Accepting request 977470 from network

OBS-URL: https://build.opensuse.org/request/show/977470 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bind?expand=0&rev=178
2022-05-17 15:23:41 +00:00 · 2022-05-17 15:23:41 +00:00 · d4dcf9e60e
commit d4dcf9e60e
parent c4ea47b332 ed00a571eb
11 changed files with 469 additions and 143 deletions
--- a/bind-9.16.25.tar.xz
+++ b/bind-9.16.25.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9fa328850f82843ef8b7bf1ff5322cb68b110273a33f375ba41f35270f5e1ff3
-size 5086780
--- a/bind-9.16.25.tar.xz.sha512.asc
+++ b/bind-9.16.25.tar.xz.sha512.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmHnQzwACgkQxbTukxqf
-nf36OhAAyjIh6tcuDauRQQFfuyBIPHBCDybidjUxE5NsjMfd9EKR6QOp2rICgtJz
-4i/+UxQm0e6B1VmogdDddH5YL4NNk9aiNbeBXCeSVicA8jRwAI44lL5iVSSlBK+f
-4nQ1rWwlSoV7AkE1oDrTIxfz5wPm1gyG4FBxqrTxxsrqrKsrxKZbHjAqEUeBuEEz
-/MqfAkDpvV+JWSFbwp2f8igH/cHx06MCsUkWLuZPWiT3k1g+9lqgfcigcNN3yqoK
-tQQwnozLUwjRJt0t4dl99frb93KKkX4IMqk7Pevue2kEWx0yo1GbPLmPiOdrUeK3
-nFMgMopwAvPzla56RKf4gLpHerHR+YNWWFHoju71teg7/6b++LZEWMQ+7stP1wCj
-B9COURDClp/4Z7j7GuYgE8jVSvpemuHqlkHZyF/94EA1yY1d4fA0ViCsZVrRBfaj
-7QFaKDBl4Qj/5eY1DcP9QZ4t7z83ugSBqgVp5DxJgIqC+ZFPkQSPAy5AxHUILlqX
-/XRyLbRDSSp0ZJjt6G+aJ2C2nRKykrp4QcnVlfRo4AWEBfZ2hC5Q8DRP4nQdAVno
-2wSCDUt4TSXIJZp848PmbfcQccYEB9H5DBbR865nic8hmcT+CniflASwqATqL5PB
-1+RdrwKO1/K0VVrNhmtwswF8JvSMZktWlicqezdLhhQz8Bzdrbc=
-=phwZ
-----END PGP SIGNATURE-----
--- a/bind-9.18.2.tar.xz
+++ b/bind-9.18.2.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e4b38779bba0a23ee634fdf7c525fd9794c41d692bfd83cda25823a2a3ed969
+size 5109916
--- a/bind-9.18.2.tar.xz.sha512.asc
+++ b/bind-9.18.2.tar.xz.sha512.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmJdcqsACgkQxbTukxqf
+nf3E5xAApY6+1ckL4EJpdEJux9WHBoHKlnTFAaD1HKIGNbJUPwnfc0j9LgVgRXIH
+AClkZS+9n45+CJEAwaoWcCmfAF4fUnoPukF16XhtRFcDCW4CSGSIbhXVKrN5hWkP
+nhpjmLC3DVVxxCEBySK1TxUQUPeLC5cbdtozgkA/QL/LiMdm2gagBXlKRL9nVdIX
+v5Fm+ZyVAU22WG639y7MpiquXdZ3P9xcmLcu4gg3A2IQ25mF4yj3C/nxNmqpZCVj
+e4i3/jyrXliSEXJ5lCZ7k5JBziS67edpoEMUnQgVxEIcLabl4xB5Q114eU1RI4C+
+JX9EZdgmXClqkQrJXuIgu1usm+cjvhNkltokNz/FcpClaDUpXQptC56UNLQUfZS2
+ZBOfxUhJYR+Fzru3pO5rXgs99nZlphS6BAbwLEmvgP1Ws3x1ye7lVKWuytKCxRhM
+yuNK7o5PBzMK8iW+B3h0ok9JsakhEJH1sOqlthInfrcJO1GLox1v5Ih3cGrRHNLK
+CnU8AkZkFPuTtNJMGFOtkftckkufiIcisakTjF2jfr7eWkf3k/FN4+AWF+h4R7gD
+vFz0YMH9I9GdfMFbikh2KUm1sU3d1RQ1mf600vEGFAsjPRuZCCe6762g3OLr9Rza
+TN3/XeHFyjJep2P+RCUUdEGUcb0ry3qV9jr9wUyB/KkJNefScHE=
+=A7Yz
+-----END PGP SIGNATURE-----
--- a/bind-avoid-fallthrough-warning-error.patch
+++ b/bind-avoid-fallthrough-warning-error.patch
@ -1,26 +0,0 @@
-Index: bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
-===================================================================
--- bind-9.16.23.orig/contrib/dlz/drivers/dlz_ldap_driver.c
-+++ bind-9.16.23/contrib/dlz/drivers/dlz_ldap_driver.c
-@@ -978,11 +978,13 @@ dlz_ldap_create(const char *dlzname, uns
- 		if (result != ISC_R_SUCCESS) {
- 			return (result);
- 		}
-+		/* FALLTHROUGH */
- 	case 11:
- 		result = dlz_ldap_checkURL(argv[10], 3, "all nodes");
- 		if (result != ISC_R_SUCCESS) {
- 			return (result);
- 		}
-+		/* FALLTHROUGH */
