Sync from SUSE:SLFO:1.1 bind revision 5611014a1cd1e4302729c582d8f43f18

2025-04-15 16:46:05 +02:00
11 changed files with 39 additions and 509 deletions
--- a/15
+++ b/15
@@ -1,15 +0,0 @@
 <services>
  <service name="obs_scm" mode="manual">
    <param name="scm">git</param>
    <param name="url">https://gitlab.isc.org/isc-projects/dlz-modules.git</param>
    <param name="revision">main</param>
    <param name="versionformat">%h</param>
    <param name="filename">dlz-modules</param>
    <param name="package-meta">yes</param>
  </service>
  <service name="tar" mode="buildtime"/>
  <service name="recompress" mode="buildtime">
    <param name="file">*.tar</param>
    <param name="compression">gz</param>
  </service>
 </services>
--- a/bind-9.20.0.tar.xz
+++ b/bind-9.20.0.tar.xz
--- a/bind-9.20.0.tar.xz.asc
+++ b/bind-9.20.0.tar.xz.asc
@@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmaNMyYACgkQUQpkKgbF
 LOzwnBAAgICQ7MC0rkXZxD/8X3vatdpDZ4MkUvkhOR+J4kkKWBuSqZJQvuWA8XeS
 /rycCHWFeUf3V9Wj6XbCPa1l4eV5rAnSVJtHHoDoK9Tt/1H6HCd0v2b270a9q1pU
 ra5Jdi/ZP76iRYAAse8FpRymMcjEk/aXnnnOsCACOY8MNvxC83mmrciPJJxloEBy
 9zGPGzkvnYTM1H/qSR0GrUsGLtzKPiXbvtsRo9jI3f8kL9Tdxw9IlmH0OY14L26L
 QKgaFC4Sa3J2PmELLCORtvUEDeKi9FAG9+6ua3h7ork2n/cARmOhvmZ8FFgLlB1e
 7GSWCMujw+h44vNJrz1w14Bm1sN3k9PgY34i7ter/WA6ZTFDIWyhQh5tHrbjsdyv
 DTlE8EvVNIg4fYMCew57yedXqzWO6bavwFlsiPyjXyG9+k9xSeQEYuuLGismF3gQ
 AGXPyUUAiqhnyQd1uCf8qK5sgkH39+g5TRFl5oSvZavOAr/GtzsNhAo5Ii5ia8qL
 mUVESk+Jyl4/rKJAAMwWtdl8mk8RYx1BF0XAG/mnvC81HBcuiu5aRBa5N3p8Kg+W
 cUMPOjDhXn90pxEcD1MSg6nH1P0sVVOYWaQvJ1FtzKUp7JKNJus0yjgQarF5VI/l
 7VSUi36dGSlDyM4EvspS/KAnItErzA8Vn40R9x8qbmzjD1Ka5LU=
 =wneo
 -----END PGP SIGNATURE-----
--- a/bind-9.20.5.tar.xz
+++ b/bind-9.20.5.tar.xz
--- a/bind-9.20.5.tar.xz.asc
+++ b/bind-9.20.5.tar.xz.asc
@@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEE2ZzOr4eXRwFPA41jGC4jV5Ri76oFAmePY/EACgkQGC4jV5Ri
 76ooCg/+OByGJ88fMah4PitzldOXKmOaxeCb3G2S3vuWr50jDe57nsjhEceKbZG+
 1o3op3DmC+PvZNJo1ax/cvPBZeVo1WLFigX8Lt+wLZlttq9mSvx37V9AZCW1K3xc
 H67lOXm09Ar2a4PuTR9ReVSx8alcJ+TvBKqZyEHsEaNX+RSYPQEJwdiQifW2uaqI
 3Mq8pYZprY/Us3gbITfHK+/+pcUdD1XgnVraVrLSPSjRVK16JEWhRXl5RWZ0nacM
 JzHNA4IJ0IKLLLIKTxS1e+4cB7jThglufAKHaj0hzaa/34Mwa+T+tRLR4Y8efisc
 re75OHt1Jt2uh34nD8x5454R41fAiufPcEwGWwBAiJiWg59rRlFh40EQ0WLvAGk3
 uKHS+cE7Sd6h6wklPdlmfl9wDiPx/ufk2MljqA3fnVhAftvKrUXrqEnxw4+SxRXe
 UJGPY4G1FxQ2CrHqIaDliwIwUOUWalroGmSvSOCWszjwMv/WyXJVKvpJjzlPp1a4
 yDqPJqTfighdpAcm62f2mgPltVSp9qEN5vGeNrec6WJHcw6vQIUfwzfGi9gMrzBr
 kqs22sHo7d4dXv3rs6iCmWhQhM0lcJkkLcWypaS7cmkJWNCBLvU994eV1bNe+4Xn
 YYB6Ov0j9Cdus12jjqHn+5vmxQ5N1GIlpuCxbEOaSEvJD+QHleQ=
 =lBqR
 -----END PGP SIGNATURE-----
--- a/bind.changes
+++ b/bind.changes
@@ -1,444 +1,3 @@
 -------------------------------------------------------------------
 Thu Jan 30 11:44:58 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Upgrade to release 9.20.5
  Security Fixes:
  * DNS-over-HTTPS flooding fixes.
