diff --git a/backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch b/backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
new file mode 100644
index 0000000000000000000000000000000000000000..575ce6d668e7b81f3d6b8fafbe37ed8eb1ea6fdb
--- /dev/null
+++ b/backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
@@ -0,0 +1,60 @@
+From f1c08fe93ba35343534d893f3efcfa6f5d97fdf0 Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Tue, 10 Jan 2023 13:51:49 +1100
+Subject: [PATCH] Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24
+
+Arthimetic on NULL pointers is undefined. Avoid arithmetic operations
+when 'in' is NULL and require 'in' to be non-NULL if 'inlen' is not zero.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/f1c08fe93ba35343534d893f3efcfa6f5d97fdf0
+
+(cherry picked from commit 349c23dbb7a4f3ffe29f3c9deff418aab6266fd0)
+---
+ lib/isc/siphash.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/isc/siphash.c b/lib/isc/siphash.c
+index 1a863ff8e1..a6e60cf02f 100644
+--- a/lib/isc/siphash.c
++++ b/lib/isc/siphash.c
+@@ -91,6 +91,7 @@ isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
+ uint8_t *out) {
+ REQUIRE(k != NULL);
+ REQUIRE(out != NULL);
++ REQUIRE(inlen == 0 || in != NULL);
+
+ uint64_t k0 = U8TO64_LE(k);
+ uint64_t k1 = U8TO64_LE(k + 8);
+@@ -102,7 +103,9 @@ isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
+
+ uint64_t b = ((uint64_t)inlen) << 56;
+
+- const uint8_t *end = in + inlen - (inlen % sizeof(uint64_t));
++ const uint8_t *end = (in == NULL)
++ ? NULL
++ : in + inlen - (inlen % sizeof(uint64_t));
+ const size_t left = inlen & 7;
+
+ for (; in != end; in += 8) {
+@@ -169,6 +172,7 @@ isc_halfsiphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
+ uint8_t *out) {
+ REQUIRE(k != NULL);
+ REQUIRE(out != NULL);
++ REQUIRE(inlen == 0 || in != NULL);
+
+ uint32_t k0 = U8TO32_LE(k);
+ uint32_t k1 = U8TO32_LE(k + 4);
+@@ -180,7 +184,9 @@ isc_halfsiphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
+
+ uint32_t b = ((uint32_t)inlen) << 24;
+
+- const uint8_t *end = in + inlen - (inlen % sizeof(uint32_t));
++ const uint8_t *end = (in == NULL)
++ ? NULL
++ : in + inlen - (inlen % sizeof(uint32_t));
+ const int left = inlen & 3;
+
+ for (; in != end; in += 4) {
+--
+2.23.0
diff --git a/backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch b/backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d24cdf218831d40e84f6f3543c770e0cb2dba3b3
--- /dev/null
+++ b/backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
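Review bot: The new `REQUIRE(inlen == 0 || in != NULL);` precondition in isc_siphash24() and isc_halfsiphash24() carries no comment stating the contract, and the diffstat lists only lib/isc/siphash.c, so nothing in this patch exercises the `in == NULL`, `inlen == 0` case. I would add `/* 'in' may be NULL only when 'inlen' is 0 (empty input). */` above each REQUIRE and a unit test that hashes an empty input passed as NULL. REQUIRE presumably aborts the process when violated, so callers that derive `inlen` from received data need to keep the pointer and the length consistent. Both function bodies continue outside the hunks.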
@@ -0,0 +1,67 @@
+From cb083876c192fa32d2984508491bac96a4236137 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Tue, 17 Jan 2023 07:18:16 +0100
+Subject: [PATCH] Detach the views in zone_shutdown(), not in zone_free()
+
+The .view (and possibly .prev_view) would be kept attached to the
+removed zone until the zone is fully removed from the memory in
+zone_free(). If this process is delayed because server is busy
+something else like doing constant `rndc reconfig`, it could take
+seconds to detach the view, possibly keeping multiple dead views in the
+memory. This could quickly lead to a massive memory bloat.
+
+Release the views early in the zone_shutdown() call, and don't wait
+until the zone is freed.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/cb083876c192fa32d2984508491bac96a4236137
+
+(cherry picked from commit 13bb8212804ce385010387d681a6623481921023)
+---
+ lib/dns/zone.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 51e2fc6cf2..9b025cdcaf 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -1246,6 +1246,8 @@ zone_free(dns_zone_t *zone) {
+ INSIST(zone->readio == NULL);
+ INSIST(zone->statelist == NULL);
+ INSIST(zone->writeio == NULL);
++ INSIST(zone->view == NULL);
++ INSIST(zone->prev_view == NULL);
+
+ if (zone->task != NULL) {
+ isc_task_detach(&zone->task);
+@@ -1253,12 +1255,6 @@ zone_free(dns_zone_t *zone) {
+ if (zone->loadtask != NULL) {
+ isc_task_detach(&zone->loadtask);
+ }
+- if (zone->view != NULL) {
+- dns_view_weakdetach(&zone->view);
+- }
+- if (zone->prev_view != NULL) {
+- dns_view_weakdetach(&zone->prev_view);
+- }
+
+ /* Unmanaged objects */
+ while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+@@ -14971,6 +14967,15 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
+
+ LOCK_ZONE(zone);
+ INSIST(zone != zone->raw);
++
++ /* Detach the views early, we don't need them anymore */
++ if (zone->view != NULL) {
++ dns_view_weakdetach(&zone->view);
++ }
++ if (zone->prev_view != NULL) {
++ dns_view_weakdetach(&zone->prev_view);
++ }
++
+ if (linked) {
+ isc_refcount_decrement(&zone->irefs);
+ }
+--
+2.23.0
diff --git a/backport-Detach-the-zone-views-outside-of-the-zone-lock.patch b/backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4c3a35653219b1f0ae7f2ef6f0ce3376e79e1857
--- /dev/null
+++ b/backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
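Review bot: In zone_shutdown() the added `dns_view_weakdetach(&zone->view)` and `dns_view_weakdetach(&zone->prev_view)` calls sit directly after `LOCK_ZONE(zone)`, so whatever locks the view detach takes are acquired while the zone lock is held. The next patch in this set ("Detach the zone views outside of the zone lock") reports exactly that lock-order inversion, so the two backports have to be shipped together and applied in this order. The new `INSIST(zone->view == NULL)` and `INSIST(zone->prev_view == NULL)` in zone_free() also assume that every zone passes through zone_shutdown() before it is freed; that is not visible in these hunks and is worth confirming for every path that reaches zone_free(). Both functions continue outside the hunks.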
@@ -0,0 +1,70 @@
+From 4b222f154bc3d5d6755cf7089948bd4522ddb7af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Thu, 19 Jan 2023 09:14:53 +0100
+Subject: [PATCH] Detach the zone views outside of the zone lock
+
+Detaching the views in the zone_shutdown() could lead to
+lock-order-inversion between adb->namelocks[bucket], adb->lock,
+view->lock and zone->lock. Detach the views outside of the section that
+zone-locked.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b222f154bc3d5d6755cf7089948bd4522ddb7af
+
+(cherry picked from commit 978a0ef84cfb08435c1b7664c6328521b743fb02)
+---
+ lib/dns/zone.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 9b025cdcaf..1763dbc306 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -14922,6 +14922,7 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
+ dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
+ bool free_needed, linked = false;
+ dns_zone_t *raw = NULL, *secure = NULL;
++ dns_view_t *view = NULL, *prev_view = NULL;
+
+ UNUSED(task);
+ REQUIRE(DNS_ZONE_VALID(zone));
+@@ -14968,13 +14969,15 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
+ LOCK_ZONE(zone);
+ INSIST(zone != zone->raw);
+
+- /* Detach the views early, we don't need them anymore */
+- if (zone->view != NULL) {
+- dns_view_weakdetach(&zone->view);
+- }
+- if (zone->prev_view != NULL) {
+- dns_view_weakdetach(&zone->prev_view);
+- }
++ /*
++ * Detach the views early, we don't need them anymore. However, we need
++ * to detach them outside of the zone lock to break the lock loop
++ * between view, adb and zone locks.
++ */
++ view = zone->view;
++ zone->view = NULL;
++ prev_view = zone->prev_view;
++ zone->prev_view = NULL;
+
+ if (linked) {
+ isc_refcount_decrement(&zone->irefs);
+@@ -15036,6 +15039,14 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
+ zone->secure = NULL;
+ }
+ UNLOCK_ZONE(zone);
++
++ if (view != NULL) {
++ dns_view_weakdetach(&view);
++ }
++ if (prev_view != NULL) {
++ dns_view_weakdetach(&prev_view);
++ }
++
+ if (raw != NULL) {
+ dns_zone_detach(&raw);
+ }
+--
+2.23.0
diff --git a/backport-Don-t-perform-arithmetic-on-NULL-pointers.patch b/backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9883c3553aa87f9ed4c51f2171e5a1e8284636d4
--- /dev/null
+++ b/backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
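Review bot: The detach that now follows `UNLOCK_ZONE(zone)` has no comment, while the block comment explaining the lock-order reason sits above the four assignments that only stash the pointers. I would add `/* Detach the views saved under the zone lock; must stay after UNLOCK_ZONE(). */` above `if (view != NULL) {` so that a later edit does not move the calls back into the locked section. Code between the assignments and the unlock is outside the hunk and now sees `zone->view == NULL`; presumably nothing there reads it, but that should be checked on the backport target.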
@@ -0,0 +1,84 @@
+From 2a9300a3bcd2c2cb5027e3435c53d2b8d94d72fd Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Tue, 10 Jan 2023 17:15:09 +1100
+Subject: [PATCH] Don't perform arithmetic on NULL pointers
+
+When node is NULL when calling getparent() et al. they return NULL
+but performing arithmetic on the NULL pointer is undefined. Check
+if 'node' or 'header' is NULL and skip the adjustment.
+
+Conflict: The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2a9300a3bcd2c2cb5027e3435c53d2b8d94d72fd
+
+---
+ lib/dns/rbt.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
+index 7f2c2d2..3fa2999 100644
+--- a/lib/dns/rbt.c
++++ b/lib/dns/rbt.c
+@@ -166,6 +166,10 @@ serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
+ dns_rbtdatawriter_t datawriter, void *writer_arg,
+ uintptr_t *where, uint64_t *crc);
+
++#define ADJUST_ADDRESS(address, relative, header) \
++ if (address != NULL && header != NULL) { \
++ address += relative * (uintptr_t)header; \
++ }
+ /*
+ * The following functions allow you to get the actual address of a pointer
+ * without having to use an if statement to check to see if that address is
+@@ -174,7 +178,8 @@ serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
+ static inline dns_rbtnode_t *
+ getparent(dns_rbtnode_t *node, file_header_t *header) {
+ char *adjusted_address = (char *)(node->parent);
+- adjusted_address += node->parent_is_relative * (uintptr_t)header;
++
++ ADJUST_ADDRESS(adjusted_address, node->parent_is_relative, header);
+
+ return ((dns_rbtnode_t *)adjusted_address);
+ }
+@@ -182,7 +187,8 @@ getparent(dns_rbtnode_t *node, file_header_t *header) {
+ static inline dns_rbtnode_t *
+ getleft(dns_rbtnode_t *node, file_header_t *header) {
+ char *adjusted_address = (char *)(node->left);
+- adjusted_address += node->left_is_relative * (uintptr_t)header;
++
++ ADJUST_ADDRESS(adjusted_address, node->left_is_relative, header);
+
+ return ((dns_rbtnode_t *)adjusted_address);
+ }
+@@ -190,7 +196,8 @@ getleft(dns_rbtnode_t *node, file_header_t *header) {
+ static inline dns_rbtnode_t *
+ getright(dns_rbtnode_t *node, file_header_t *header) {
+ char *adjusted_address = (char *)(node->right);
+- adjusted_address += node->right_is_relative * (uintptr_t)header;
++
++ ADJUST_ADDRESS(adjusted_address, node->right_is_relative, header);
+
+ return ((dns_rbtnode_t *)adjusted_address);
+ }
+@@ -198,7 +205,8 @@ getright(dns_rbtnode_t *node, file_header_t *header) {
+ static inline dns_rbtnode_t *
+ getdown(dns_rbtnode_t *node, file_header_t *header) {
+ char *adjusted_address = (char *)(node->down);
+- adjusted_address += node->down_is_relative * (uintptr_t)header;
++
++ ADJUST_ADDRESS(adjusted_address, node->down_is_relative, header);
+
+ return ((dns_rbtnode_t *)adjusted_address);
+ }
+@@ -206,7 +214,8 @@ getdown(dns_rbtnode_t *node, file_header_t *header) {
+ static inline dns_rbtnode_t *
+ getdata(dns_rbtnode_t *node, file_header_t *header) {
+ char *adjusted_address = (char *)(node->data);
+- adjusted_address += node->data_is_relative * (uintptr_t)header;
++
++ ADJUST_ADDRESS(adjusted_address, node->data_is_relative, header);
+
+ return ((dns_rbtnode_t *)adjusted_address);
+ }
+--
+2.33.0
+
diff --git a/backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch b/backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2063c9281ad2f156e194a55810139a1a4aa67890
--- /dev/null
+++ b/backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
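Review bot: `ADJUST_ADDRESS` expands to a bare `if` block and uses its arguments unparenthesised, so an `else` written after `ADJUST_ADDRESS(...);` would bind to the macro's `if`, and an expression passed as an argument could change the arithmetic. Wrapping the body in `do { ... } while (0)` and parenthesising `address`, `relative` and `header` leaves the five call sites unchanged. The commit message speaks of 'node' being NULL, but each getter still dereferences `node` (`node->parent`, `node->left`, and so on) before the macro runs, so the check covers only the loaded pointer and `header`. The backport states the patch content is unchanged from upstream, so this would be a downstream deviation.

```c
#define ADJUST_ADDRESS(address, relative, header)                      \
	do {                                                           \
		if ((address) != NULL && (header) != NULL) {           \
			(address) += (relative) * (uintptr_t)(header); \
		}                                                      \
	} while (0)
```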
@@ -0,0 +1,33 @@
+From 466a05eaf0070f6984d50428454ab399258da5e1 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Mon, 27 Feb 2023 12:06:37 +0000
+Subject: [PATCH] Fix a cleanup bug when isc_task_create() fails in
+ dns_catz_new_zones()
+
+Use isc_mem_putanddetach() instead of isc_mem_put() to detach from the
+memory context.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/466a05eaf0070f6984d50428454ab399258da5e1
+
+(cherry picked from commit 9050481d1f3db1a007fb02ab1b186af94d2de1bc)
+---
+ lib/dns/catz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/catz.c b/lib/dns/catz.c
+index 92823a3..eb28838 100644
+--- a/lib/dns/catz.c
++++ b/lib/dns/catz.c
+@@ -661,7 +661,7 @@ cleanup_ht:
+ cleanup_refcount:
+ isc_refcount_destroy(&new_zones->refs);
+ isc_mutex_destroy(&new_zones->lock);
+- isc_mem_put(mctx, new_zones, sizeof(*new_zones));
++ isc_mem_putanddetach(&new_zones->mctx, new_zones, sizeof(*new_zones));
+
+ return (result);
+ }
+--
+2.33.0
+
diff --git a/backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch b/backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
new file mode 100644
index 0000000000000000000000000000000000000000..313b6fb410b375fcfe3553e9508fd737f1eeb5a6
--- /dev/null
+++ b/backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
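Review bot: `isc_mem_putanddetach(&new_zones->mctx, ...)` is only correct if `new_zones->mctx` has been attached before any jump to `cleanup_refcount` or the labels above it; the attach is outside this hunk, so it needs confirming on the backport target, where the context did not match upstream's exactly. A one-line comment above the call, `/* new_zones holds its own mctx reference; free and detach together. */`, would record why the plain `isc_mem_put()` was wrong. The function body starts outside the hunk.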
@@ -0,0 +1,62 @@
+From 272afcd999cb07593f5dd943e22dc1a03d42b090 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Thu, 5 Jan 2023 15:01:35 +0000
+Subject: [PATCH] Fix a use-after-free bug in dns_zonemgr_releasezone()
+
+The dns_zonemgr_releasezone() function makes a decision to destroy
+'zmgr' (based on its references count, after decreasing it) inside
+a lock, and then destroys the object outside of the lock.
+
+This causes a race with dns_zonemgr_detach(), which could destroy
+the object in the meantime.
+
+Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
+the object (if needed) using dns_zonemgr_detach(), outside of the
+lock.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/272afcd999cb07593f5dd943e22dc1a03d42b090
+
+(cherry picked from commit c1fc2122531bdd27ca38434a2632e8dac532bc13)
+---
+ lib/dns/zone.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 4b864da..bf47aa0 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -18815,8 +18815,6 @@ unlock:
+
+ void
+ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+- bool free_now = false;
+-
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+ REQUIRE(zone->zmgr == zmgr);
+@@ -18828,19 +18826,13 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+
+ zonemgr_keymgmt_delete(zmgr, zone);
+
++ /* Detach below, outside of the write lock. */
+ zone->zmgr = NULL;
+
+- if (isc_refcount_decrement(&zmgr->refs) == 1) {
+- free_now = true;
+- }
+-
+ UNLOCK_ZONE(zone);
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+- if (free_now) {
+- zonemgr_free(zmgr);
+- }
+- ENSURE(zone->zmgr == NULL);
++ dns_zonemgr_detach(&zmgr);
+ }
+
+ void
+--
+2.33.0
+
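Review bot: After this change dns_zonemgr_releasezone() can destroy `zmgr` before it returns, and the `ENSURE(zone->zmgr == NULL)` postcondition is gone, but nothing in the hunk tells callers so. I would say it at the call, `/* Drops the zone's reference; 'zmgr' may be destroyed here. */` above `dns_zonemgr_detach(&zmgr);`, and repeat it in the function's header comment so callers do not touch the manager afterwards without a reference of their own. The fix relies on dns_zonemgr_detach() performing the reference decrement and the free as one step; that function is not shown in this patch and should be checked on the backport target.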
diff --git a/backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch b/backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d0c0b8b56b2b6c9f93eac8f3b5bdbb7b996b7666
--- /dev/null
+++ b/backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
@@ -0,0 +1,62 @@
+From e4b5ca92ea33c3a08403b84f6b5260ba89206d8c Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Thu, 23 Feb 2023 15:43:51 +1100
+Subject: [PATCH] Fix backport error in
+ 84929d1cd7e1042452094ceeae969324b9df504f
+
+Not all the RETERR's in named_zone_configure where converted to
+CHECK's, as was the case in main, leading to a memory leak with
+the early returns.
+
+Conflict: The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e4b5ca92ea33c3a08403b84f6b5260ba89206d8c
+
+---
+ bin/named/zoneconf.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 8656602..8de3a88 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -1272,9 +1272,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ zone, ipkl.addrs, ipkl.dscps, ipkl.keys,
+ ipkl.count);
+ dns_ipkeylist_clear(mctx, &ipkl);
+- RETERR(result);
++ CHECK(result);
+ } else {
+- RETERR(dns_zone_setalsonotify(zone, NULL, 0));
++ CHECK(dns_zone_setalsonotify(zone, NULL, 0));
+ }
+
+ obj = NULL;
+@@ -1721,9 +1721,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ result = dns_zone_setparentals(zone, ipkl.addrs,
+ ipkl.keys, ipkl.count);
+ dns_ipkeylist_clear(mctx, &ipkl);
+- RETERR(result);
++ CHECK(result);
+ } else {
+- RETERR(dns_zone_setparentals(zone, NULL, NULL, 0));
++ CHECK(dns_zone_setparentals(zone, NULL, NULL, 0));
+ }
+ }
+
+@@ -1936,11 +1936,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ mayberaw, ipkl.addrs, ipkl.keys, ipkl.count);
+ count = ipkl.count;
+ dns_ipkeylist_clear(mctx, &ipkl);
+- RETERR(result);
++ CHECK(result);
+ } else {
+ result = dns_zone_setprimaries(mayberaw, NULL, 0);
+ }
+- RETERR(result);
++ CHECK(result);
+
+ multi = false;
+ if (count > 1) {
+--
+2.33.0
+
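Review bot: In the third hunk the `CHECK(result);` inside the `if` branch is followed straight away by a second `CHECK(result);` after the `else`, so the inner one is redundant now that both branches assign `result`; dropping it leaves a single exit point for that block. `CHECK` also needs the `cleanup:` label in named_zone_configure(), which is added by the dns_kasp_attach/dns_kasp_detach backport in this same set (that patch's zoneconf.c result blob `8656602` is this patch's base), so this patch has to be applied after that one. The function continues outside all three hunks.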
diff --git a/backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch b/backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
new file mode 100644
index 0000000000000000000000000000000000000000..033426552edb1bf647075278f17c215efd1da149
--- /dev/null
+++ b/backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
@@ -0,0 +1,32 @@
+From 1950629ffade5531d102639261a31321f8cdbb39 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Fri, 9 Dec 2022 12:41:38 +0000
+Subject: [PATCH] Fix dns_fwdtable_addfwd() error path cleanup bug
+
+Free 'sizeof(dns_forwarder_t)' bytes of memory instead of
+'sizeof(dns_sockaddr_t)' bytes, because `fwd` is a pointer
+to a 'dns_forwarder_t' type structure.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1950629ffade5531d102639261a31321f8cdbb39
+
+(cherry picked from commit 0cc1b06d98676ab66200d388c48c3cd615aa0109)
+---
+ lib/dns/forward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/forward.c b/lib/dns/forward.c
+index 53d0c5ee4e..c7c54cddce 100644
+--- a/lib/dns/forward.c
++++ b/lib/dns/forward.c
+@@ -103,7 +103,7 @@ cleanup:
+ while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+ fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+ ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+- isc_mem_put(fwdtable->mctx, fwd, sizeof(isc_sockaddr_t));
++ isc_mem_put(fwdtable->mctx, fwd, sizeof(dns_forwarder_t));
+ }
+ isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
+ return (result);
+--
+2.23.0
diff --git a/backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch b/backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
new file mode 100644
index 0000000000000000000000000000000000000000..10fb847b23659a6e0936a536934b86c45c97ebf6
--- /dev/null
+++ b/backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
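Review bot: `sizeof(dns_forwarder_t)` corrects the size but still names the type by hand, which is how the `isc_sockaddr_t` mismatch got in; `isc_mem_put(fwdtable->mctx, fwd, sizeof(*fwd));` ties the size to the pointer being released. The same applies to the `sizeof(dns_forwarders_t)` put for `forwarders` two lines further down, which could read `sizeof(*forwarders)`. The matching allocations are outside the hunk and should use the same expressions, since a put size that differs from the get size presumably upsets the memory context's accounting.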
@@ -0,0 +1,474 @@ +From b49a3a56c92c65c53561bbd5f01738689aea335f Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 21 Feb 2023 12:15:01 +1100 +Subject: [PATCH] Fix dns_kasp_attach / dns_kasp_detach usage + +The kasp pointers in dns_zone_t should consistently be changed by +dns_kasp_attach and dns_kasp_detach so the usage is balanced. + +Conflict:The content of the patch has not been changed, the patch context does not match, it is suitable for the patch +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b49a3a56c92c65c53561bbd5f01738689aea335f + +(cherry picked from commit b41882cc75c9d820c5642c88a6cd90fec32b8397) +--- + bin/named/zoneconf.c | 154 ++++++++++++++++++++++--------------------- + lib/dns/zone.c | 8 +-- + 2 files changed, 83 insertions(+), 79 deletions(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index 4691fdc..8656602 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -924,8 +924,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + maps[i] = NULL; + + if (vconfig != NULL) { +- RETERR(named_config_getclass(cfg_tuple_get(vconfig, "class"), +- dns_rdataclass_in, &vclass)); ++ CHECK(named_config_getclass(cfg_tuple_get(vconfig, "class"), ++ dns_rdataclass_in, &vclass)); + } else { + vclass = dns_rdataclass_in; + } +@@ -936,8 +936,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + + zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); + +- RETERR(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass, +- &zclass)); ++ CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass, ++ &zclass)); + dns_zone_setclass(zone, zclass); + if (raw != NULL) { + dns_zone_setclass(raw, zclass); +@@ -957,7 +957,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj)); + } + if (cpval == NULL) { +- return (ISC_R_NOMEMORY); ++ CHECK(ISC_R_NOMEMORY); + } + + obj = NULL; +@@ 
-972,7 +972,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + "zone '%s': both 'database' and 'dlz' " + "specified", + zname); +- return (ISC_R_FAILURE); ++ CHECK(ISC_R_FAILURE); + } + + len = strlen(dlzname) + 5; +@@ -983,7 +983,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + result = strtoargv(mctx, cpval, &dbargc, &dbargv); + if (result != ISC_R_SUCCESS && cpval != default_dbtype) { + isc_mem_free(mctx, cpval); +- return (result); ++ CHECK(result); + } + + /* +@@ -1012,7 +1012,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "zone '%s': 'file' not specified", zname); +- return (ISC_R_FAILURE); ++ CHECK(ISC_R_FAILURE); + } + + if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { +@@ -1051,7 +1051,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + "can only be used with " + "'masterfile-format text'", + zname); +- return (ISC_R_FAILURE); ++ CHECK(ISC_R_FAILURE); + } + + if (strcasecmp(masterstylestr, "full") == 0) { +@@ -1077,47 +1077,45 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + size_t signedlen = strlen(filename) + sizeof(SIGNED); + char *signedname; + +- RETERR(dns_zone_setfile(raw, filename, masterformat, +- masterstyle)); ++ CHECK(dns_zone_setfile(raw, filename, masterformat, ++ masterstyle)); + signedname = isc_mem_get(mctx, signedlen); + + (void)snprintf(signedname, signedlen, "%s" SIGNED, filename); + result = dns_zone_setfile(zone, signedname, + dns_masterformat_raw, NULL); + isc_mem_put(mctx, signedname, signedlen); +- if (result != ISC_R_SUCCESS) { +- return (result); +- } ++ CHECK(result); + } else { +- RETERR(dns_zone_setfile(zone, filename, masterformat, +- masterstyle)); ++ CHECK(dns_zone_setfile(zone, filename, masterformat, ++ masterstyle)); + } + + obj = NULL; + result = 
cfg_map_get(zoptions, "journal", &obj); + if (result == ISC_R_SUCCESS) { +- RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj))); ++ CHECK(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj))); + } + + /* + * Notify messages are processed by the raw zone if it exists. + */ + if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { +- RETERR(configure_zone_acl( +- zconfig, vconfig, config, allow_notify, ac, mayberaw, +- dns_zone_setnotifyacl, dns_zone_clearnotifyacl)); ++ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_notify, ++ ac, mayberaw, dns_zone_setnotifyacl, ++ dns_zone_clearnotifyacl)); + } + + /* + * XXXAG This probably does not make sense for stubs. + */ +- RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query, ac, +- zone, dns_zone_setqueryacl, +- dns_zone_clearqueryacl)); ++ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query, ac, ++ zone, dns_zone_setqueryacl, ++ dns_zone_clearqueryacl)); + +- RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac, +- zone, dns_zone_setqueryonacl, +- dns_zone_clearqueryonacl)); ++ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac, ++ zone, dns_zone_setqueryonacl, ++ dns_zone_clearqueryonacl)); + + obj = NULL; + result = named_config_get(maps, "dialup", &obj); +@@ -1176,10 +1174,10 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + rcvquerystats = NULL; + dnssecsignstats = NULL; + if (statlevel == dns_zonestat_full) { +- RETERR(isc_stats_create(mctx, &zoneqrystats, +- ns_statscounter_max)); +- RETERR(dns_rdatatypestats_create(mctx, &rcvquerystats)); +- RETERR(dns_dnssecsignstats_create(mctx, &dnssecsignstats)); ++ CHECK(isc_stats_create(mctx, &zoneqrystats, ++ ns_statscounter_max)); ++ CHECK(dns_rdatatypestats_create(mctx, &rcvquerystats)); ++ CHECK(dns_dnssecsignstats_create(mctx, &dnssecsignstats)); + } + dns_zone_setrequeststats(zone, zoneqrystats); + dns_zone_setrcvquerystats(zone, rcvquerystats); +@@ -1218,7 
+1216,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + ISC_LOG_ERROR, + "dnssec-policy '%s' not found ", + kaspname); +- RETERR(result); ++ CHECK(result); + } + dns_zone_setkasp(zone, kasp); + use_kasp = true; +@@ -1268,8 +1266,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + dns_ipkeylist_t ipkl; + dns_ipkeylist_init(&ipkl); + +- RETERR(named_config_getipandkeylist(config, "primaries", +- obj, mctx, &ipkl)); ++ CHECK(named_config_getipandkeylist(config, "primaries", ++ obj, mctx, &ipkl)); + result = dns_zone_setalsonotifydscpkeys( + zone, ipkl.addrs, ipkl.dscps, ipkl.keys, + ipkl.count); +@@ -1282,48 +1280,48 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + obj = NULL; + result = named_config_get(maps, "parental-source", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setparentalsrc4dscp(zone, dscp)); ++ CHECK(dns_zone_setparentalsrc4dscp(zone, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + + obj = NULL; + result = named_config_get(maps, "parental-source-v6", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setparentalsrc6dscp(zone, dscp)); ++ CHECK(dns_zone_setparentalsrc6dscp(zone, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + + obj = NULL; + result = named_config_get(maps, "notify-source", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj))); ++ 
CHECK(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setnotifysrc4dscp(zone, dscp)); ++ CHECK(dns_zone_setnotifysrc4dscp(zone, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + + obj = NULL; + result = named_config_get(maps, "notify-source-v6", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setnotifysrc6dscp(zone, dscp)); ++ CHECK(dns_zone_setnotifysrc6dscp(zone, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + +@@ -1335,7 +1333,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + + dns_zone_setisself(zone, isself, named_g_server->interfacemgr); + +- RETERR(configure_zone_acl( ++ CHECK(configure_zone_acl( + zconfig, vconfig, config, allow_transfer, ac, zone, + dns_zone_setxfracl, dns_zone_clearxfracl)); + +@@ -1373,7 +1371,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + "%" PRId64 "' " + "is too large", + value); +- RETERR(ISC_R_RANGE); ++ CHECK(ISC_R_RANGE); + } + journal_size = (uint32_t)value; + } +@@ -1515,7 +1513,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + "%" PRId64 "' " + "is too large", + value); +- RETERR(ISC_R_RANGE); ++ CHECK(ISC_R_RANGE); + } + journal_size = (uint32_t)value; + } +@@ -1545,9 +1543,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + if (ztype == dns_zone_primary) { + dns_acl_t *updateacl; + +- RETERR(configure_zone_acl( +- zconfig, vconfig, config, allow_update, ac, mayberaw, +- dns_zone_setupdateacl, dns_zone_clearupdateacl)); ++ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_update, ++ ac, mayberaw, 
dns_zone_setupdateacl, ++ dns_zone_clearupdateacl)); + + updateacl = dns_zone_getupdateacl(mayberaw); + if (updateacl != NULL && dns_acl_isinsecure(updateacl)) { +@@ -1558,7 +1556,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + zname); + } + +- RETERR(configure_zone_ssutable(zoptions, mayberaw, zname)); ++ CHECK(configure_zone_ssutable(zoptions, mayberaw, zname)); + } + + if (ztype == dns_zone_primary || raw != NULL) { +@@ -1631,7 +1629,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + result = named_config_get(maps, "key-directory", &obj); + if (result == ISC_R_SUCCESS) { + filename = cfg_obj_asstring(obj); +- RETERR(dns_zone_setkeydirectory(zone, filename)); ++ CHECK(dns_zone_setkeydirectory(zone, filename)); + } + + obj = NULL; +@@ -1673,8 +1671,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + result = named_config_get(maps, "dnssec-loadkeys-interval", + &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setrefreshkeyinterval(zone, +- cfg_obj_asuint32(obj))); ++ CHECK(dns_zone_setrefreshkeyinterval(zone, ++ cfg_obj_asuint32(obj))); + + obj = NULL; + result = cfg_map_get(zoptions, "auto-dnssec", &obj); +@@ -1703,10 +1701,10 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + } + + if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { +- RETERR(configure_zone_acl(zconfig, vconfig, config, +- allow_update_forwarding, ac, mayberaw, +- dns_zone_setforwardacl, +- dns_zone_clearforwardacl)); ++ CHECK(configure_zone_acl(zconfig, vconfig, config, ++ allow_update_forwarding, ac, mayberaw, ++ dns_zone_setforwardacl, ++ dns_zone_clearforwardacl)); + } + + /*% +@@ -1718,7 +1716,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + if (obj != NULL) { + dns_ipkeylist_t ipkl; + dns_ipkeylist_init(&ipkl); +- RETERR(named_config_getipandkeylist( ++ CHECK(named_config_getipandkeylist( + config, 
"parental-agents", obj, mctx, &ipkl)); + result = dns_zone_setparentals(zone, ipkl.addrs, + ipkl.keys, ipkl.count); +@@ -1901,7 +1899,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + (void)cfg_map_get(zoptions, "allow-transfer", &obj); + if (obj == NULL) { + dns_acl_t *none; +- RETERR(dns_acl_none(mctx, &none)); ++ CHECK(dns_acl_none(mctx, &none)); + dns_zone_setxfracl(zone, none); + dns_acl_detach(&none); + } +@@ -1926,14 +1924,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + result = named_config_getremotesdef( + named_g_config, "primaries", + DEFAULT_IANA_ROOT_ZONE_PRIMARIES, &obj); +- RETERR(result); ++ CHECK(result); + } + if (obj != NULL) { + dns_ipkeylist_t ipkl; + dns_ipkeylist_init(&ipkl); + +- RETERR(named_config_getipandkeylist(config, "primaries", +- obj, mctx, &ipkl)); ++ CHECK(named_config_getipandkeylist(config, "primaries", ++ obj, mctx, &ipkl)); + result = dns_zone_setprimarieswithkeys( + mayberaw, ipkl.addrs, ipkl.keys, ipkl.count); + count = ipkl.count; +@@ -1986,50 +1984,50 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + obj = NULL; + result = named_config_get(maps, "transfer-source", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setxfrsource4(mayberaw, +- cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setxfrsource4(mayberaw, ++ cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setxfrsource4dscp(mayberaw, dscp)); ++ CHECK(dns_zone_setxfrsource4dscp(mayberaw, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + + obj = NULL; + result = named_config_get(maps, "transfer-source-v6", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setxfrsource6(mayberaw, +- cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setxfrsource6(mayberaw, ++ cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { 
+ dscp = named_g_dscp; + } +- RETERR(dns_zone_setxfrsource6dscp(mayberaw, dscp)); ++ CHECK(dns_zone_setxfrsource6dscp(mayberaw, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + + obj = NULL; + result = named_config_get(maps, "alt-transfer-source", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setaltxfrsource4(mayberaw, +- cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setaltxfrsource4(mayberaw, ++ cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setaltxfrsource4dscp(mayberaw, dscp)); ++ CHECK(dns_zone_setaltxfrsource4dscp(mayberaw, dscp)); + + obj = NULL; + result = named_config_get(maps, "alt-transfer-source-v6", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); +- RETERR(dns_zone_setaltxfrsource6(mayberaw, +- cfg_obj_assockaddr(obj))); ++ CHECK(dns_zone_setaltxfrsource6(mayberaw, ++ cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } +- RETERR(dns_zone_setaltxfrsource6dscp(mayberaw, dscp)); ++ CHECK(dns_zone_setaltxfrsource6dscp(mayberaw, dscp)); + + obj = NULL; + (void)named_config_get(maps, "use-alt-transfer-source", &obj); +@@ -2057,15 +2055,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, + break; + + case dns_zone_staticstub: +- RETERR(configure_staticstub(zoptions, zone, zname, +- default_dbtype)); ++ CHECK(configure_staticstub(zoptions, zone, zname, ++ default_dbtype)); + break; + + default: + break; + } + +- return (ISC_R_SUCCESS); ++ result = ISC_R_SUCCESS; ++ ++cleanup: ++ if (kasp != NULL) { ++ dns_kasp_detach(&kasp); ++ } ++ return (result); + } + + /* +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 787a52c..6a62de0 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -5818,11 +5818,11 @@ dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) { + + LOCK_ZONE(zone); + if (zone->kasp != NULL) { +- dns_kasp_t *oldkasp = 
zone->kasp; +- zone->kasp = NULL; +- dns_kasp_detach(&oldkasp); ++ dns_kasp_detach(&zone->kasp); ++ } ++ if (kasp != NULL) { ++ dns_kasp_attach(kasp, &zone->kasp); + } +- zone->kasp = kasp; + UNLOCK_ZONE(zone); + } + +-- +2.33.0 + diff --git a/backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch b/backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch new file mode 100644 index 0000000000000000000000000000000000000000..49ab6d49528a1e38790abc97dc5b610d255a0a5f --- /dev/null +++ b/backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch 
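Review bot: dns_zone_setkasp() now takes its own reference with `dns_kasp_attach(kasp, &zone->kasp)` instead of adopting the caller's pointer, which changes the ownership contract: every caller now has to detach its own reference, as named_zone_configure() does at the new `cleanup:` label. Only zoneconf.c is updated in this patch, so any other caller of dns_zone_setkasp() on the backport target should be checked for a leaked reference. The function also detaches `zone->kasp` before it attaches `kasp`; if a caller ever passes the zone's current policy without holding a reference of its own, the detach could release the object first, so attaching before detaching (or returning early when `kasp == zone->kasp`) is the safer order. A comment on the function, `/* Attaches to 'kasp'; the caller keeps its own reference. */`, would document the new contract.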
@@ -0,0 +1,90 @@
+From 2fba2822067cd54ce8f30bf5b7c07076fc99368c Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Wed, 1 Mar 2023 12:30:46 +0000
+Subject: [PATCH] Fix view's zones reverting bug during reconfiguration
+
+During reconfiguration, the configure_view() function reverts the
+configured zones to the previous view in case if there is an error.
+
+It uses the 'zones_configured' boolean variable to decide whether
+it is required to revert the zones, i.e. the error happened after
+all the zones were successfully configured.
+
+The problem is that it does not account for the case when an error
+happens during the configuration of one of the zones (not the first),
+in which case there are zones that are already configured for the
+new view (and they need to be reverted), and there are zones that
+are not (starting from the failed one).
+
+Since 'zones_configured' remains 'false', the configured zones are
+not reverted.
+
+Replace the 'zones_configured' variable with a pointer to the latest
+successfully configured zone configuration element, and when reverting,
+revert up to and including that zone.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2fba2822067cd54ce8f30bf5b7c07076fc99368c
+
+(cherry picked from commit 84c235a4b0477a34c0ac2054af98b39efc5b0df5)
+---
+ bin/named/server.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 4ab75044f6..6695fb6286 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -3979,7 +3979,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+ const cfg_obj_t *dyndb_list, *plugin_list;
+ const cfg_obj_t *disabled;
+ const cfg_obj_t *obj, *obj2;
+- const cfg_listelt_t *element;
++ const cfg_listelt_t *element = NULL;
++ const cfg_listelt_t *zone_element_latest = NULL;
+ in_port_t port;
+ dns_cache_t *cache = NULL;
+ isc_result_t result;
+@@ -3996,7 +3997,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+ dns_dispatch_t *dispatch6 = NULL;
+ bool rpz_configured = false;
+ bool catz_configured = false;
+- bool zones_configured = false;
+ bool reused_cache = false;
+ bool shared_cache = false;
+ int i = 0, j = 0, k = 0;
+@@ -4100,8 +4100,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+ CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
+ viewlist, kasplist, actx, false,
+ old_rpz_ok, false));
++ zone_element_latest = element;
+ }
+- zones_configured = true;
+
+ /*
+ * Check that a master or slave zone was found for each
+@@ -5907,7 +5907,7 @@ cleanup:
+ dns_view_detach(&pview);
+ }
+
+- if (zones_configured) {
++ if (zone_element_latest != NULL) {
+ for (element = cfg_list_first(zonelist);
+ element != NULL; element = cfg_list_next(element))
+ {
+@@ -5915,6 +5915,13 @@ cleanup:
+ cfg_listelt_value(element);
+ configure_zone_setviewcommit(result, zconfig,
+ view);
++ if (element == zone_element_latest) {
++ /*
++ * This was the latest element that was
++ * successfully configured earlier.
++ */
++ break;
++ }
+ }
+ }
+ }
+--
+2.23.0
diff --git a/backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch b/backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b70a8194d5d392175e34623ca1b9645bb60ac100
--- /dev/null
+++ b/backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
@@ -0,0 +1,27 @@
+From d0c92a31a997d8c2fa48dd3a2ed90b11e54cfabf Mon Sep 17 00:00:00 2001
+From: Mark Andrews
+Date: Fri, 17 Feb 2023 11:44:45 +1100
+Subject: [PATCH] In hmac_createctx free ctx on isc_hmac_init failure
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d0c92a31a997d8c2fa48dd3a2ed90b11e54cfabf
+
+(cherry picked from commit d22257a370c69060e17a466db7698c96e23526b5)
+---
+ lib/dns/hmac_link.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
+index d839f1123b..2872ff2c89 100644
+--- a/lib/dns/hmac_link.c
++++ b/lib/dns/hmac_link.c
+@@ -170,6 +170,7 @@ hmac_createctx(const isc_md_type_t *type, const dst_key_t *key,
+ result = isc_hmac_init(ctx, hkey->key, isc_md_type_get_block_size(type),
+ type);
+ if (result != ISC_R_SUCCESS) {
++ isc_hmac_free(ctx);
+ return (DST_R_UNSUPPORTEDALG);
+ }
+
+--
+2.23.0
diff --git a/backport-Searching-catzs-zones-requires-a-read-lock.patch b/backport-Searching-catzs-zones-requires-a-read-lock.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7f1b2e247932a5d86c6175caf80fa3113e426b62
--- /dev/null
+++ b/backport-Searching-catzs-zones-requires-a-read-lock.patch
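Review bot: The declaration of `zone_element_latest` in configure_view() has no comment, yet the revert loop in the `cleanup:` hunks depends on its exact meaning: it must point into the same `zonelist` the loop walks, and stay NULL when no zone was configured. I would document that at the declaration, e.g. `/* Last element of zonelist for which configure_zone() succeeded; NULL if none. */`. The element whose configure_zone() call failed is never passed to configure_zone_setviewcommit(); whether a failed call can leave partial view state behind is not visible in these hunks and is worth confirming. configure_view() starts and ends outside the hunks.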
@@ -0,0 +1,33 @@
+From 79ee7353ad5eda781c4f9d2297ddff32682731d6 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Fri, 27 Jan 2023 18:04:41 +0000
+Subject: [PATCH] Searching catzs->zones requires a read lock
+
+Lock the catzs->lock mutex before searching in the catzs->zones
+hash table.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/79ee7353ad5eda781c4f9d2297ddff32682731d6
+
+(cherry picked from commit 0ef0c86632c838c3f342fe1c6d8cdef1b327cde6)
+---
+ lib/dns/catz.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/dns/catz.c b/lib/dns/catz.c
+index 9a9ecd0dc9..eef688a1d0 100644
+--- a/lib/dns/catz.c
++++ b/lib/dns/catz.c
+@@ -752,8 +752,10 @@ dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name) {
+ REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
+ REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+
++ LOCK(&catzs->lock);
+ result = isc_ht_find(catzs->zones, name->ndata, name->length,
+ (void **)&found);
++ UNLOCK(&catzs->lock);
+ if (result != ISC_R_SUCCESS) {
+ return (NULL);
+ }
+--
+2.23.0
diff --git a/backport-delay-trust-anchor-management-until-zones-are-loaded.patch b/backport-delay-trust-anchor-management-until-zones-are-loaded.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d8297f29fc09a35e090ead16776c4e754dfdd0ba
--- /dev/null
+++ b/backport-delay-trust-anchor-management-until-zones-are-loaded.patch
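Review bot: The lock added in dns_catz_get_zone() covers only the isc_ht_find() call; `found` is handed back after `UNLOCK(&catzs->lock)` with no reference taken in the hunk, so the caller may still be using the zone while another thread removes it from catzs->zones. Whether callers are otherwise serialized or hold their own reference is not visible here and should be confirmed. If the contract is that the caller guarantees the lifetime, I would state it above the function: `/* The returned zone is not referenced; the caller must ensure it cannot be removed from catzs->zones while in use. */`. The tail of the function lies outside the hunk.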
@@ -0,0 +1,103 @@
+From aca10608b64b161bc9e4b03f0f70b9a5f07ed08f Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Fri, 27 Jan 2023 14:43:11 -0800
+Subject: [PATCH] delay trust anchor management until zones are loaded
+
+it was possible for a managed trust anchor needing to send a key
+refresh query to be unable to do so because an authoritative zone
+was not yet loaded. this has been corrected by delaying the
+synchronization of managed-keys zones until after all zones are
+loaded.
+
+Conflict: NA
+Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/aca10608b64b161bc9e4b03f0f70b9a5f07ed08f
+
+(cherry picked from commit bafbbd24653dc80a29ebd4e0569f77166123c3d1)
+---
+ bin/named/server.c | 23 +++++++++++++++++++++++
+ lib/dns/zone.c | 15 ++-------------
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index ed0ee59552..a23c4ed107 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -9658,6 +9658,7 @@ view_loaded(void *arg) {
+ if (isc_refcount_decrement(&zl->refs) == 1) {
+ named_server_t *server = zl->server;
+ bool reconfig = zl->reconfig;
++ dns_view_t *view = NULL;
+
+ isc_refcount_destroy(&zl->refs);
+ isc_mem_put(server->mctx, zl, sizeof(*zl));
+@@ -9678,6 +9679,28 @@ view_loaded(void *arg) {
+ "all zones loaded");
+ }
+
++ for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
++ view = ISC_LIST_NEXT(view, link))
++ {
++ if (view->managed_keys != NULL) {
++ result = dns_zone_synckeyzone(
++ view->managed_keys);
++ if (result != ISC_R_SUCCESS) {
++ isc_log_write(
++ named_g_lctx,
++ DNS_LOGCATEGORY_DNSSEC,
++ DNS_LOGMODULE_DNSSEC,
++ ISC_LOG_ERROR,
++ "failed to initialize "
++ "managed-keys for view %s "
++ "(%s): DNSSEC validation is "
++ "at risk",
++ view->name,
++ isc_result_totext(result));
++ }
++ }
++ }
++
+ CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
+ "forcing zone maintenance");
+
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index c418be5da4..a2fe9f6d24 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -4730,8 +4730,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
+ }
+
+ failure:
+- if (result != ISC_R_SUCCESS && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+- {
++ if (result != ISC_R_SUCCESS) {
+ dnssec_log(zone, ISC_LOG_ERROR,
+ "unable to synchronize managed keys: %s",
+ dns_result_totext(result));
+@@ -5196,10 +5195,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
+ break;
+
+ case dns_zone_key:
+- result = sync_keyzone(zone, db);
+- if (result != ISC_R_SUCCESS) {
+- goto cleanup;
+- }
++ /* Nothing needs to be done now */
+ break;
+
+ default:
+@@ -5357,13 +5353,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
+ goto done;
+
+ cleanup:
+- if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
+- dnssec_log(zone, ISC_LOG_ERROR,
+- "failed to initialize managed-keys (%s): "
+- "DNSSEC validation is at risk",
+- isc_result_totext(result));
+- }
+-
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_rpz_disable_db(zone, db);
+ dns_zone_catz_disable_db(zone, db);
+--
+2.23.0
diff --git a/bind-9.11-fips-disable.patch b/bind-9.11-fips-disable.patch
deleted file mode 100644
index c01d914d34dd024bb83117284294189b2eb7e82f..0000000000000000000000000000000000000000
--- a/bind-9.11-fips-disable.patch
+++ /dev/null
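Review bot: The replacement comment in zone_postload(), `/* Nothing needs to be done now */`, does not say where the work went; I would write `/* Managed keys are synchronized from view_loaded() once all zones are loaded. */`. With this change a sync failure no longer takes the `goto cleanup` path here: in the view_loaded() hunk a failing dns_zone_synckeyzone() is only logged at ISC_LOG_ERROR and startup continues, so the "DNSSEC validation is at risk" message is the only signal and is worth alerting on. Whether server->viewlist can change while that loop walks it is not visible in the hunk. Both functions start and end outside the hunks.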
@@ -1,65 +0,0 @@ -From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Mon, 5 Aug 2019 11:54:03 +0200 -Subject: [PATCH] Allow explicit disabling of autodisabled MD5 - -Default security policy might include explicitly disabled RSAMD5 -algorithm. Current FIPS code automatically disables in FIPS mode. But if -RSAMD5 is included in security policy, it fails to start, because that -algorithm is not recognized. Allow it disabled, but fail on any -other usage. ---- - bin/named/server.c | 4 ++-- - lib/bind9/check.c | 4 ++++ - lib/dns/rcode.c | 1 + - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/bin/named/server.c b/bin/named/server.c -index ee23f10..22a5c01 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { - r.length = strlen(r.base); - - result = dns_secalg_fromtext(&alg, &r); -- if (result != ISC_R_SUCCESS) { -+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { - uint8_t ui; - result = isc_parse_uint8(&ui, r.base, 10); - alg = ui; - } -- if (result != ISC_R_SUCCESS) { -+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) { - cfg_obj_log(cfg_listelt_value(element), named_g_lctx, - ISC_LOG_ERROR, "invalid algorithm"); - CHECK(result); -diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index f49a346..dbf9ddb 100644 ---- a/lib/bind9/check.c -+++ b/lib/bind9/check.c -@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) { - r.length = strlen(r.base); - - tresult = dns_secalg_fromtext(&alg, &r); -+ if (tresult == ISC_R_DISABLED) { -+ // Recognize disabled algorithms, disable it explicitly -+ tresult = ISC_R_SUCCESS; -+ } - if (tresult != ISC_R_SUCCESS) { - cfg_obj_log(cfg_listelt_value(element), logctx, - ISC_LOG_ERROR, "invalid algorithm '%s'", -diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c -index 327248e..78adf63 100644 ---- a/lib/dns/rcode.c -+++ 
b/lib/dns/rcode.c -@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES }; - static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES }; - static struct tbl certs[] = { CERTNAMES }; - static struct tbl secalgs[] = { SECALGNAMES }; -+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES }; - static struct tbl secprotos[] = { SECPROTONAMES }; - static struct tbl hashalgs[] = { HASHALGNAMES }; - static struct tbl dsdigests[] = { DSDIGESTNAMES }; --- -2.21.1 - diff --git a/bind-9.14-json-c.patch b/bind-9.14-json-c.patch deleted file mode 100644 index 870b46bdce1d4473bdb34f52f79755058f30f161..0000000000000000000000000000000000000000 --- a/bind-9.14-json-c.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 0698eb93f6e618d2882ae2c8758c5fa87524bea6 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Tue, 23 Jul 2019 12:10:39 +0200 -Subject: [PATCH] Allow explicitly using json-c but not libjson - -Separate detection of json support. Allows explicit use of json-c when -jsoncpp package is found. Have to use --without-libjson --with-json-c. ---- - configure.ac | 52 +++++++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 41 insertions(+), 11 deletions(-) - -diff --git a/configure.ac b/configure.ac -index f7978e4..40b4f9f 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1331,7 +1331,6 @@ AC_ARG_WITH(libjson, - use_libjson="$withval", use_libjson="auto") - - have_libjson="" --have_libjson_c="" - case "$use_libjson" in - no) - libjson_libs="" -@@ -1347,7 +1346,43 @@ case "$use_libjson" in - LIBS="$LIBS -L${d}/lib" - fi - have_libjson="yes" -- elif test -f "${d}/include/json-c/json.h" -+ fi -+ done -+ ;; -+ *) -+ if test -f "${use_libjson}/include/json/json.h" -+ then -+ libjson_cflags="-I${use_libjson}/include" -+ LIBS="$LIBS -L${use_libjson}/lib" -+ have_libjson="yes" -+ else -+ AC_MSG_ERROR([$use_libjson/include/json/json.h not found.]) -+ fi -+ ;; -+esac -+ -+# -+# was --with-json-c specified? 
-+# -+AC_ARG_WITH(json-c, -+ AS_HELP_STRING([--with-json-c[=PATH]], -+ [build with json-c library [yes|no|path]]), -+ use_json_c="$withval", use_json_c="$use_libjson") -+ -+if test "X${have_libjson}" != "X" -+then -+ # Do not use if libjson were found -+ use_json_c=no -+fi -+ -+have_libjson_c="" -+case "$use_json_c" in -+ no) -+ ;; -+ auto|yes) -+ for d in /usr /usr/local /opt/local -+ do -+ if test -f "${d}/include/json-c/json.h" - then - if test ${d} != /usr - then -@@ -1360,19 +1395,14 @@ case "$use_libjson" in - done - ;; - *) -- if test -f "${use_libjson}/include/json/json.h" -- then -- libjson_cflags="-I${use_libjson}/include" -- LIBS="$LIBS -L${use_libjson}/lib" -- have_libjson="yes" -- elif test -f "${use_libjson}/include/json-c/json.h" -+ if test -f "${use_json_c}/include/json-c/json.h" - then -- libjson_cflags="-I${use_libjson}/include" -- LIBS="$LIBS -L${use_libjson}/lib" -+ libjson_cflags="-I${use_json_c}/include" -+ LIBS="$LIBS -L${use_json_c}/lib" - have_libjson="yes" - have_libjson_c="yes" - else -- AC_MSG_ERROR([$use_libjson/include/json{,-c}/json.h not found.]) -+ AC_MSG_ERROR([$use_json_c/include/json-c/json.h not found.]) - fi - ;; - esac --- -2.20.1 - diff --git a/bind.spec b/bind.spec index 10d032749c57dde89ef16d7be21bcd04eab32f5a..fd23630b0ca968ac63536a73904a20eefe1294ed 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 16 +Release: 17 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
@@ -191,6 +191,20 @@ Patch6109:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.pat Patch6110:backport-Release-unused-key-file-IO-lock-objects.patch Patch6111:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch +Patch6112:backport-Don-t-perform-arithmetic-on-NULL-pointers.patch +Patch6113:backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch +Patch6114:backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch +Patch6115:backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch +Patch6116:backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch +Patch6117:backport-Detach-the-zone-views-outside-of-the-zone-lock.patch +Patch6118:backport-delay-trust-anchor-management-until-zones-are-loaded.patch +Patch6119:backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch +Patch6120:backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch +Patch6121:backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch +Patch6122:backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch +Patch6123:backport-Searching-catzs-zones-requires-a-read-lock.patch +Patch6124:backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch + Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} 
@@ -1199,6 +1213,24 @@ fi; %endif %changelog +* Tue Apr 11 2023 zhanghao - 32:9.16.23-17 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: Don't perform arithmetic on NULL pointers +Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24 +Fix a use-after-free bug in dns_zonemgr_releasezone() +Fix dns_fwdtable_addfwd() error path cleanup bug +Detach the views in zone_shutdown(), not in zone_free() +Detach the zone views outside of the zone lock +delay trust anchor management until zones are loaded +In hmac_createctx free ctx on isc_hmac_init failure +Fix dns_kasp_attach / dns_kasp_detach usage +Fix backport error in 84929d1c +Fix a cleanup bug when isc_task_create() fails in dns_catz_new_zones() +Searching catzs->zones requires a read lock +Fix view's zones reverting bug during reconfiguration + * Sat Feb 25 2023 zhanghao - 32:9.16.23-16 - Type:bugfix - CVE:NA diff --git a/bind97-exportlib.patch b/bind97-exportlib.patch deleted file mode 100644 index 4468ef526f9821004a3b1f3839c0090936b5253b..0000000000000000000000000000000000000000 --- a/bind97-exportlib.patch +++ /dev/null 
@@ -1,226 +0,0 @@ -diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in -diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in ---- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200 -@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_ - - CWARNINGS = - --ISCLIBS = ../isc/libisc.@A@ -+ISCLIBS = ../isc/libisc-export.@A@ - --ISCDEPLIBS = ../isc/libisc.@A@ -+ISCDEPLIBS = ../isc/libisc-export.@A@ - - LIBS = @LIBS@ - -@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} - --timestamp: libdns.@A@ -+timestamp: libdns-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-export.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - -diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in ---- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200 -@@ -43,9 +43,9 @@ SRCS = context.c \ - 
gai_sterror.c getaddrinfo.c getnameinfo.c \ - resconf.c - --ISCLIBS = ../isc/libisc.@A@ --DNSLIBS = ../dns/libdns.@A@ --ISCCFGLIBS = ../isccfg/libisccfg.@A@ -+ISCLIBS = ../isc/libisc-export.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ -+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ - - LIBS = @LIBS@ - -@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libirs.@SA@: ${OBJS} version.@O@ -+libirs-export.@SA@: ${OBJS} version.@O@ - ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@ - ${RANLIB} $@ - --libirs.la: ${OBJS} version.@O@ -+libirs-export.la: ${OBJS} version.@O@ - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} - --timestamp: libirs.@A@ -+timestamp: libirs-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libirs.@A@ libirs.la timestamp -+ rm -f libirs-export.@A@ libirs-export.la timestamp -diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in ---- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200 -@@ -30,11 +30,11 @@ CINCLUDES = -I. 
${DNS_INCLUDES} -I${expo - CDEFINES = - CWARNINGS = - --ISCLIBS = ../isc/libisc.@A@ --DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../isc/libisc-export.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ - - ISCDEPLIBS = ../../lib/isc/libisc.@A@ --ISCCFGDEPLIBS = libisccfg.@A@ -+ISCCFGDEPLIBS = libisccfg-export.@A@ - - LIBS = @LIBS@ - -@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisccfg.@SA@: ${OBJS} -+libisccfg-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisccfg.la: ${OBJS} -+libisccfg-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS} - --timestamp: libisccfg.@A@ -+timestamp: libisccfg-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libisccfg.@A@ timestamp -+ rm -f libisccfg-export.@A@ timestamp -diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in ---- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200 -@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \ - - LIBS = @LIBS@ - -+# Note: the order of SUBDIRS is important. -+# Attempt to disable parallel processing. 
-+.NOTPARALLEL: -+.NO_PARALLEL: - SUBDIRS = include unix nls @ISC_THREAD_DIR@ - TARGETS = timestamp - -@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisc.@SA@: ${OBJS} -+libisc-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisc.la: ${OBJS} -+libisc-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} - --timestamp: libisc.@A@ -+timestamp: libisc-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \ - ${DESTDIR}${export_libdir} - - clean distclean:: -- rm -f libisc.@A@ libisc.la timestamp -+ rm -f libisc-export.@A@ libisc-export.la timestamp -diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in ---- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 -+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200 -@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns - CDEFINES = - CWARNINGS = - --DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ --ISCLIBS = ../isc/libisc.@A@ --ISCCFGLIBS = ../isccfg/libisccfg.@A@ --IRSLIBS = ../irs/libirs.@A@ -+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ -+ISCLIBS = ../isc/libisc-export.@A@ -+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ -+IRSLIBS = ../irs/libirs-export.@A@ - --DNSDEPLIBS = ../dns/libdns.@A@ --ISCDEPLIBS = ../isc/libisc.@A@ --ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@ --IRSDEPLIBS = ../irs/libirs.@A@ -+DNSDEPLIBS = ../dns/libdns-export.@A@ -+ISCDEPLIBS = ../isc/libisc-export.@A@ -+ISCCFGDEPLIBS = 
../isccfg/libisccfg-export.@A@ -+IRSDEPLIBS = ../irs/libirs-export.@A@ - - DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} -