- 	case 10:
- 		if (strlen(argv[9]) > 0) {
- 			result = dlz_ldap_checkURL(argv[9], 3, "authority");
-@@ -990,6 +992,7 @@ dlz_ldap_create(const char *dlzname, uns
- 				return (result);
- 			}
- 		}
-+		/* FALLTHROUGH */
- 	case 9:
- 		result = dlz_ldap_checkURL(argv[8], 3, "lookup");
- 		if (result != ISC_R_SUCCESS) {
--- a/bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
+++ b/bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
@ -0,0 +1,38 @@
+Index: bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h
+===================================================================
+--- bind-9.18.2.orig/contrib/dlz/modules/include/dlz_minimal.h
+++ bind-9.18.2/contrib/dlz/modules/include/dlz_minimal.h
+@@ -27,6 +27,7 @@
+ 
+ #include <inttypes.h>
+ #include <stdbool.h>
+#include <stdlib.h>
+ 
+ #include <arpa/inet.h>
+ #include <net/if.h>
+@@ -85,6 +86,25 @@ typedef uint32_t     dns_ttl_t;
+ 		var = _u.v;            \
+ 	} while (0)
+ 
+
+#if !defined(__has_attribute)
+#define __has_attribute(x) 0
+#endif /* if !defined(__has_attribute) */
+
+#if __GNUC__ >= 7 || __has_attribute(fallthrough)
+#define FALLTHROUGH __attribute__((fallthrough))
+#else
+/* clang-format off */
+#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */
+/* clang-format on */
+#endif
+
+#ifdef __GNUC__
+#define UNREACHABLE() __builtin_unreachable()
+#else
+#define UNREACHABLE() abort()
+#endif
+
+ /* opaque structures */
+ typedef void *dns_sdlzlookup_t;
+ typedef void *dns_sdlzallnodes_t;
--- a/bind-prevent-buffer-overflow.patch
+++ b/bind-prevent-buffer-overflow.patch
@ -0,0 +1,38 @@
+From 921043b54161c7a3e6dc4036b038ca4dbc5fe472 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Fri, 13 May 2022 19:59:58 -0700
+Subject: [PATCH] prevent a possible buffer overflow in configuration check
+
+corrected code that could have allowed a buffer overfow while
+parsing named.conf.
+---
+ lib/bind9/check.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/bind9/check.c b/lib/bind9/check.c
+index 658daec76d..baacd29a84 100644
+--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
+@@ -3009,8 +3009,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ 		} else if (dns_name_isula(zname)) {
+ 			ula = true;
+ 		}
+-		tmp += strlen(tmp);
+ 		len -= strlen(tmp);
+		tmp += strlen(tmp);
+ 		(void)snprintf(tmp, len, "%u/%s", zclass,
+ 			       (ztype == CFG_ZONE_INVIEW) ? target
+ 			       : (viewname != NULL)	  ? viewname
+@@ -3719,8 +3719,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ 		char *tmp = keydirbuf;
+ 		size_t len = sizeof(keydirbuf);
+ 		dns_name_format(zname, keydirbuf, sizeof(keydirbuf));
+-		tmp += strlen(tmp);
+ 		len -= strlen(tmp);
+		tmp += strlen(tmp);
+ 		(void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir);
+ 		tresult = keydirexist(zconfig, (const char *)keydirbuf,
+ 				      kaspname, keydirs, logctx, mctx);
+-- 
+GitLab
+
--- a/bind.changes
+++ b/bind.changes
@ -1,3 +1,177 @@
+-------------------------------------------------------------------
+Mon May 16 08:14:55 UTC 2022 - Martin Liška <mliska@suse.cz>
+
+- Add upstream patch bind-prevent-buffer-overflow.patch.
