bind package update

Signed-off-by: webbuilder_pel7ppc64lebuilder0 <webbuilder@powerel.org>

SOURCES/bind-9.5-sdb.patch

@@ -14,10 +14,10 @@ index 187ec23..e6179e7 100644
  
  @BIND9_MAKE_RULES@
 diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
-index bc5be2a..71324d9 100644
+index 5ba3f56..1868418 100644
 --- a/bin/named-sdb/Makefile.in
 +++ b/bin/named-sdb/Makefile.in
-@@ -34,10 +34,10 @@ top_srcdir =	@top_srcdir@
+@@ -32,10 +32,10 @@ top_srcdir =	@top_srcdir@
  #
  # Add database drivers here.
  #
@@ -31,7 +31,7 @@ index bc5be2a..71324d9 100644
  
  DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
  
-@@ -83,7 +83,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+@@ -81,7 +81,7 @@ NOSYMLIBS =	${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
  
  SUBDIRS =	unix
  
@@ -40,7 +40,7 @@ index bc5be2a..71324d9 100644
  
  GEOIPLINKOBJS = geoip.@O@
  
-@@ -146,7 +146,7 @@ config.@O@: config.c bind.keys.h
+@@ -145,7 +145,7 @@ config.@O@: config.c bind.keys.h
  		-DNS_SYSCONFDIR=\"${sysconfdir}\" \
  		-c ${srcdir}/config.c
  
@@ -49,7 +49,7 @@ index bc5be2a..71324d9 100644
  	export MAKE_SYMTABLE="yes"; \
  	export BASEOBJS="${OBJS} ${UOBJS}"; \
  	${FINALBUILDCMD}
-@@ -177,15 +177,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
+@@ -176,15 +176,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
  
  installdirs:
  	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -69,7 +69,7 @@ index bc5be2a..71324d9 100644
  @DLZ_DRIVER_RULES@
  
 diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
-index a00687f..4fba625 100644
+index d26783f..75691ed 100644
 --- a/bin/named-sdb/main.c
 +++ b/bin/named-sdb/main.c
 @@ -86,6 +86,9 @@
@@ -163,10 +163,10 @@ index a00687f..4fba625 100644
  		      ISC_LOG_NOTICE, "exiting");
  	ns_log_shutdown();
 diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
-index bc5be2a..3c69c9b 100644
+index 5ba3f56..4beeaf0 100644
 --- a/bin/named/Makefile.in
 +++ b/bin/named/Makefile.in
-@@ -51,7 +51,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
+@@ -49,7 +49,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
  		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
  		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
  
@@ -175,7 +175,7 @@ index bc5be2a..3c69c9b 100644
  
  CWARNINGS =
  
-@@ -75,11 +75,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+@@ -73,11 +73,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
  
  LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
  		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@@ -189,7 +189,7 @@ index bc5be2a..3c69c9b 100644
  
  SUBDIRS =	unix
  
-@@ -94,8 +94,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
+@@ -92,8 +92,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
  		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
  		zoneconf.@O@ \
  		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@@ -199,7 +199,7 @@ index bc5be2a..3c69c9b 100644
  
  UOBJS =		unix/os.@O@ unix/dlz_dlopen_driver.@O@
  
-@@ -110,8 +109,7 @@ SRCS =		builtin.c client.c config.c control.c \
+@@ -108,8 +107,7 @@ SRCS =		builtin.c client.c config.c control.c \
  		tkeyconf.c tsigconf.c update.c xfrout.c \
  		zoneconf.c \
  		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -209,7 +209,7 @@ index bc5be2a..3c69c9b 100644
  
  MANPAGES =	named.8 lwresd.8 named.conf.5
  
-@@ -187,7 +185,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
+@@ -186,7 +184,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
  	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
  	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
  
@@ -218,10 +218,10 @@ index bc5be2a..3c69c9b 100644
  named-symtbl.@O@: named-symtbl.c
  	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
 diff --git a/configure.in b/configure.in
-index 9bb9a2a..d72093f 100644
+index d72f635..1aae803 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -4018,12 +4018,15 @@ AC_CONFIG_FILES([
+@@ -4050,6 +4050,8 @@ AC_CONFIG_FILES([
  	bin/named-pkcs11/Makefile
  	bin/named-pkcs11/unix/Makefile
  	bin/named/unix/Makefile
@@ -230,8 +230,9 @@ index 9bb9a2a..d72093f 100644
  	bin/nsupdate/Makefile
  	bin/pkcs11/Makefile
  	bin/python/Makefile
- 	bin/python/dnssec-checkds.py
+@@ -4060,6 +4062,7 @@ AC_CONFIG_FILES([
  	bin/python/dnssec-coverage.py
+ 	bin/python/dnssec-keymgr.py
  	bin/rndc/Makefile
 +	bin/sdb_tools/Makefile
  	bin/tests/Makefile