    Fix DNS-over-HTTPS implementation issues that arise under heavy
    query load. Optimize resource usage for named instances that
    accept queries over DNS-over-HTTPS.
    Previously, named processed all incoming HTTP/2 data at once,
    which could overwhelm the server, especially when dealing with
    clients that sent requests but did not wait for responses. That
    has been fixed. Now, named handles HTTP/2 data in smaller
    chunks and throttles reading until the remote side reads the
    response data. It also throttles clients that send too many
    requests at once.
    In addition, named now evaluates excessive streams opened by
    clients that include no DNS data, which is considered
    “flooding.” It logs these clients and drops connections from
    them.
    In some cases, named could leave DNS-over-HTTPS connections in
    the CLOSE_WAIT state indefinitely. That has also been fixed.
    (CVE-2024-12705)
    [bsc#1236597]
  * Limit additional section processing for large RDATA sets.
    When answering queries, don’t add data to the additional
    section if the answer has more than 13 names in the RDATA. This
    limits the number of lookups into the database(s) during a
    single client query, reducing the query-processing load.
    (CVE-2024-11187)
    [bsc#1236596]
  New Features:
  * Add Extended DNS Error Code 22 - No Reachable Authority.
    When the resolver is trying to query an authoritative server
    and eventually times out, a SERVFAIL answer is given to the
    client. Add the Extended DNS Error Code 22 - No Reachable
    Authority to the response.
  * Add a new option to configure the maximum number of outgoing
    queries per client request.
    The configuration option max-query-count sets how many outgoing
    queries per client request are allowed. The existing
    max-recursion-queries value is the number of permissible
    queries for a single name and is reset on every CNAME
    redirection. This new option is a global limit on the client
    request. The default is 200.
    The default for max-recursion-queries is changed from 32 to 50.
    This allows named to send a few more queries while looking up a
    single name.
  * Use the Server Name Indication (SNI) extension for all outgoing
    TLS connections.
    This improves compatibility with other DNS server software.
  Feature Changes:
  * Performance optimization for NSEC3 lookups introduced in BIND
    9.20.2 was reverted to avoid risks associated with a complex
    code change.
  * The configuration clauses parental-agents and primaries are
    renamed to remote-servers.
    The top blocks primaries and parental-agents are no longer
    preferred and should be renamed to remote-servers. The zone
    statements parental-agents and primaries are still used, and
    may refer to any remote-servers top block.
  * Add none parameter to query-source and query-source-v6 to
    disable IPv4 or IPv6 upstream queries but allow listening to
    queries from clients on IPv4 or IPv6.
  Bug Fixes:
  * Fix nsupdate hang when processing a large update.
    To mitigate DNS flood attacks over a single TCP connection,
    throttle the connection when the other side does not read the
    data. Throttling should only occur on server-side sockets, but
    erroneously also happened for nsupdate, which acts as a client.
    When nsupdate started throttling the connection, it never
    attempted to read again. This has been fixed.