+
+-------------------------------------------------------------------
+Thu May 12 14:25:28 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- The named-checkconf had been moved from /usr/sbin to /usr/bin
+  but that had not been reflected in scripts that called this,
+  eg named.prep. So these scripts failed.
+  Some installations still have "createNamedConfInclude" in the
+  NAMED_INITIALIZE_SCRIPTS in /etc/sysconfig/named. The named.prep
+  will now report this but continue.
+  [bsc#1199044, vendor-files.tar.bz2]
+
+-------------------------------------------------------------------
+Mon Apr 25 06:56:58 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- Upgrade to 9.18.2:
+  Most important bugs fixed:
+  * The "starting maxtime timer" message related to outgoing
+    zone transfers was incorrectly logged at the ERROR level
+    instead of DEBUG(1).
+  * Ensure that zone maintenance queries have a retry limit.
+  * When using both the `+qr` and `+y` options `dig` could
+    crash if the connection to the first server was not
+    successful.
+  * dig could hang in some cases involving multiple servers
+    in a lookup, when a request fails and the next one
+    refuses to start for some reason, for example if it was
+    an IPv4 mapped IPv6 address.
+  * dig +nssearch was hanging until manually interrupted.
+  * When an UPDATE targets a zone that is not configured,
+    the requested zone name is now logged in the "not
+    authoritative" error message, so that it is easier to
+    track down problematic update clients.
+  * Quote the dns64 prefix in error messages that complain
+    about problems with it, to avoid confusion with the
+    following dns64 ACLs.
+  * When encountering socket error while trying to initiate
+    a TCP connection to a server, dig could hang
+    indefinitely, when there were more servers to try.
+  * When timing-out or having other types of socket errors
+    during a query, dig wasn't trying to perform the lookup
+    using other servers, in case they exist.
+  * Resending a UDP request in the result of a timeout
+    could cause an assertion failure when the resent
+    query's result was SERVFAIL.
+  * Replace single TCP write timer with per-TCP write
+    timers.
+  * Invalid dnssec-policy definitions were being accepted
+    where the defined keys did not cover both KSK and ZSK
+    roles for a given algorithm.  This is now checked for
+    and the dnssec-policy is rejected if both roles are
+    not present for all algorithms in use.
+  * Fix query context management issues in the TCP part
+    of dig.
+
+  Noteworthy functional changes:
+  * Add new "reuseport" option to enable/disable load
+    balancing of sockets.
+  * Set the minimum MTU on UDPv6 and TCPv6 sockets and
+    limit TCP maximum segment size (TCP_MAXSEG) to (1220)
+    for both TCPv4 and TCPv6 sockets.
+  
+  Needed to define two macros in contrib code:
+  FALLTHOUGH is a copy of how it is defined in <isc/util.h>
+
+  UNREACHABLE follows the model used in MacOS /usr/include/c++/v1/cstdlib
+  to determine if __builtin_ureachable is available
+  [bind-9.18.2.tar.xz, bind-9.18.2.tar.xz.sha512.asc,
+  bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch]
+
+-------------------------------------------------------------------
+Thu Mar 17 07:28:25 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- * When using forwarders, bogus NS records supplied by, or via, those
+    forwarders may be cached and used by named if it needs to recurse
+    for any reason, causing it to obtain and pass on potentially
+    incorrect answers. [CVE-2021-25220]
+  * TCP connection slots may be consumed for an indefinite time frame
+    via a specifically crafted TCP stream sent from a client.
+    This issue can only be triggered on BIND servers which have
+    keep-response-order enabled, which is not the default configuration.