SOURCES/bind99-CVE-2018-5740.patch

@@ -0,0 +1,53 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 252a02f..bfffb8a 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -5957,6 +5957,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 	unsigned int nlabels;
+ 	dns_fixedname_t fixed;
+ 	dns_name_t prefix;
++	int order;
+ 
+ 	REQUIRE(rdataset != NULL);
+ 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
+@@ -5979,18 +5980,26 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+ 		tname = &cname.cname;
+ 		break;
+ 	case dns_rdatatype_dname:
++		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
++		    dns_namereln_subdomain)
++		{
++			return (ISC_TRUE);
++		}
+ 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 		dns_name_init(&prefix, NULL);
+ 		dns_fixedname_init(&fixed);
+ 		tname = dns_fixedname_name(&fixed);
+-		nlabels = dns_name_countlabels(qname) -
+-			  dns_name_countlabels(rname);
++		nlabels = dns_name_countlabels(rname);
+ 		dns_name_split(qname, nlabels, &prefix, NULL);
+ 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
+ 					      NULL);
+-		if (result == DNS_R_NAMETOOLONG)
++		if (result == DNS_R_NAMETOOLONG) {
++			if (chainingp != NULL) {
++				*chainingp = ISC_TRUE;
++			}
+ 			return (ISC_TRUE);
++		}
+ 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ 		break;
+ 	default:
+@@ -6719,7 +6728,9 @@ answer_response(fetchctx_t *fctx) {
+ 		}
+ 		if ((ardataset->type == dns_rdatatype_cname ||
+ 		     ardataset->type == dns_rdatatype_dname) &&
+-		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
++		    type != ardataset->type &&
++		    type != dns_rdatatype_any &&
++		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ 					      NULL))
+ 		{
+ 			return (DNS_R_SERVFAIL);