  * Fix possible assertion failure when reloading server while
    processing update policy rules.
  * Preserve cache across reconfig when using attach-cache.
    When the attach-cache option is used in the options block with
    an arbitrary name, it causes all views to use the same cache.
    Previously, this configuration caused the cache to be deleted
    and a new cache to be created every time the server was
    reconfigured. This has been fixed.
  * Resolve the spurious drops in performance due to glue cache.
    For performance reasons, the returned glue records are cached
    on the first use. The current implementation could randomly
    cause a performance drop and increased memory use. This has
    been fixed.
  * Fix dnssec-signzone signing non-DNSKEY RRsets with revoked
    keys.
    dnssec-signzone was using revoked keys for signing RRsets other
    than DNSKEY. This has been corrected.
  * Fix improper handling of unknown directives in resolv.conf.
    The line after an unknown directive in resolv.conf could
    accidentally be skipped, potentially affecting dig, host,
    nslookup, nsupdate, or delv. This has been fixed.
  * Fix response policy zones and catalog zones with an $INCLUDE
    statement defined.
    Response policy zones (RPZ) and catalog zones were not working
    correctly if they had an $INCLUDE statement defined. This has
    been fixed
 - Remove desktop file and BuildRequires: update-desktop-files
 -------------------------------------------------------------------
 Tue Jan 21 00:37:45 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>
 - Explicitly BuildRequire sphinx_rtd_theme. 
 -------------------------------------------------------------------
 Thu Dec 12 12:38:04 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Add new dlz-modules source
 - Update to release 9.20.4
  New Features:
  * Update built-in bind.keys file with the new 2025 IANA root key.
  * Add an initial-ds entry to bind.keys for the new root key, ID
    38696, which is scheduled for publication in January 2025.
  Removed Features:
  * Move contributed DLZ modules into a separate repository. DLZ
    modules should not be used except in testing.
  * The DLZ modules were not maintained, the DLZ interface itself
    is going to be scheduled for removal, and the DLZ interface is
    blocking. Any module that blocks the query to the database
    blocks the whole server.
  * The DLZ modules now live in
    https://gitlab.isc.org/isc-projects/dlz-modules repository.
  Feature Changes:
  * dnssec-ksr now supports KSK rollovers.
  * The tool now allows for KSK generation, as well as planned KSK
    rollovers. When signing a bundle from a Key Signing Request
    (KSR), only the key that is active in that time frame is used
    for signing. Also, the CDS and CDNSKEY records are now added
    and removed at the correct time.
  * Print RFC 7314: EXPIRE option in transfer summary.
  * Emit more helpful log messages for exceeding
    max-records-per-type.
  * The new log message is emitted when adding or updating an RRset
    fails due to exceeding the max-records-per-type limit. The log
    includes the owner name and type, corresponding zone name, and
    the limit value. It will be emitted on loading a zone file,
    inbound zone transfer (both AXFR and IXFR), handling a DDNS
    update, or updating a cache DB. It’s especially helpful in the
    case of zone transfer, since the secondary side doesn’t have
    direct access to the offending zone data.
  * It could also be used for max-types-per-name, but this change
    doesn’t implement it yet as it’s much less likely to happen in
    practice.
  * Harden key management when key files have become unavailable.
  * Prior to doing key management, BIND 9 will check if the key
    files on disk match the expected keys. If key files for
    previously observed keys have become unavailable, this will
    prevent the internal key manager from running.
  Bug Fixes:
  * Use TLS for notifies if configured to do so.
  * Notifies configured to use TLS will now be sent over TLS,
    instead of plain text UDP or TCP. Also, failing to load the TLS
    configuration for notify now results in an error.
  * {&dns} is as valid as {?dns} in a SVCB’s dohpath.
  * dig failed to parse a valid SVCB record with a dohpath URI
    template containing a {&dns}, like
    dohpath=/some/path?key=value{&dns}”.
  * Fix NSEC3 closest encloser lookup for names with empty
    non-terminals.
  * A previous performance optimization for finding the NSEC3
    closest encloser when generating authoritative responses could
    cause servers to return incorrect NSEC3 records in some cases.