+    The keep-response-order option is an ACL block, and as such, any
+    hosts specified within it will be able to trigger this issue on
+    affected versions. [CVE-2022-0396]
+  * The RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature
+    (synth-from-dnssec) had been refactored and the default has been
+    changed so that is now automatically enabled for dnssec-validating
+    resolvers. Subsequently it was found that repeated patterns of
+    specific queries to servers with this feature enabled could cause
+    an INSIST failure in query.c:query_dname which causes named to
+    terminate unexpectedly.
+    The vulnerability affects BIND resolvers running 9.18.0 that have
+    both dnssec-validation and synth-from-dnssec enabled. (Note that
+    dnssec-validation auto; is the default setting unless configured
+    otherwise in named.conf and that enabling dnssec-validation
+    automatically enables synth-from-dnssec unless explicitly disabled)
+    [CVE-2022-0635]
+  * The refactoring of the recursive client code introduced a
+    "backstop lifetime timer."
+    While BIND is processing a request for a DS record that needs to be
+    forwarded, it waits until this processing is complete or until the
+    backstop lifetime timer has timed out. When the resume_dslookup() function
+    is called as a result of such a timeout, the function does not test
+    whether the fetch has previously been shut down. This introduces the
+    possibility of triggering an assertion failure, which could cause the BIND
+    process to terminate. [CVE-2022-0667]
+  * Reset client TCP connection when data received cannot
+    be parsed as a valid DNS request.
+  For a complete list of changes, see
+  * Bind Release Notes
+    https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html
+  * The CHANGES file in the source RPM
+  This obsoletes bind-define-missing-threads.patch
+  Also, removed bind-python3 from the spec file as it is not build
+  any longer.
+  [bind.spec, bind-9.18.1.tar.xz, bind-9.18.1.tar.xz.sha512.asc,
+   bind-define-missing-threads.patch]
+
+-------------------------------------------------------------------
+Mon Jan 31 13:49:51 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- Update to new MAJOR VERSION 9.18.0.
+  This has many enhnancements, bug fixes and changes.
+  The spec file also has mechanisms to run the integrated test suite.
+
+  MAJOR CHANGES:
+  * Support for securing DNS traffic using Transport Layer Security (TLS).
+    TLS is used by both DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
+  * Support for zone transfers over TLS (XFR-over-TLS, XoT) for both
+    incoming and outgoing zone transfers.
+  * The dig tool is now able to send DoT queries (+tls option).
+  * Support for OpenSSL 3.0 APIs was added. 
+
+  A number of utilities have been removed: dnssec-checkds,
+  dnssec-coverage, dnssec-keymgr, which have been deprecated in
+  favor of dnssec-policy feature, as well as python support
+  (package python3-bind). 
+  A number of utilities have been moved from (/usr)/sbin to (/usr)/bin
+  The DLZ modules have been put into seperate sub-packages
+  to keep unwanted dependencies out of the main package:
+  * bind-modules-perl: dlz_perl_driver.so
+  * bind-modules-mysql: dlz_mysql_dynamic.so, dlz_mysqldyn_mod.so
+  * bind-modules-ldap: dlz_ldap_dynamic.so
+  * bind-modules-bdbhpt: dlz_bdbhpt_dynamic.so
+  * bind-modules-sqlite3: dlz_sqlite3_dynamic.so
+  * bind-modules-generic: dlz_filesystem_dynamic.so, dlz_wildcard_dynamic.so
+  For a complete list of changes, see
+  * Bind Release Notes
+    https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/notes.html
+  * The CHANGES file in the source RPM
+  [bind.spec, bind-9.18.0.tar.xz, bind-9.18.0.tar.xz.sha512.asc,
+   bind-avoid-fallthrough-warning-error.patch,
+   bind-contrib-pthread.patch, named-bootconf.diff, bind-define-missing-threads.patch]
+
+-------------------------------------------------------------------
+Mon Jan 24 13:18:35 UTC 2022 - Josef Möllers <josef.moellers@suse.com>
+
+- Old-style DLZ drivers have been deprecated in favor of
+  DLZ modules. The DLZ drivers configuration option will
+  be removed from the next major BIND 9 release.
+
+  The option to use the DLZ modules is already available
+  in BIND 9; please see the ARM section on DLZ modules.
+
+  The dynamically lodable driver modules are stored in
+  /usr/lib64/bind-plugins
+  Example configurations for ldap and mysql are provided in
+  named.conf.