SOURCES/bind99-rh1510008-2.patch

@@ -0,0 +1,232 @@
+From 4a0a86d84ff11337c363e0540947da136b296b70 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Fri, 29 Apr 2016 14:17:21 -0700
+Subject: [PATCH] [master] more python2/3 compatibility fixes; use setup.py to
+ install
+
+---
+ bin/python/Makefile.in     |  2 ++
+ bin/python/isc/Makefile.in | 28 +++-------------------------
+ bin/python/isc/__init__.py |  6 ++++--
+ bin/python/isc/checkds.py  |  5 +++--
+ bin/python/isc/coverage.py |  7 +++----
+ bin/python/isc/dnskey.py   |  4 ++--
+ bin/python/isc/keymgr.py   |  7 +++----
+ bin/python/isc/policy.py   |  6 +++++-
+ bin/python/setup.py        |  8 ++++++++
+ 9 files changed, 33 insertions(+), 40 deletions(-)
+ create mode 100644 bin/python/setup.py
+
+diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
+index 1e4af9c2e2..7ef32cc59b 100644
+--- a/bin/python/Makefile.in
++++ b/bin/python/Makefile.in
+@@ -55,9 +55,11 @@ install:: ${TARGETS} installdirs
+ 	${INSTALL_DATA} ${srcdir}/dnssec-checkds.8 ${DESTDIR}${mandir}/man8
+ 	${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
+ 	${INSTALL_DATA} ${srcdir}/dnssec-keymgr.8 ${DESTDIR}${mandir}/man8
++	test -z "${PYTHON}" || ${PYTHON} setup.py install --prefix=${DESTDIR}${prefix}
+ 
+ clean distclean::
+ 	rm -f ${TARGETS}
++	rm -rf build
+ 
+ distclean::
+ 	rm -f dnssec-checkds.py dnssec-coverage.py dnssec-keymgr.py
+diff --git a/bin/python/isc/Makefile.in b/bin/python/isc/Makefile.in
+index 425d054cce..a72f6e4054 100644
+--- a/bin/python/isc/Makefile.in
++++ b/bin/python/isc/Makefile.in
+@@ -24,44 +24,22 @@ PYTHON	=	@PYTHON@
+ 
+ PYSRCS =	__init__.py dnskey.py eventlist.py keydict.py \
+ 		keyevent.py keyzone.py policy.py
+-TARGETS =	parsetab.py parsetab.pyc \
+-		__init__.pyc dnskey.pyc eventlist.py keydict.py \
+-		keyevent.pyc keyzone.pyc policy.pyc
++TARGETS =	parsetab.py
+ 
+ @BIND9_MAKE_RULES@
+ 
+ %.pyc: %.py
+ 	$(PYTHON) -m compileall .
+ 
+-parsetab.py parsetab.pyc: policy.py
++parsetab.py: policy.py
+ 	$(PYTHON) policy.py parse /dev/null > /dev/null
+ 	$(PYTHON) -m parsetab
+ 
+-installdirs:
+-	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}/isc
+-
+-install:: ${PYSRCS} installdirs
+-	${INSTALL_SCRIPT} __init__.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} __init__.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} dnskey.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} dnskey.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} eventlist.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} eventlist.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} keydict.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} keydict.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} keyevent.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} keyevent.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} keyzone.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} keyzone.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} policy.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} policy.pyc ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} parsetab.py ${DESTDIR}${libdir}
+-	${INSTALL_SCRIPT} parsetab.pyc ${DESTDIR}${libdir}
+-
+ check test: subdirs
+ 
+ clean distclean::
+ 	rm -f *.pyc parser.out parsetab.py
++	rm -rf __pycache__ build
+ 
+ distclean::
+ 	rm -Rf utils.py
+\ No newline at end of file
+diff --git a/bin/python/isc/__init__.py b/bin/python/isc/__init__.py
+index 0d79f356fd..10b3c45cf1 100644
+--- a/bin/python/isc/__init__.py
++++ b/bin/python/isc/__init__.py
+@@ -13,8 +13,10 @@
+ # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ 
+-__all__ = ['dnskey', 'eventlist', 'keydict', 'keyevent', 'keyseries',
+-           'keyzone', 'policy', 'parsetab', 'utils']
++__all__ = ['checkds', 'coverage', 'keymgr', 'dnskey', 'eventlist',
++           'keydict', 'keyevent', 'keyseries', 'keyzone', 'policy',
++           'parsetab', 'utils']
++
+ from isc.dnskey import *
+ from isc.eventlist import *
+ from isc.keydict import *
+diff --git a/bin/python/isc/checkds.py b/bin/python/isc/checkds.py
+index 64ca12ebc6..2b7da39fc9 100644
+--- a/bin/python/isc/checkds.py
++++ b/bin/python/isc/checkds.py
+@@ -42,7 +42,7 @@ class SECRR:
+         if not rrtext:
+             raise Exception
+ 
+-        fields = rrtext.split()
++        fields = rrtext.decode('ascii').split()
+         if len(fields) < 7:
+             raise Exception
+ 
+@@ -75,7 +75,8 @@ class SECRR:
+             fields = fields[2:]
+ 
+         if fields[0].upper() != self.rrtype:
+-            raise Exception
++            raise Exception('%s does not match %s' %
++                            (fields[0].upper(), self.rrtype))
+ 
+         self.keyid, self.keyalg, self.hashalg = map(int, fields[1:4])
+         self.digest = ''.join(fields[4:]).upper()
+diff --git a/bin/python/isc/coverage.py b/bin/python/isc/coverage.py
+index c9e89596f7..bfe811bee8 100644
+--- a/bin/python/isc/coverage.py
++++ b/bin/python/isc/coverage.py
+@@ -27,9 +27,7 @@ from collections import defaultdict
+ 
+ prog = 'dnssec-coverage'
+ 
+-from isc import *
+-from isc.utils import prefix
+-
++from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils
+ 
+ ############################################################################
+ # print a fatal error and exit
+@@ -139,7 +137,8 @@ def set_path(command, default=None):
+ def parse_args():
+     """Read command line arguments, set global 'args' structure"""
+     compilezone = set_path('named-compilezone',
+-                           os.path.join(prefix('sbin'), 'named-compilezone'))
++                           os.path.join(utils.prefix('sbin'),
++                           'named-compilezone'))
+ 
+     parser = argparse.ArgumentParser(description=prog + ': checks future ' +
+                                      'DNSKEY coverage for a zone')
+diff --git a/bin/python/isc/dnskey.py b/bin/python/isc/dnskey.py
+index f1559e7239..14079504b6 100644
+--- a/bin/python/isc/dnskey.py
++++ b/bin/python/isc/dnskey.py
+@@ -205,11 +205,11 @@ class dnskey:
+             raise Exception('unable to generate key: ' + str(stderr))
+ 
+         try:
+-            keystr = stdout.splitlines()[0]
++            keystr = stdout.splitlines()[0].decode('ascii')
+             newkey = dnskey(keystr, keys_dir, ttl)
+             return newkey
+         except Exception as e:
+-            raise Exception('unable to generate key: %s' % str(e))
++            raise Exception('unable to parse generated key: %s' % str(e))
+ 
+     def generate_successor(self, keygen_bin, **kwargs):
+         quiet = kwargs.get('quiet', False)
+diff --git a/bin/python/isc/keymgr.py b/bin/python/isc/keymgr.py
+index a3a9043965..cbe86ab65e 100644
+--- a/bin/python/isc/keymgr.py
++++ b/bin/python/isc/keymgr.py
+@@ -20,8 +20,7 @@ from collections import defaultdict
+ 
+ prog='dnssec-keymgr'
+ 
+-from isc import *
+-from isc.utils import prefix
++from isc import dnskey, keydict, keyseries, policy, parsetab, utils
+ 
+ ############################################################################
+ # print a fatal error and exit
+@@ -63,9 +62,9 @@ def parse_args():
+     """
+ 
+     keygen = set_path('dnssec-keygen',
+-                      os.path.join(prefix('sbin'), 'dnssec-keygen'))
++                      os.path.join(utils.prefix('sbin'), 'dnssec-keygen'))
+     settime = set_path('dnssec-settime',
+-                       os.path.join(prefix('sbin'), 'dnssec-settime'))
++                       os.path.join(utils.prefix('sbin'), 'dnssec-settime'))
+ 
+     parser = argparse.ArgumentParser(description=prog + ': schedule '
+                                      'DNSSEC key rollovers according to a '
+diff --git a/bin/python/isc/policy.py b/bin/python/isc/policy.py
+index ed106c6c92..dbb4abf010 100644
+--- a/bin/python/isc/policy.py
++++ b/bin/python/isc/policy.py
+@@ -104,8 +104,12 @@ class PolicyLex:
+         t.lexer.skip(1)
+ 
+     def __init__(self, **kwargs):
++        if 'maketrans' in dir(str):
++            trans = str.maketrans('_', '-')
++        else:
++            trans = maketrans('_', '-')
+         for r in self.reserved:
+-            self.reserved_map[r.lower().translate(maketrans('_', '-'))] = r
++            self.reserved_map[r.lower().translate(trans)] = r
+         self.lexer = lex.lex(object=self, **kwargs)
+ 
+     def test(self, text):
+diff --git a/bin/python/setup.py b/bin/python/setup.py
+new file mode 100644
+index 0000000000..d7ea4a4d41
+--- /dev/null
++++ b/bin/python/setup.py
+@@ -0,0 +1,8 @@
++from distutils.core import setup
++setup(name='isc',
++      version='2.0',
++      description='Python functions to support BIND utilities',
++      url='https://www.isc.org/bind',
++      author='Internet Systems Consortium, Inc',
++      license='ISC',
++      packages=['isc'])
+-- 
+2.14.3
+