    This has been fixed.
  * recursive-clients statement with value 0 triggered an assertion
    failure.
  * BIND 9.20.0 broke recursive-clients 0;. This has now been
    fixed.
  * Parsing of hostnames in rndc.conf was broken.
  * When DSCP support was removed, parsing of hostnames in
    rndc.conf was accidentally broken, resulting in an assertion
    failure. This has been fixed.
  * dig options of the form [+-]option=<value> failed to display
    the value on the printed command line. This has been fixed.
  * Provide more visibility into TLS configuration errors by
    logging SSL_CTX_use_certificate_chain_file() and
    SSL_CTX_use_PrivateKey_file() errors individually.
  * Fix a race condition when canceling ADB find which could cause
    an assertion failure.
  * SERVFAIL cache memory cleaning is now more aggressive; it no
    longer consumes a lot of memory if the server encounters many
    SERVFAILs at once.
  * Fix trying the next primary XoT server when the previous one
    was marked as unreachable.
  * In some cases named failed to try the next primary server in
    the primaries list when the previous one was marked as
    unreachable. This has been fixed.
 -------------------------------------------------------------------
 Thu Dec 12 09:54:08 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
 - update root hints file to 2024-11-20 version (boo#1234406)
 -------------------------------------------------------------------
 Mon Oct 21 08:42:47 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Update to release 9.20.3
  New Features:
  * Log query response status to the query log.
  * Log a query response summary using the new responses category.
    Logging can be controlled via the responselog option and via
    rndc responselog.
  * Added WALLET type.
  * Add the new record type WALLET (262). This provides a mapping
    from a domain name to a cryptographic currency wallet. Multiple
    mappings can exist if multiple records exist.
  Feature Changes:
  * Set logging category for notify/xfer-in-related messages.
  * Some notify and xfer-in-related log messages were logged at the
    “general” category level instead of their own category. This
    has been fixed.
  * Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
  * This change allows fallback from an IXFR failure to AXFR when
    the reason is DNS_R_TOOMANYRECORDS.
  Bug Fixes:
  * Fix a statistics channel counter bug when “forward only” zones
    are used.
  * When resolving a zone with a “forward only” policy, and finding
    out that all the forwarders were marked as “bad”, the
    “ServerQuota” counter of the statistics channel was incorrectly
    increased. This has been fixed.
  * Fix a bug in the static-stub implementation.
  * Static-stub addresses and addresses from other sources were
    being mixed together, resulting in static-stub queries going to
    addresses not specified in the configuration, or alternatively,
    static-stub addresses being used instead of the correct server
    addresses.
  * Don’t allow statistics-channels if libxml2 and libjson-c are
    not configured.
  * When BIND 9 is not configured with the libxml2 and libjson-c
    libraries, the use of the statistics-channels option is a fatal
    error.
  * Separate DNSSEC validation from long-running tasks.
  * Split CPU-intensive and long-running tasks into separate
    threadpools in a way that the long-running tasks - like RPZ,
    catalog zone processing, or zone file operations - don’t block
    CPU-intensive operations like DNSSEC validations.
  * Fix an assertion failure when processing access control lists.
  * The named process could terminate unexpectedly when processing
    ACLs. This has been fixed.
  * Fix a bug in Offline KSK using a ZSK with an unlimited
    lifetime.
  * If the ZSK had an unlimited lifetime, the timing metadata
    Inactive and Delete could not be found and were treated as an
    error, preventing the zone from being signed. This has been
    fixed.
  * Limit the outgoing UDP send queue size.
  * If the operating system UDP queue got full and the outgoing UDP
    sending started to be delayed, BIND 9 could exhibit memory
    spikes as it tried to enqueue all the outgoing UDP messages. It
    now tries to deliver the outgoing UDP messages synchronously;
    if that fails, it drops the outgoing DNS message that would get
    queued up and then timeout on the client side.
  * Do not set SO_INCOMING_CPU.
  * Remove the SO_INCOMING_CPU setting as kernel scheduling
    performs better without constraints.
  * Fix the rndc dumpdb command’s error reporting.