+  [bind.spec, vendor-files/config/named.conf]
+
 -------------------------------------------------------------------
 Fri Jan 21 16:24:16 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

--- a/bind.spec
+++ b/bind.spec
@ -17,6 +17,16 @@


 %define _buildshell /bin/bash
+%bcond_with check
+
+# DLZ modules
+%bcond_without modules_bdbhpt
+%bcond_without modules_ldap
+%bcond_without modules_mysql
+%bcond_without modules_sqlite3
+%bcond_without modules_perl
+%bcond_without modules_generic
+# end DLZ modules

 %define	VENDOR SUSE
 %if 0%{?suse_version} >= 1500
@ -46,7 +56,7 @@
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.16.25
+Version:        9.18.2
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0
@ -64,24 +74,24 @@ Source60:       dlz-schema.txt
 Source70:       bind.conf
 # configuation file for systemd-sysusers
 Source72:       named.conf
-Patch52:        named-bootconf.diff
 Patch56:        bind-ldapdump-use-valid-host.patch
-Patch57:        bind-avoid-fallthrough-warning-error.patch
+Patch57:        bind-define-local-instances-of-FALLTHROUGH-and-UNREACHABLE.patch
+Patch58:        bind-prevent-buffer-overflow.patch
 BuildRequires:  libcap-devel
-BuildRequires:  libmysqlclient-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
-BuildRequires:  openldap2-devel
 BuildRequires:  openssl
 BuildRequires:  pkgconfig
 BuildRequires:  python3
 BuildRequires:  python3-Sphinx
 BuildRequires:  python3-ply
 BuildRequires:  update-desktop-files
+BuildRequires:  pkgconfig(jemalloc)
 BuildRequires:  pkgconfig(json)
 BuildRequires:  pkgconfig(krb5)
 BuildRequires:  pkgconfig(libidn2)
 BuildRequires:  pkgconfig(libmaxminddb)
+BuildRequires:  pkgconfig(libnghttp2)
 BuildRequires:  pkgconfig(libuv)
 BuildRequires:  pkgconfig(libxml-2.0)
 Requires:       %{name}-utils
@ -125,7 +135,6 @@ includes also the BIND Administrator Reference Manual (ARM).
 Summary:        Libraries for "bind" and utilities to query and test DNS
 # Needed for dnssec parts
 Group:          Productivity/Networking/DNS/Utilities
-Requires:       python3-bind = %{version}
 Provides:       bind9-utils
 Provides:       bindutil
 Provides:       dns_utils
@ -140,15 +149,81 @@ test and query the Domain Name System (DNS) and also the libraries rquired
 for the base "bind" package. The Berkeley Internet
 Name Domain (BIND) DNS server is found in the package named bind.

-%package -n python3-bind
-Summary:        A module allowing rndc commands to be sent from Python programs
-Group:          Development/Languages/Python
-Requires:       python3
-Requires:       python3-ply
-BuildArch:      noarch
+%if %{with_modules_perl}
+%package modules-perl
+Summary:        A dynamically loadable zone (DLZ) plugin embedding a Perl interpreter in BIND
+Group:          Productivity/Networking/DNS/Servers
+BuildRequires:  perl

-%description -n python3-bind
-This package provides a module which allows commands to be sent to rndc directly from Python programs.
+%description modules-perl
+This package includes a dynamically loadable zone (DLZ) plugin
+embedding a Perl interpreter in BIND, allowing Perl scripts
+to be written to integrate with BIND and serve DNS data.
+%endif
+
+%if %{with_modules_mysql}
+%package modules-mysql
+Summary:        DLZ modules which store zone data in a MySQL database
+Group:          Productivity/Networking/DNS/Servers
+BuildRequires:  libmysqlclient-devel
+
+%description modules-mysql
+This package includes dynamically loadable zone (DLZ) plugins
+which store zone data in a MySQL database
+The dlz_mysql_dynamic.so plugin does not support dynamic updates
+the dlz_mysqldyn_mod.so plugin is a dynamically loadable zone (DLZ)
+plugin that uses a fixed-schema MySQL database for back-end storage.
+It allows zone data to be updated via dynamic DNS updates, and
+sends DNS NOTIFY packets to other name servers when appropriate.