SOURCES/bind99-rh1549130-2.patch

@@ -0,0 +1,54 @@
+From 9f9ce5d91a944407e13360e9c92c090d23777a8b Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 27 May 2016 18:39:33 +1000
+Subject: [PATCH] fix merge error
+
+---
+ bin/named/query.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 6e988f5686..2c44e9ff53 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -7195,6 +7195,37 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+ 		 * we know the answer.
+ 		 */
+ 
++		/*
++		 * If we have a zero ttl from the cache refetch it.
++		 */
++		if (!is_zone && event == NULL && rdataset->ttl == 0 &&
++		    RECURSIONOK(client))
++		{
++			if (dns_rdataset_isassociated(rdataset))
++				dns_rdataset_disassociate(rdataset);
++			if (sigrdataset != NULL &&
++			    dns_rdataset_isassociated(sigrdataset))
++				dns_rdataset_disassociate(sigrdataset);
++			if (node != NULL)
++				dns_db_detachnode(db, &node);
++
++			result = query_recurse(client, qtype,
++					       client->query.qname,
++					       NULL, NULL, resuming);
++			if (result == ISC_R_SUCCESS) {
++				client->query.attributes |=
++					NS_QUERYATTR_RECURSING;
++				if (dns64)
++					client->query.attributes |=
++						NS_QUERYATTR_DNS64;
++				if (dns64_exclude)
++					client->query.attributes |=
++					      NS_QUERYATTR_DNS64EXCLUDE;
++			} else
++				RECURSE_ERROR(result);
++			goto cleanup;
++		}
++
+ #ifdef ALLOW_FILTER_AAAA_ON_V4
+ 		/*
+ 		 * Optionally hide AAAAs from IPv4 clients if there is an A.
+-- 
+2.14.4
+