  * The rndc dumpdb command was not reporting errors that occurred
    when named started up the database dump process. This has been
    fixed.
  * Fix long-running incoming transfers.
  * Incoming transfers that took longer than 30 seconds would stop
    reading from the TCP stream and the incoming transfer would be
    indefinitely stuck, causing BIND 9 to hang during shutdown.
  * This has been fixed, and the max-transfer-time-in and
    max-transfer-idle-in timeouts are now honored.
  * Fix an assertion failure when receiving DNS responses over TCP.
  * When matching the received Query ID in the TCP connection, an
    invalid Query ID could cause an assertion failure. This has
    been fixed.
 -------------------------------------------------------------------
 Thu Sep 19 08:57:57 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Update to release 9.20.2
  New Features:
  * Support for Offline KSK implemented.
  * Add a new configuration option offline-ksk to enable Offline
    KSK key management. Signed Key Response (SKR) files created
    with dnssec-ksr (or other programs) can now be imported into
    named with the new rndc skr -import command. Rather than
    creating new DNSKEY, CDS, and CDNSKEY records and generating
    signatures covering these types, these records are loaded from
    the currently active bundle from the imported SKR.
  * The implementation is loosely based on
    draft-icann-dnssec-keymgmt-01.txt.
  * Print the full path of the working directory in startup log
    messages.
  * named now prints its initial working directory during startup,
    and the changed working directory when loading or reloading its
    configuration file, if it has a valid directory option defined.
  * Support a restricted key tag range when generating new keys.
  * When multiple signers are being used to sign a zone, it is
    useful to be able to specify a restricted range of key tags to
    be used by an operator to sign the zone. The range can be
    specified with tag-range in dnssec-policy’s keys (for named and
    dnssec-ksr) and with the new options dnssec-keyfromlabel -M and
    dnssec-keygen -M.
  Feature Changes:
  * Exempt prefetches from the fetches-per-zone and
    fetches-per-server quotas.
  * Fetches generated automatically as a result of prefetch are now
    exempt from the fetches-per-zone and fetches-per-server quotas.
    This should help in maintaining the cache from which query
    responses can be given.
  * Follow the number of CPUs set by taskset/cpuset.
  * Administrators may wish to constrain the set of cores that
    named runs on via the taskset, cpuset, or numactl programs (or
    equivalents on other OSes).
  * If the admin has used taskset, named now automatically uses the
    given number of CPUs rather than the system-wide count.
  Bug Fixes:
  * Delay the release of root privileges until after configuring
    controls.
  * Delay relinquishing root privileges until the control channel
    has been configured, for the benefit of systems that require
    root to use privileged port numbers. This mostly affects
    systems without fine- grained privilege systems (i.e., other
    than Linux).
  * Fix a rare assertion failure when shutting down incoming
    transfer.
  * A very rare assertion failure could be triggered when the
    incoming transfer was either forcefully shut down, or it
    finished during the printing of the details about the
    statistics channel. This has been fixed.
  * Fix algorithm rollover bug when there are two keys with the
    same keytag.
  * If there was an algorithm rollover and two keys of different
    algorithms shared the same keytags, there was the possibility
    that the check of whether the key matched a specific state
    could be performed against the wrong key. This has been fixed
    by not only checking for the matching key tag but also the key
    algorithm.
  * Fix an assertion failure in validate_dnskey_dsset_done().
  * Under rare circumstances, named could terminate unexpectedly
    when validating a DNSKEY resource record if the validation had
    been canceled in the meantime. This has been fixed.
  Known Issues:
  * Long-running tasks in offloaded threads (e.g. the loading of
    RPZ zones or processing zone transfers) may block the
    resolution of queries during these operations and cause the
    queries to time out. To work around the issue, the
    UV_THREADPOOL_SIZE environment variable can be set to a larger
    value before starting named. The recommended value is the
    number of RPZ zones (or number of transfers) plus the number of
    threads BIND should use, which is typically the number of CPUs.
 -------------------------------------------------------------------
 Fri Aug 23 09:26:22 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
 - Update to release 9.20.1
  New Features:
  * Implement rndc retransfer -force.