+%endif
+
+%if %{with_modules_ldap}
+%package modules-ldap
+Summary:        A DLZ module which stores zone data in an LDAP directory
+Group:          Productivity/Networking/DNS/Servers
+BuildRequires:  openldap2-devel
+
+%description modules-ldap
+This package provides the externally loadable ldap DLZ module, without
+update support
+%endif
+
+%if %{with_modules_bdbhpt}
+%package modules-bdbhpt
+Summary:        A DLZ module which stores zone data in a BerkeleyDB
+Group:          Productivity/Networking/DNS/Servers
+BuildRequires:  libdb-4_8-devel
+
+%description modules-bdbhpt
+This package provides the externally loadable bdbhpt DLZ driver, without
+update support
+%endif
+
+%if %{with_modules_sqlite3}
+%package modules-sqlite3
+Summary:        A DLZ module which stores zone data in an sqlite3 db
+Group:          Productivity/Networking/DNS/Servers
+BuildRequires:  sqlite3-devel
+
+%description modules-sqlite3
+This package provides the externally loadable SQLitee DLZ module, without
+update support.
+%endif
+
+%if %{with_modules_generic}
+%package modules-generic
+Summary:        DLZ module which store zone data in plain files
+Group:          Productivity/Networking/DNS/Servers
+
+%description modules-generic
+This package provides the externally loadable filesystem DLZ module, without
+update support and the externally loadable wildcard DLZ module.
+The "wildcard" DLZ module provides a "template" zone for domains matching
+a wildcard name.
+For any zone name matching the wildcard, it would return the data from
+the template.  "$zone$" is replaced with zone name: i.e., the shortest
+possible string of labels in the query name that matches the wildcard.
+%endif

 %prep
 %autosetup -p1 -a2
@ -192,23 +267,25 @@ export LDFLAGS="-pie"
 	--enable-threads \
 	--with-libtool \
 	--with-libxml2 \
-	--with-libjson \
+	--with-dlz_filesystem \
+	--with-json-c \
 	--with-libidn2 \
-	--with-dlz-mysql \
-	--with-dlz-ldap \
 	--with-randomdev=/dev/urandom \
 	--enable-ipv6 \
 	--with-pic \
 	--disable-openssl-version-check \
 	--with-tuning=large \
 	--with-maxminddb \
-	--with-dlopen \
+	--with-dlopen=auto \
 	--with-gssapi=yes \
 	--disable-isc-spnego \
 	--enable-fixed-rrset \
 	--enable-filter-aaaa \
 %if %{with_systemd}
        --with-systemd \
+%endif
+%if %{with check}
+	--enable-querytrace \
 %endif
 	--enable-full-report
 # disable rpath
@ -224,6 +301,10 @@ done
 %if %{with_systemd}
 %sysusers_generate_pre %{SOURCE72} named named.conf
 %endif
+# special build for the plugins
+for d in contrib/dlz/modules/*; do
+	[ -e $d/Makefile ] && make -C $d
+done

 %install
 mkdir -p \
@ -245,12 +326,32 @@ mkdir -p \
 mkdir -p %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
 %endif
 %make_install
-install -m 0644 .clang-format.headers %{buildroot}/%{_defaultdocdir}/bind
 # remove useless .h files
 rm -rf %{buildroot}%{_includedir}

+# Install the plugins
+mkdir -p %{buildroot}/%{_libdir}/bind-plugins
+%if %{with_modules_perl}
+    install -m 0644 contrib/dlz/modules/perl/*.so %{buildroot}/%{_libdir}/bind-plugins
+%endif
+%if %{with_modules_mysql}
+    install -m 0644 contrib/dlz/modules/mysql/*.so %{buildroot}/%{_libdir}/bind-plugins
+    install -m 0644 contrib/dlz/modules/mysqldyn/*.so %{buildroot}/%{_libdir}/bind-plugins