SOURCES/bind99-rh1549130.patch

@@ -0,0 +1,183 @@
+From 02412bfe731d0cb229eb22f0ca4e8fbaed601cbe Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 27 May 2016 09:59:46 +1000
+Subject: [PATCH] 4377.   [bug]           Don't reuse zero TTL responses beyond
+ the current                         client set (excludes ANY/SIG/RRSIG
+ queries).                         [RT #42142]
+
+(cherry picked from commit aabcb1fde0ca255ff30f0a5c10cbd39f798cc5b7)
+
+REDIRECT macro is 9.11.0+
+---
+ bin/named/query.c                 | 31 +++++++++++++++
+ bin/tests/system/zero/ans5/ans.pl | 81 +++++++++++++++++++++++++++++++++++++++
+ bin/tests/system/zero/ns1/root.db |  2 +
+ bin/tests/system/zero/tests.sh    | 13 +++++++
+ 4 files changed, 127 insertions(+)
+ create mode 100644 bin/tests/system/zero/ans5/ans.pl
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 2c44e9ff53..3b402f1d01 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -6816,6 +6816,37 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+ 		goto cleanup;
+ 
+ 	case DNS_R_CNAME:
++		/*
++		 * If we have a zero ttl from the cache refetch it.
++		 */
++		if (!is_zone && event == NULL && rdataset->ttl == 0 &&
++		    RECURSIONOK(client))
++		{
++			if (dns_rdataset_isassociated(rdataset))
++				dns_rdataset_disassociate(rdataset);
++			if (sigrdataset != NULL &&
++			    dns_rdataset_isassociated(sigrdataset))
++				dns_rdataset_disassociate(sigrdataset);
++			if (node != NULL)
++				dns_db_detachnode(db, &node);
++
++			result = query_recurse(client, qtype,
++					       client->query.qname,
++					       NULL, NULL, resuming);
++			if (result == ISC_R_SUCCESS) {
++				client->query.attributes |=
++					NS_QUERYATTR_RECURSING;
++				if (dns64)
++					client->query.attributes |=
++						NS_QUERYATTR_DNS64;
++				if (dns64_exclude)
++					client->query.attributes |=
++					      NS_QUERYATTR_DNS64EXCLUDE;
++			} else
++				RECURSE_ERROR(result);
++			goto cleanup;
++		}
++
+ 		/*
+ 		 * Keep a copy of the rdataset.  We have to do this because
+ 		 * query_addrrset may clear 'rdataset' (to prevent the
+diff --git a/bin/tests/system/zero/ans5/ans.pl b/bin/tests/system/zero/ans5/ans.pl
+new file mode 100644
+index 0000000000..9dfa18e444
+--- /dev/null
++++ b/bin/tests/system/zero/ans5/ans.pl
+@@ -0,0 +1,81 @@
++#!/usr/bin/perl -w
++#
++# Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
++#
++# Permission to use, copy, modify, and/or distribute this software for any
++# purpose with or without fee is hereby granted, provided that the above
++# copyright notice and this permission notice appear in all copies.
++#
++# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++# PERFORMANCE OF THIS SOFTWARE.
++
++#
++# Don't respond if the "norespond" file exists; otherwise respond to
++# any A or AAAA query.
++#
++
++use IO::File;
++use IO::Socket;
++use Net::DNS;
++use Net::DNS::Packet;
++
++my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.5",
++   LocalPort => 5300, Proto => "udp") or die "$!";
++
++my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
++print $pidf "$$\n" or die "cannot write pid file: $!";
++$pidf->close or die "cannot close pid file: $!";
++sub rmpid { unlink "ans.pid"; exit 1; };
++
++$SIG{INT} = \&rmpid;
++$SIG{TERM} = \&rmpid;
++
++my $octet = 0;
++
++for (;;) {
++	$sock->recv($buf, 512);
++
++	print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
++
++	my $packet;
++
++	if ($Net::DNS::VERSION > 0.68) {
++		$packet = new Net::DNS::Packet(\$buf, 0);
++		$@ and die $@;
++	} else {
++		my $err;
++		($packet, $err) = new Net::DNS::Packet(\$buf, 0);
++		$err and die $err;
++	}
++
++	print "REQUEST:\n";
++	$packet->print;
++
++	$packet->header->qr(1);
++
++	my @questions = $packet->question;
++	my $qname = $questions[0]->qname;
++	my $qtype = $questions[0]->qtype;
++
++	$packet->header->aa(1);
++	if ($qtype eq "A") {
++		$packet->push("answer",
++			      new Net::DNS::RR($qname .
++					       " 0 A 192.0.2." . $octet));
++		$octet = $octet + 1;
++	} elsif ($qtype eq "AAAA") {
++		$packet->push("answer",
++			      new Net::DNS::RR($qname .
++						" 300 AAAA 2001:db8:beef::1"));
++	}
++
++	$sock->send($packet->data);
++	print "RESPONSE:\n";
++	$packet->print;
++	print "\n";
++}
+diff --git a/bin/tests/system/zero/ns1/root.db b/bin/tests/system/zero/ns1/root.db
+index 69aca86fb8..beb97cb693 100644
+--- a/bin/tests/system/zero/ns1/root.db
++++ b/bin/tests/system/zero/ns1/root.db
+@@ -22,3 +22,5 @@ example. NS ns2.example.
+ ns2.example. A 10.53.0.2
+ example. NS ns4.example.
+ ns4.example. A 10.53.0.4
++increment. NS incrementns.
++incrementns A 10.53.0.5
+diff --git a/bin/tests/system/zero/tests.sh b/bin/tests/system/zero/tests.sh
+index 15c2906a92..bbb78f0fd8 100644
+--- a/bin/tests/system/zero/tests.sh
++++ b/bin/tests/system/zero/tests.sh
+@@ -44,5 +44,18 @@ done
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ 
++echo "I:check repeated recursive lookups of non recurring zero ttl responses get new values"
++count=`(
++dig +short -p 5300 @10.53.0.3 foo.increment
++dig +short -p 5300 @10.53.0.3 foo.increment
++dig +short -p 5300 @10.53.0.3 foo.increment
++dig +short -p 5300 @10.53.0.3 foo.increment
++dig +short -p 5300 @10.53.0.3 foo.increment
++dig +short -p 5300 @10.53.0.3 foo.increment
++dig +short -p 5300 @10.53.0.3 foo.increment
++) | sort -u | wc -l `
++if [ $count -ne 7 ] ; then echo "I:failed (count=$count)"; ret=1; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+ exit $status
+-- 
+2.14.4
+