  * A new optional argument -force has been added to the command
    rndc retransfer. When it is specified, named aborts the ongoing
    zone transfer (if there is one) and starts a new transfer.
  * dig now reports a missing QUESTION section for messages with
    opcode QUERY.
  * Query responses should contain the QUESTION section, with some
    exceptions. dig was not reporting this.
  Feature Changes:
  * Tighten max-recursion-queries and add max-query-restarts
    configuration statement.
  * There were cases when the max-recursion-queries quota was
    ineffective. It was possible to craft zones that would cause a
    resolver to waste resources by sending excessive queries while
    attempting to resolve a name. This has been addressed by
    correcting errors in the implementation of
    max-recursion-queries and by reducing the default value from
    100 to 32.
  * In addition, a new max-query-restarts configuration statement
    has been added, which limits the number of times a recursive
    server will follow CNAME or DNAME records before terminating
    resolution. This was previously a hard-coded limit of 16 but is
    now configurable with a default value of 11.
  * ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli,
    and Cagin Tanir from NetSec group, ETH Zurich for discovering
    and notifying us about the issue.
  * Allow shorter resolver-query-timeout configuration.
  * The minimum allowed value of resolver-query-timeout was lowered
    from its previous value of 10 000 milliseconds (which is still
    the default) to 301 milliseconds. Note however that values of 1
    to 300 inclusive are interpreted as seconds before applying the
    limit. A value of zero is interpreted as the default.
  * Raise the log level of priming failures.
  * When a priming query is complete, it was previously logged at
    level DEBUG(1), regardless of success or failure. It is now
    logged to NOTICE in the case of failure.
  Bug Fixes:
  * Fix a crash caused by valid TSIG signatures with invalid time.
  * An assertion failure was triggered when the TSIG had a valid
    cryptographic signature but the time was invalid. This could
    happen when the times between the primary and secondary servers
    were not synchronised. The crash has now been fixed.
  * Return SERVFAIL for a too long CNAME chain.
  * When following long CNAME chains, named was returning NOERROR
    (along with a partial answer) instead of SERVFAIL, if the chain
    exceeded the maximum length. This has been fixed.
  * Reconfigure catz member zones during named reconfiguration.
  * During a reconfiguration, named wasn’t reconfiguring catalog
    zones’ member zones. This has been fixed.
  * Update key lifetime and metadata after dnssec-policy
    reconfiguration.
  * Adjust key state and timing metadata if dnssec-policy key
    lifetime configuration is updated, so that it also affects
    existing keys.
  * Fix a crash during zone modification.
  * Fix an assertion failure that could happen when an
    authoritative zone was modified while the server was generating
    an answer from that zone.
  * Fix assertion failure when executing named-checkconf -v to
    print its version.
  * Fix generation of 6to4-self name expansion from IPv4 address.
  * The period between the most significant nibble of the encoded
    IPv4 address and the 2.0.0.2.IP6.ARPA suffix was missing,
    resulting in the wrong name being checked. This has been fixed.
  * dig +yaml was producing unexpected and/or invalid YAML. output.
  * SVBC ALPN text parsing failed to reject zero-length ALPN.
  * Fix false QNAME minimisation error being reported.
  * Remove the false positive success resolving log message when
    QNAME minimisation is in effect and the final result is an
    NXDOMAIN.
  * Fix --enable-tracing build on systems without dtrace.
  * A missing util/dtrace.sh file prevented builds on systems
    without the dtrace utility. This has been corrected.
 -------------------------------------------------------------------
 Wed Jul 24 09:03:08 UTC 2024 - Jorik Cronenberg <jorik.cronenberg@suse.com>
--- a/bind.spec
+++ b/bind.spec
@@ -1,8 +1,7 @@
 #
 # spec file for package bind
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -52,14 +51,12 @@
 %define with_sfw2 0
 %endif
 %define dlz_modules_hash 5923650
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.20.5
+Version:        9.20.0
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@@ -70,8 +67,7 @@ Source1:        https://downloads.isc.org/isc/bind9/%{version}/bind-%{version}.t