+%endif
+%if %{with_modules_ldap}
+    install -m 0644 contrib/dlz/modules/ldap/*.so %{buildroot}/%{_libdir}/bind-plugins
+%endif
+%if %{with_modules_bdbhpt}
+    install -m 0644 contrib/dlz/modules/bdbhpt/*.so %{buildroot}/%{_libdir}/bind-plugins
+%endif
+%if %{with_modules_sqlite3}
+    install -m 0644 contrib/dlz/modules/sqlite3/*.so %{buildroot}/%{_libdir}/bind-plugins
+%endif
+%if %{with_modules_generic}
+    install -m 0644 contrib/dlz/modules/{filesystem,wildcard}/*.so %{buildroot}/%{_libdir}/bind-plugins
+%endif
 # remove useless .la files
-rm -f %{buildroot}/%{_libdir}/lib*.{la,a}
+rm -f %{buildroot}/%{_libdir}/lib*.{la,a} %{buildroot}/%{_libdir}/bind/*.la
 mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}
 mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d
 mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
@ -286,21 +387,24 @@ done
 %if %{with_sfw2}
 install -m 644 vendor-files/sysconfig/SuSEFirewall.named %{buildroot}/%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/bind
 %endif
+%if ! %{with check}
 # Cleanup doc
 rm doc/misc/Makefile*
 find doc/arm -type f ! -name '*.html' -delete
+%endif
 # Create doc as we want it in bind and not bind-doc
 for file in vendor-files/docu/README*; do
 	basename=$( basename ${file})
 	cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR}
 done
-mkdir -p vendor-files/config/ISC-examples
-cp -a bin/tests/*.conf* vendor-files/config/ISC-examples
+# mkdir -p vendor-files/config/ISC-examples
+# cp -a bin/tests/*.conf* vendor-files/config/ISC-examples
 for d in arm; do
 	cp -a doc/${d}/_build %{buildroot}/%{_defaultdocdir}/bind/${d}
 	echo "%doc %{_defaultdocdir}/bind/${d}" >>filelist-bind-doc
 done
-for file in CHANGES COPYRIGHT README version contrib doc/misc vendor-files/config; do
+for file in CHANGES COPYRIGHT README* version contrib/README* doc/misc vendor-files/config; do
+	[ -r ${file} ] || continue
 	basename=$( basename ${file})
 	cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}
 	echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc
@ -313,11 +417,14 @@ install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
 %endif
+find %{buildroot}/usr/share/doc/packages/bind -name cfg_test* -exec rm {} \;
+rm -rf %{buildroot}/usr/share/doc/packages/bind/misc/.libs

 %if %{with_systemd}
 %pre -f named.pre
 %service_add_pre named.service
 %else
+
 %pre
 %{GROUPADD_NAMED}
 %{USERADD_NAMED}
@ -325,6 +432,12 @@ install -m 644 %{SOURCE72} %{buildroot}%{_sysusersdir}/
 %{USERMOD_NAMED}
 %endif

+%if %{with check}
+%check
+sudo bin/tests/system/ifconfig.sh up
+make test
+%endif
+
 %preun
 %if %{with_systemd}
 %service_del_preun named.service
@ -365,7 +478,7 @@ fi
 %dir %{_sysconfdir}/slp.reg.d
 %attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg
 %if %{with_systemd}
-%config %{_unitdir}/named.service
+%{_unitdir}/named.service
 %{_prefix}/lib/tmpfiles.d/bind.conf
 %{_sysusersdir}/named.conf
 %{_datadir}/factory
@ -378,17 +491,21 @@ fi
 %{_bindir}/named-rrchecker
 %{_sbindir}/rcnamed
 %{_sbindir}/named
-%{_sbindir}/named-checkconf
-%{_sbindir}/named-checkzone
-%{_sbindir}/named-compilezone
-%dir %{_libdir}/named
-%{_libdir}/named/filter-aaaa.so
+%{_bindir}/named-checkconf
+%{_bindir}/named-checkzone
+%{_bindir}/named-compilezone