SOURCES/bind99-rh1647539.patch

@@ -0,0 +1,28 @@
+From 89293e44e0d022463b03a92a30b3790d4569bd50 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 20 Feb 2014 23:04:54 +1100
+Subject: [PATCH] 3752.   [bug]           Address potential REQUIRE failure if 
+                        DNS_STYLEFLAG_COMMENTDATA is set when printing out    
+                     a rdataset.
+
+(cherry picked from commit 86856f4f3069bb2d75851b56401ffde18f41198f)
+---
+ lib/dns/masterdump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
+index 80fcd4c12d..58dcd3de3e 100644
+--- a/lib/dns/masterdump.c
++++ b/lib/dns/masterdump.c
+@@ -451,7 +451,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
+ 		 * Comment?
+ 		 */
+ 		if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
+-			isc_buffer_putstr(target, ";");
++			RETERR(str_totext(";", target));
+ 
+ 		/*
+ 		 * Owner name.
+-- 
+2.14.5
+

SOURCES/named.conf.sample

@@ -13,6 +13,8 @@ options
 	dump-file 		"data/cache_dump.db";
         statistics-file 	"data/named_stats.txt";
         memstatistics-file 	"data/named_mem_stats.txt";
+	recursing-file		"data/named.recursing";
+	secroots-file		"data/named.secroots";
 
 
 	/*

SPECS/bind.spec

@@ -17,6 +17,7 @@
 %{?!DEVEL:     %global DEVEL     1}
 %global        bind_dir          /var/named
 %global        chroot_prefix     %{bind_dir}/chroot
+%global        selinuxbooleans   named_write_master_zones=1
 %if %{SDB}
 %global        chroot_sdb_prefix %{bind_dir}/chroot_sdb
 %endif
@@ -25,7 +26,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  61%{?PATCHVER}%{?PREVER}%{?dist}
+Release:  73%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -38,7 +39,8 @@ Source7:  bind-9.3.1rc1-sdb_tools-Makefile.in
 Source8:  dnszone.schema
 Source12: README.sdb_pgsql
 Source25: named.conf.sample
-Source28: config-15.tar.bz2
+Source26: named.conf
+Source28: config-16.tar.bz2
 # Up-to-date bind.keys from upstream
 # Fetch a new one from page https://www.isc.org/bind-keys
 Source29: bind.keys
@@ -161,6 +163,17 @@ Patch188: bind99-rh1464850-2.patch
 Patch189: bind99-rh1501531.patch
 # ISC 4858
 Patch190: bind99-CVE-2017-3145.patch
+Patch191: bind99-rh1510008.patch
+Patch192: bind99-nta.patch
+Patch193: bind99-rh1510008-2.patch
+Patch194: bind99-fips.patch
+Patch195: bind99-fips-tests.patch
+# commit c3fbf330bc014f0470371e8da590d14a1d62977e ISC 4377
+Patch196: bind99-rh1549130.patch
+# commit cb735b3f902d4bb5f6e30328d5828d38efa63573
+Patch197: bind99-rh1549130-2.patch
+Patch198: bind99-CVE-2018-5740.patch
+Patch199: bind99-rh1647539.patch
 
