600000      NS    I.ROOT-SERVERS.NET.
66
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
67
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
68
; 
69
; OPERATED BY VERISIGN, INC.
70
;
71
.                        3600000      NS    J.ROOT-SERVERS.NET.
72
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
73
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
74
; 
75
; OPERATED BY RIPE NCC
76
;
77
.                        3600000      NS    K.ROOT-SERVERS.NET.
78
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
79
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
80
; 
81
; OPERATED BY ICANN
82
;
83
.                        3600000      NS    L.ROOT-SERVERS.NET.
84
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
85
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
86
; 
87
; OPERATED BY WIDE
88
;
89
.                        3600000      NS    M.ROOT-SERVERS.NET.
90
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
91
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
92
; End of file
92
\ No newline at end of file
1
2
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
3
; (2 servers found)
4
;; global options: +cmd
5
;; Got answer:
6
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
7
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
8
9
;; OPT PSEUDOSECTION:
10
; EDNS: version: 0, flags:; udp: 1472
11
;; QUESTION SECTION:
12
;.				IN	NS
13
14
;; ANSWER SECTION:
15
.			518400	IN	NS	a.root-servers.net.
16
.			518400	IN	NS	b.root-servers.net.
17
.			518400	IN	NS	c.root-servers.net.
18
.			518400	IN	NS	d.root-servers.net.
19
.			518400	IN	NS	e.root-servers.net.
20
.			518400	IN	NS	f.root-servers.net.
21
.			518400	IN	NS	g.root-servers.net.
22
.			518400	IN	NS	h.root-servers.net.
23
.			518400	IN	NS	i.root-servers.net.
24
.			518400	IN	NS	j.root-servers.net.
25
.			518400	IN	NS	k.root-servers.net.
26
.			518400	IN	NS	l.root-servers.net.
27
.			518400	IN	NS	m.root-servers.net.
28
29
;; ADDITIONAL SECTION:
30
a.root-servers.net.	518400	IN	A	198.41.0.4
31
b.root-servers.net.	518400	IN	A	199.9.14.201
32
c.root-servers.net.	518400	IN	A	192.33.4.12
33
d.root-servers.net.	518400	IN	A	199.7.91.13
34
e.root-servers.net.	518400	IN	A	192.203.230.10
35
f.root-servers.net.	518400	IN	A	192.5.5.241
36
g.root-servers.net.	518400	IN	A	192.112.36.4
37
h.root-servers.net.	518400	IN	A	198.97.190.53
38
i.root-servers.net.	518400	IN	A	192.36.148.17
39
j.root-servers.net.	518400	IN	A	192.58.128.30
40
k.root-servers.net.	518400	IN	A	193.0.14.129
41
l.root-servers.net.	518400	IN	A	199.7.83.42
42
m.root-servers.net.	518400	IN	A	202.12.27.33
43
a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
44
b.root-servers.net.	518400	IN	AAAA	2001:500:200::b
45
c.root-servers.net.	518400	IN	AAAA	2001:500:2::c
46
d.root-servers.net.	518400	IN	AAAA	2001:500:2d::d
47
e.root-servers.net.	518400	IN	AAAA	2001:500:a8::e
48
f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f
49
g.root-servers.net.	518400	IN	AAAA	2001:500:12::d0d
50
h.root-servers.net.	518400	IN	AAAA	2001:500:1::53
51
i.root-servers.net.	518400	IN	AAAA	2001:7fe::53
52
j.root-servers.net.	518400	IN	AAAA	2001:503:c27::2:30
53
k.root-servers.net.	518400	IN	AAAA	2001:7fd::1
54
l.root-servers.net.	518400	IN	AAAA	2001:500:9f::42
55
m.root-servers.net.	518400	IN	AAAA	2001:dc3::35
56
57
;; Query time: 24 msec
58
;; SERVER: 198.41.0.4#53(198.41.0.4)
59
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
60
;; MSG SIZE  rcvd: 811
61
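Review bot: the replacement content is a raw `dig` capture stamped `WHEN: Thu Apr 05 15:57:34 CEST 2018`, while the removed file was labelled `last update: September 14, 2020` with root zone version 2020091401, so the hints move from a dated InterNIC file to an older, unversioned query result. The addresses on both sides match, so nothing breaks, but the header no longer tells a reader which root zone version the hints correspond to, and the capture is a plain `+norec` query with no record of how the answer was checked. Suggest keeping the InterNIC named.cache form, or regenerating the capture and stating its source in the commit message.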
... ... --- a/named.root.key
... ... +++ b/named.root.key
... ... @@ -1,33 +1,13 @@
1
managed-keys {
1
trust-anchors {
2 2
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
3 3
        # for current trust anchor information.
4 4
        #
5
        # These keys are activated by setting "dnssec-validation auto;"
6
        # in named.conf.
7
        #
8
        # This key (19036) is to be phased out starting in 2017. It will
9
        # remain in the root zone for some time after its successor key
10
        # has been added. It will remain this file until it is removed from
11
        # the root zone.
12
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
13
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
14
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
15
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
16
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
17
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
18
                QxA+Uk1ihz0=";
19
20
        # This key (20326) is to be published in the root zone in 2017.
21
        # Servers which were already using the old key should roll to the
22
        # new # one seamlessly.  Servers being set up for the first time
23
        # can use either of the keys in this file to verify the root keys
24
        # for the first time; thereafter the keys in the zone will be
25
        # trusted and maintained automatically.
26
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
27
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
28
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
29
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
30
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
31
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
32
                R1AkUTV74bU=";
5
        # This key (20326) was published in the root zone in 2017.
6
        # Servers which were already using the old key (19036) should
7
        # roll seamlessly to this new one via RFC 5011 rollover. Servers
8
        # being set up for the first time can use the contents of this
9
        # file as initializing keys; thereafter, the keys in the
10
        # managed key database will be trusted and maintained
11
        # automatically.
12
        . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
33 13
};
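Review bot: the `initial-ds 20326 8 2` line at new line 12 becomes the only trust anchor in this file, and the patch carries no record of how the digest was checked. Suggest stating in the commit message that it was compared against https://data.iana.org/root-anchors/root-anchors.xml, which the comment on line 2 already cites. The removed comment about `dnssec-validation auto;` also leaves the file silent on how the anchor is activated; one line on that would help whoever edits named.conf next.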
...... file renamed without changes
... ... --- a/named.sysusers.conf
... ... +++ /dev/null
... ... @@ -1,3 +0,0 @@
0
u named - "BIND DNS Server" /var/lib/named
1
g named - -
2
m named named
... ... --- a/named.tmpfiles.conf
... ... +++ /dev/null
... ... @@ -1 +0,0 @@
0
d /run/named 0750 named named -
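Review bot: deleting `d /run/named 0750 named named -` removes the only visible place where the runtime directory is created with owner named and mode 0750. Confirm that the unit files or the spec create /run/named with the same ownership and mode (for example via `RuntimeDirectory=` in the service), otherwise the directory is missing after a reboot or ends up with looser permissions.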
... ... --- a/named.zero
... ... +++ /dev/null
... ... @@ -1,8 +0,0 @@
0
$TTL    86400
1
@               IN SOA  localhost.      root.localhost. (
2
                                        42              ; serial (d. adams)
3
                                        3H              ; refresh
4
                                        15M             ; retry
5
                                        1W              ; expiry
6
                                        1D )            ; minimum
7
	IN	NS	localhost.
... ... --- a/rndc.key
... ... +++ /dev/null
... ... @@ -1,8 +0,0 @@
0
// $Id: rndc.key 80849 2007-09-06 11:56:48Z oden $
1
// $HeadURL: http://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/rndc.key $
2
3
key mykey {
4
    algorithm hmac-md5;
5
    secret "_MY_KEY_";
6
};
7
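Review bot: nothing in the visible diff replaces the control key this file provided, so it is unclear what rndc authenticates with after the removal. Dropping a template that shipped `algorithm hmac-md5;` with the placeholder `secret "_MY_KEY_";` is fine, but confirm the package generates a per-host key at install time (for example with `rndc-confgen -a`) and that no remaining configuration still refers to a key named `mykey`.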
... ... --- a/setup-named-softhsm.sh
... ... +++ b/setup-named-softhsm.sh
... ... @@ -2,6 +2,12 @@
2 2
#
3 3
# This script will initialise token storage of softhsm PKCS11 provider
4 4
# in custom location. Is useful to store tokens in non-standard location.
5
#
6
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
7
# Quotes around eval are mandatory!
8
# Recommended use:
9
# eval "$(bash setup-named-softhsm.sh -A)"
10
#
5 11
6 12
SOFTHSM2_CONF="$1"
7 13
TOKENPATH="$2"
... ... @@ -10,14 +16,55 @@ GROUPNAME="$3"
16 16
# This is intended for crypto accelerators using PKCS11 interface.
17 17
# Uninitialized token would fail any crypto operation.
18 18
PIN=1234
19
SO_PIN=1234
20
LABEL=rpm
19 21
20 22
set -e
21 23
24
echo_i()
25
{
26
	echo "#" $@
27
}
28
29
random()
30
{
31
	if [ -x "$(which openssl 2>/dev/null)" ]; then
32
		openssl rand -base64 $1
33
	else
34
		dd if=/dev/urandom bs=1c count=$1 | base64
35
	fi
36
}
37
38
usage()
39
{
40
	echo "Usage: $0 -A [token directory] [group]"
41
	echo "   or: $0 <config file> <token directory> [group]"
42
}
43
44
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
45
	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
46
fi
47
22 48
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
23
	echo "Usage: $0 <config file> <token directory> [group]" >&2
49
	usage >&2
24 50
	exit 1
25 51
fi
26 52
53
if [ "$SOFTHSM2_CONF" = "-A" ]; then
54
	# Automagic mode instead
55
	MODE=secure
56
	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
57
	PIN_SOURCE="$TOKENPATH/pin"
58
	SOPIN_SOURCE="$TOKENPATH/so-pin"
59
	TOKENPATH="$TOKENPATH/tokens"
60
else
61
	MODE=legacy
62
fi
63
64
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
65
66
umask 0022
67
27 68
if ! [ -f "$SOFTHSM2_CONF" ]; then
28 69
cat  << SED > "$SOFTHSM2_CONF"
29 70
# SoftHSM v2 configuration file
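Review bot: in `random()` the fallback `dd if=/dev/urandom bs=1c count=$1 | base64` hides a dd failure, because `set -e` only sees the exit status of the last command in a pipeline; base64 then emits an empty string and that becomes the PIN. Suggest checking that the result is non-empty before it is used, and quoting `$1` here and `$@` in `echo_i` (`echo "#" "$@"`) so arguments with spaces or glob characters are not re-split. The `-a` and `-o` operators inside `[ ... ]` are marked obsolescent by POSIX; chaining two tests with `&&` or `||` is more robust.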
... ... @@ -32,19 +79,36 @@ log.level = ERROR
79 79
slots.removable = false
80 80
SED
81 81
else
82
	echo "Config file $SOFTHSM2_CONF already exists" >&2
82
	echo_i "Config file $SOFTHSM2_CONF already exists" >&2
83 83
fi
84 84
85
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
85
if [ -n "$PIN_SOURCE" ]; then
86
	touch "$PIN_SOURCE" "$SOPIN_SOURCE"
87
	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
88
	if [ -n "$GROUPNAME" ]; then
89
		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
90
		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
91
	fi
92
fi
86 93
87 94
export SOFTHSM2_CONF
88 95
89 96
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
90 97
then
91
	echo "Token in ${TOKENPATH} is already initialized" >&2
98
	echo_i "Token in ${TOKENPATH} is already initialized" >&2
99
100
	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
101
	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
92 102
else
93
	echo "Initializing tokens to ${TOKENPATH}..."
94
	softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
103
	PIN=$(random 6)
104
	SO_PIN=$(random 18)
105
	if [ -n "$PIN_SOURCE" ]; then
106
		echo -n "$PIN" > "$PIN_SOURCE"
107
		echo -n "$SO_PIN" > "$SOPIN_SOURCE"
108
	fi
109
110
	echo_i "Initializing tokens to ${TOKENPATH}..."
111
	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
95 112
96 113
	if [ -n "$GROUPNAME" ]; then
97 114
		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
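Review bot: in legacy mode (`PIN_SOURCE` unset) the else branch now initializes the token with `PIN=$(random 6)` but stores it nowhere, and on the next run the already-initialized branch skips both `[ -f "$PIN_SOURCE" ]` reads and falls back to the default `PIN=1234` set at the top of the script. Callers that pass a config file and token directory therefore get a PIN that no longer opens the token after the first run. Suggest keeping the fixed PIN in legacy mode or persisting the generated one there as well. Also, `--pin "$PIN" --so-pin "$SO_PIN"` puts both secrets on the softhsm2-util command line, where they can be visible to other local users in the process list.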
... ... @@ -53,3 +117,8 @@ else
117 117
fi
118 118
119 119
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
120
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
121
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
122
# These are intentionaly not exported
123
echo "PIN=\"$PIN\""
124
echo "SO_PIN=\"$SO_PIN\""
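Review bot: these `echo` lines build shell source for the recommended `eval "$(bash setup-named-softhsm.sh -A)"`, but they wrap the values in double quotes without escaping, so a path argument containing `"`, `$` or a backquote is interpreted by the caller's eval. The generated base64 PINs are safe in that position; the paths taken from the script arguments are not. Suggest emitting the values with `printf '%q'` (the recommended invocation already runs the script under bash) or single-quoting them with embedded quotes escaped. Since `PIN` and `SO_PIN` go to stdout, callers should also keep this output out of build logs.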
... ... --- a/trusted-key.key
... ... +++ b/trusted-key.key
... ... @@ -1,2 +1 @@
1
. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
2 1
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
... ... --- a/trusted_networks_acl.conf
... ... +++ /dev/null
... ... @@ -1,15 +0,0 @@
0
// NOTE: You have to maintain this list yourself. In Mandriva Linux we allow
1
// the 192.168.0.0/16 network to do recursive lookups per default. If you
2
// don't like this you need to change this now.
3
//
4
// You may need to add specific ip addresses here as well.
5
// 
6
// $Id: trusted_networks_acl.conf 632499 2011-01-25 11:22:57Z oden $
7
// $HeadURL: http://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/trusted_networks_acl.conf $
8
9
acl "trusted_networks" {
10
    // If you are using RFC1918 netblocks please remember to
11
    // comment these in the bogon_acl.conf file.
12
    127.0.0.1;
13
    192.168.0.0/16;
14
};
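Review bot: with the `trusted_networks` ACL deleted, any `allow-recursion` or `allow-query` statement that still names it is a configuration error, and the visible diff does not show what now limits recursion. Confirm that the shipped named.conf restricts recursion explicitly (for example to localhost or localnets) instead of relying on this removed list of 127.0.0.1 and 192.168.0.0/16.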
... ... --- a/zone2sqlite.1
... ... +++ /dev/null
... ... @@ -1,53 +0,0 @@
0
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
1
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
2
.\" 
3
.\" Permission to use, copy, modify, and/or distribute this software for any
4
.\" purpose with or without fee is hereby granted, provided that the above
5
.\" copyright notice and this permission notice appear in all copies.
6
.\" 
7
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
10
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
11
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
12
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
13
.\" PERFORMANCE OF THIS SOFTWARE.
14
.\"
15
.\" Manpage written by Jan Gorig
16
.TH zone2sqlite 1 "15 March 2010" "BIND9"
17
.SH NAME
18
zone2sqlite - Load BIND 9 zone file into SQLite database
19
.SH SYNOPSIS
20
.B zone2sqlite zone zonefile dbfile dbtable
21
.SH DESCRIPTION
22
zone2sqlite parses DNS zone file and creates database for use with SQLite BIND SDB driver.
23
24
\fBzone\fR
25
.RS 4
26
Zone origin, eg "mydomain.net."
27
.RE
28
.PP
29
\fBzonefile\fR
30
.RS 4
31
Master zone database file, eg. mydomain.net.zone
32
.RE
33
.PP
34
\fBdbfile\fR
35
.RS 4
36
Name of SQLite database file
37
.RE
38
.PP
39
\fBdbtable\fR
40
.RS 4
41
Name of table in database
42
.RE
43
44
.SH "EXIT STATUS"
45
Exits with 0 on success or 1 on failure.
46
.SH "SEE ALSO"
47
named(8)
48
.SH "COPYRIGHT"
49
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
50
.br
51
Copyright \(co 2000, 2001 Internet Software Consortium.
52
.br
... ... --- a/zonetodb-compat.sh
... ... +++ /dev/null
... ... @@ -1,11 +0,0 @@
0
#!/bin/sh
1
2
echo_err(){
3
	echo "$@" 1>&2
4
} 
5
6
echo_err "WARNING: there is zonetodb-pgsql (PostgreSQL) and zonetodb-mysql (MySQL/MariaDB)"
7
echo_err "WARNING: zonetodb defaults to zonetodb-mysql for compatibility with older bind packages in ROSA"
8
echo_err "WARNING: please consider using either zonetodb-pgsql or zonetodb-mysql directly!"
9
10
zonetodb-mysql $@
... ... --- a/zonetodb.1
... ... +++ /dev/null
... ... @@ -1,53 +0,0 @@
0
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
1
.\" Copyright (C) 2000, 2001 Internet Software Consortium.
2
.\" 
3
.\" Permission to use, copy, modify, and/or distribute this software for any
4
.\" purpose with or without fee is hereby granted, provided that the above
5
.\" copyright notice and this permission notice appear in all copies.
6
.\" 
7
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
10
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
11
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
12
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
13
.\" PERFORMANCE OF THIS SOFTWARE.
14
.\"
15
.\" Manpage written by Jan Gorig
16
.TH zonetodb 1 "15 March 2010" "BIND9"
17
.SH NAME
18
zonetodb - Generate a PostgreSQL table from a zone.
19
.SH SYNOPSIS
20
.B zonetodb origin file dbname dbtable
21
.SH DESCRIPTION
22
zonetodb parses DNS zone file and creates table in selected database for use with PostgreSQL BIND SDB driver.
23
24
\fBzone\fR
25
.RS 4
26
Zone origin, eg "pgdb.net."
27
.RE
28
.PP
29
\fBfile\fR
30
.RS 4
31
Master zone database file, eg. pgdb.net.db
32
.RE
33
.PP
34
\fBdbname\fR
35
.RS 4
36
Name of PostgreSQL database (database must exist)
37
.RE
38
.PP
39
\fBdbtable\fR
40
.RS 4
41
Name of table in database
42
.RE
43
44
.SH "EXIT STATUS"
45
Exits with 0 on success or 1 on failure.
46
.SH "SEE ALSO"
47
named(8)
48
.SH "COPYRIGHT"
49
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
50
.br
51
Copyright \(co 2000, 2001 Internet Software Consortium.
52
.br