 Source2:        vendor-files.tar.bz2
 # from http://www.isc.org/about/openpgp/ ... changes yearly apparently.
 Source3:        %{name}.keyring
-Source4:        dlz-modules-%{dlz_modules_hash}.tar.gz
+Source9:        ftp://ftp.internic.net/domain/named.root
 Source9:        https://www.internic.net/domain/named.root
 Source40:       dnszone-schema.txt
 Source60:       dlz-schema.txt
 # configuration file for systemd-tmpfiles
@@ -89,7 +85,7 @@ BuildRequires:  protobuf-c
 BuildRequires:  python3
 BuildRequires:  python3-Sphinx
 BuildRequires:  python3-ply
-BuildRequires:  python3-sphinx_rtd_theme
+BuildRequires:  update-desktop-files
 BuildRequires:  pkgconfig(jemalloc)
 BuildRequires:  pkgconfig(json)
 BuildRequires:  pkgconfig(krb5)
@@ -235,7 +231,6 @@ possible string of labels in the query name that matches the wildcard.
 %prep
 %autosetup -p1 -a2
 %setup -T -D -a4
 # use the year from source gzip header instead of current one to make reproducible rpms
 year=$(perl -e 'sysread(STDIN, $h, 8); print (1900+(gmtime(unpack("l",substr($h,4))))[5])' < %{SOURCE0})
@@ -312,8 +307,8 @@ done
 %sysusers_generate_pre %{SOURCE72} named named.conf
 %endif
 # special build for the plugins
-for d in dlz-modules-%{dlz_modules_hash}/modules/*; do
+for d in contrib/dlz/modules/*; do
-       [ -e $d/Makefile ] && make -C $d
+	[ -e $d/Makefile ] && make -C $d
 done
 %install
@@ -344,28 +339,25 @@ rm -rf %{buildroot}%{_includedir}
 # Install the plugins
 mkdir -p %{buildroot}/%{_libdir}/bind-plugins
 pushd dlz-modules-%{dlz_modules_hash}/modules
 %if %{with_modules_perl}
-    install -m 0644 perl/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_mysql}
-    install -m 0644 mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
-    install -m 0644 mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_ldap}
-    install -m 0644 ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_bdbhpt}
-    install -m 0644 bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_sqlite3}
-    install -m 0644 sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 %if %{with_modules_generic}
-    install -m 0644 {filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
 %endif
 popd
 # remove useless .la files
 rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la
 mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}
@@ -394,6 +386,7 @@ mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
 install -m 0644 %{_sourcedir}/named.root %{buildroot}%{_localstatedir}/lib/named/root.hint
 mv vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_localstatedir}/lib/named
 install -m 0755 vendor-files/tools/bind.genDDNSkey %{buildroot}/%{_bindir}/genDDNSkey
 cp -a vendor-files/docu/BIND.desktop %{buildroot}/%{_datadir}/susehelp/meta/Administration/System
 cp -p %{_sourcedir}/dnszone-schema.txt %{buildroot}/%{_sysconfdir}/openldap/schema/dnszone.schema
 cp -p "%{SOURCE60}" "%{buildroot}/%{_sysconfdir}/openldap/schema/dlz.schema"
 install -m 0754 vendor-files/tools/ldapdump %{buildroot}/%{_datadir}/bind
--- a/dlz-modules-5923650.obscpio
+++ b/dlz-modules-5923650.obscpio
--- a/dlz-modules.obsinfo
+++ b/dlz-modules.obsinfo
@@ -1,4 +0,0 @@
 name: dlz-modules
 version: 5923650
 mtime: 1731483151
 commit: 5923650dbb69eac5006938218d0bc11ad9b41696
--- a/named.root
+++ b/named.root
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ;
-;       last update:     December 18, 2024
+;       last update:     July 28, 2021
-;       related version of root zone:     2024121801
+;       related version of root zone:     2021072802
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
@@ -21,8 +21,8 @@ A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
 ; FORMERLY NS1.ISI.EDU 
 ;
 .                        3600000      NS    B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
-B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
 ; 
 ; FORMERLY C.PSI.NET 
 ;
--- a/vendor-files.tar.bz2
+++ b/vendor-files.tar.bz2