 # Native PKCS#11 functionality from 9.10
 Patch150:bind-9.9-allow_external_dnskey.patch
@@ -190,6 +203,8 @@ Requires(postun): systemd
 Requires:       coreutils
 Requires:       systemd-units
 Requires(post): grep, systemd
+Requires(post): shadow-utils
+Requires(post): glibc-common
 Requires(pre):  shadow-utils
 Requires:       bind-libs = %{epoch}:%{version}-%{release}
 Obsoletes:      bind-config < 30:9.3.2-34.fc6
@@ -198,9 +213,18 @@ Obsoletes:      caching-nameserver < 31:9.4.1-7.fc8
 Provides:       caching-nameserver = 31:9.4.1-7.fc8
 Obsoletes:      dnssec-conf < 1.27-2
 Provides:       dnssec-conf = 1.27-1
+Requires:       python-ply
+Provides:       python-isc = %{epoch}:%{version}-%{release}
+Provides:       python-bind = %{epoch}:%{version}-%{release}
+# selinux_set_booleans requires
+Requires(post):      policycoreutils-python, libselinux-utils, selinux-policy
+Requires(postun):    policycoreutils-python, libselinux-utils, selinux-policy
+Requires(posttrans): policycoreutils-python, libselinux-utils, selinux-policy
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 BuildRequires:  libidn-devel, libxml2-devel, GeoIP-devel
 BuildRequires:  systemd-units
+BuildRequires:  python-ply
+BuildRequires:  selinux-policy
 %if %{SDB}
 BuildRequires:  openldap-devel, postgresql-devel, sqlite-devel, mysql-devel
 BuildRequires:  libdb-devel
@@ -467,6 +491,15 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data
 %patch188 -p1 -b .rh1464850
 %patch189 -p1 -b .rh1501531
 %patch190 -p1 -b .CVE-2017-3145
+%patch191 -p1 -b .dnssec-keymgr
+%patch192 -p1 -b .rh1452091
+%patch193 -p1 -b .dnssec-keymgr-2
+%patch194 -p1 -b .fips
+%patch195 -p1 -b .fips-tests
+%patch196 -p1 -b .rh1549130
+%patch197 -p1 -b .rh1549130-2
+%patch198 -p1 -b .CVE-2018-5740
+%patch199 -p1 -b .rh1647539
 
 # Override upstream builtin keys
 cp -fp %{SOURCE29} bind.keys
@@ -740,6 +773,7 @@ tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
 touch ${RPM_BUILD_ROOT}/etc/rndc.key
 touch ${RPM_BUILD_ROOT}/etc/rndc.conf
 mkdir ${RPM_BUILD_ROOT}/etc/named
+install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
 install -m 644 bind.keys ${RPM_BUILD_ROOT}/etc/named.iscdlv.key
 install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key
 
@@ -747,7 +781,7 @@ install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key
 mkdir -p sample/etc sample/var/named/{data,slaves}
 install -m 644 %{SOURCE25} sample/etc/named.conf
 # Copy default configuration to %%doc to make it usable from system-config-bind
-install -m 644 ${RPM_BUILD_ROOT}/etc/named.conf named.conf.default
+install -m 644 %{SOURCE26} named.conf.default
 install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
 install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty}  sample/var/named
 for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do 
@@ -765,20 +799,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
 %pre
 if [ "$1" -eq 1 ]; then
   /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
-  /usr/sbin/useradd  -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
+  /usr/sbin/useradd  -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
 fi;
 :;
 
 %post
 /sbin/ldconfig
-%systemd_post named.service
 if [ "$1" -eq 1 ]; then
   # Initial installation
   [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
   # rndc.key has to have correct perms and ownership, CVE-2007-6283
   [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
   [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
+else
+  # Upgrade, use invalid shell
+  if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
+    usermod -s /bin/false named
+  fi
 fi
+%systemd_post named.service
 :;
 
 %preun
@@ -787,8 +826,16 @@ fi
 
 %postun
 /sbin/ldconfig
-# Package upgrade, not uninstall
 %systemd_postun_with_restart named.service
+# Unset on both upgrade and install. Boolean would be unset from now
+# until %posttrans on upgrade. Write requests might fail during update.
+(export LC_ALL=C; %{selinux_unset_booleans %{selinuxbooleans}})
+
+%posttrans
+# selinux-policy-targeted is required for following macro to work.
+# This package should not depend on it explicitly, but anaconda ensures
+# it is installed. Run after all packages are installed.
+(export LC_ALL=C; %{selinux_set_booleans %{selinuxbooleans}})
 
 %if %{SDB}
 %post sdb
@@ -940,6 +987,8 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sbindir}/named-compilezone
 %{_sbindir}/isc-hmac-fixup
 %{_libexecdir}/generate-rndc-key.sh
+%{python_sitelib}/isc/
+%{python_sitelib}/*.egg-info
 %{_mandir}/man1/arpaname.1*
 %{_mandir}/man5/named.conf.5*
 %{_mandir}/man5/rndc.conf.5*
@@ -964,19 +1013,20 @@ rm -rf ${RPM_BUILD_ROOT}
 # Hide configuration
 %defattr(0640,root,named,0750)
 %dir %{_sysconfdir}/named
-%dir %{_localstatedir}/named
 %config(noreplace) %verify(not link) %{_sysconfdir}/named.conf
 %config(noreplace) %verify(not link) %{_sysconfdir}/named.rfc1912.zones
-%config %verify(not link) %{_localstatedir}/named/named.ca
-%config %verify(not link) %{_localstatedir}/named/named.localhost
-%config %verify(not link) %{_localstatedir}/named/named.loopback
-%config %verify(not link) %{_localstatedir}/named/named.empty
+%defattr(0660,root,named,01770)
+%dir %{_localstatedir}/named
 %defattr(0660,named,named,0770)
 %dir %{_localstatedir}/named/slaves
 %dir %{_localstatedir}/named/data
 %dir %{_localstatedir}/named/dynamic
 %ghost %{_localstatedir}/log/named.log
 %defattr(0640,root,named,0750)
+%config %verify(not link) %{_localstatedir}/named/named.ca
+%config %verify(not link) %{_localstatedir}/named/named.localhost
+%config %verify(not link) %{_localstatedir}/named/named.loopback
+%config %verify(not link) %{_localstatedir}/named/named.empty
 %ghost %config(noreplace) %{_sysconfdir}/rndc.key
 # ^- rndc.key now created on first install only if it does not exist
 # %%verify(not size,not md5) %%config(noreplace) %%attr(0640,root,named) /etc/rndc.conf
@@ -1078,12 +1128,13 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{chroot_prefix}/etc/pki/dnssec-keys
 %dir %{chroot_prefix}/var
 %dir %{chroot_prefix}/run
-%dir %{chroot_prefix}/var/named
 %ghost %config(noreplace) %{chroot_prefix}/etc/named.conf
 %defattr(-,root,root,-)
 %dir %{chroot_prefix}/usr
 %dir %{chroot_prefix}/%{_libdir}
 %dir %{chroot_prefix}/%{_libdir}/bind
+%defattr(0660,root,named,01770)
+%dir %{chroot_prefix}/var/named
 %defattr(0660,named,named,0770)
 %dir %{chroot_prefix}/var/tmp
 %dir %{chroot_prefix}/var/log
@@ -1109,8 +1160,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
 %dir %{chroot_sdb_prefix}/var
 %dir %{chroot_sdb_prefix}/run
-%dir %{chroot_sdb_prefix}/var/named
 %ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf
+%defattr(0660,root,named,01770)
+%dir %{chroot_sdb_prefix}/var/named
 %defattr(-,root,root,-)
 %dir %{chroot_sdb_prefix}/usr
 %dir %{chroot_sdb_prefix}/%{_libdir}
@@ -1155,6 +1207,45 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Fri Nov 23 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-73
+- Fixes debug level comments (#1647539)
+
+* Thu Sep 20 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-72
+- Fix automatic selinux boolean named_write_master_zones (#1569466)
+- Allow starting named with readonly home again
+
+* Wed Aug 08 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-71
+- Fix CVE-2018-5740
+
+* Sun Jun 24 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-70
+- Fix compiler warnings
+
+* Thu Jun 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-69
+- Refetch always records with TTL 0 (#1549130)
+
+* Thu Jun 21 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-68
+- Detect and disable MD5 functions in FIPS 140-2 mode (#1519306)
+
+* Thu Jun 14 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-67
+- Move change of dns_view_t to the end (#1452091)
+
+* Fri Jun 01 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-66
+- Correct recursing file name (#1435883)
+- Use python binary again, install all modules (#1510008)
+
+* Thu May 31 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-65
+- Add rndc secroots and recursing output files into data (#1435883)
+
+* Mon May 28 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-64
+- Backported negative trust anchors (#1452091)
+
+* Mon May 28 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-63
+- Make named home writeable (#1569466)
+- Change named shell to /bin/false
+
+* Tue May 22 2018 Martin Sehnoutka <msehnout@redhat.com> - 32:9.9.4-62
+- Resolves: #1510008 - add support for dnssec-keymgr
+
 * Tue Jan 16 2018 Petr Menšík <pemensik@redhat.com> - 32:9.9.4-61
 - Fix CVE-2017-3145