+%{_bindir}/named-journalprint
+%{_bindir}/nsec3hash
+%dir %{_libdir}/bind
+%{_libdir}/bind/filter-aaaa.so
+%{_libdir}/bind/filter-a.so
 %{_mandir}/man1/named-rrchecker.1%{ext_man}
 %{_mandir}/man5/named.conf.5%{ext_man}
-%{_mandir}/man8/named-checkconf.8%{ext_man}
-%{_mandir}/man8/named-checkzone.8%{ext_man}
+%{_mandir}/man1/named-checkconf.1%{ext_man}
+%{_mandir}/man1/named-checkzone.1%{ext_man}
 %{_mandir}/man8/named.8%{ext_man}
 %{_mandir}/man8/filter-aaaa.8%{ext_man}
+%{_mandir}/man8/filter-a.8%{ext_man}
 %dir %{_datadir}/bind
 %{_datadir}/bind/ldapdump
 %ghost %{_rundir}/named
@ -403,6 +520,34 @@ fi
 %config %{_var}/lib/named/named.root.key
 %dir %{_libexecdir}/bind
 %{_libexecdir}/bind/named.prep
+%dir %{_libdir}/bind-plugins
+
+%if %{with_modules_perl}
+%files modules-perl
+%{_libdir}/bind-plugins/dlz_perl_driver.so
+%endif
+%if %{with_modules_mysql}
+%files modules-mysql
+%{_libdir}/bind-plugins/dlz_mysql_dynamic.so
+%{_libdir}/bind-plugins/dlz_mysqldyn_mod.so
+%endif
+%if %{with_modules_ldap}
+%files modules-ldap
+%{_libdir}/bind-plugins/dlz_ldap_dynamic.so
+%endif
+%if %{with_modules_bdbhpt}
+%files modules-bdbhpt
+%{_libdir}/bind-plugins/dlz_bdbhpt_dynamic.so
+%endif
+%if %{with_modules_sqlite3}
+%files modules-sqlite3
+%{_libdir}/bind-plugins/dlz_sqlite3_dynamic.so
+%endif
+%if %{with_modules_generic}
+%files modules-generic
+%{_libdir}/bind-plugins/dlz_filesystem_dynamic.so
+%{_libdir}/bind-plugins/dlz_wildcard_dynamic.so
+%endif

 %files doc -f filelist-bind-doc
 %dir %doc %{_defaultdocdir}/bind
@ -424,27 +569,19 @@ fi
 %{_bindir}/nsupdate
 %{_bindir}/genDDNSkey
 %{_bindir}/arpaname
+%{_bindir}/dnssec-dsfromkey
+%{_bindir}/dnssec-importkey
+%{_bindir}/dnssec-keyfromlabel
+%{_bindir}/dnssec-keygen
+%{_bindir}/dnssec-revoke
+%{_bindir}/dnssec-settime
+%{_bindir}/dnssec-signzone
+%{_bindir}/dnssec-verify
+%{_bindir}/dnssec-cds
 %{_sbindir}/ddns-confgen
-%{_sbindir}/dnssec-dsfromkey
-%{_sbindir}/dnssec-importkey
-%{_sbindir}/dnssec-keyfromlabel
-%{_sbindir}/dnssec-keygen
-%{_sbindir}/dnssec-revoke
-%{_sbindir}/dnssec-settime
-%{_sbindir}/dnssec-signzone
-%{_sbindir}/dnssec-verify
-%{_sbindir}/dnssec-checkds
-%{_sbindir}/dnssec-coverage
-%{_sbindir}/dnssec-keymgr
-%{_sbindir}/dnssec-cds
-# %%{_sbindir}/genrandom
-# %%{_sbindir}/isc-hmac-fixup
-%{_sbindir}/named-journalprint
-%{_sbindir}/nsec3hash
 %{_sbindir}/rndc
 %{_sbindir}/rndc-confgen
 %{_sbindir}/tsig-keygen
-# Library files, formerly in their own, separate packages:
 %{_libdir}/libbind9-%{version}.so
 %{_libdir}/libdns-%{version}.so
 %{_libdir}/libirs-%{version}.so
@ -461,7 +598,6 @@ fi
 %{_libdir}/libns.so
 %dir %doc %{_defaultdocdir}/bind
 %{_defaultdocdir}/bind/README*.%{VENDOR}
-%{_defaultdocdir}/bind/.clang-format.headers
 %{_mandir}/man1/arpaname.1%{ext_man}
 %{_mandir}/man1/delv.1%{ext_man}
 %{_mandir}/man1/dig.1%{ext_man}
@ -469,33 +605,22 @@ fi
 %{_mandir}/man1/mdig.1%{ext_man}
 %{_mandir}/man1/nslookup.1%{ext_man}
 %{_mandir}/man1/nsupdate.1%{ext_man}
-# %%{_mandir}/man1/dnstap-read.1%%{ext_man}
+%{_mandir}/man1/dnssec-dsfromkey.1%{ext_man}
+%{_mandir}/man1/dnssec-importkey.1%{ext_man}
+%{_mandir}/man1/dnssec-keyfromlabel.1%{ext_man}
+%{_mandir}/man1/dnssec-keygen.1%{ext_man}
+%{_mandir}/man1/dnssec-revoke.1%{ext_man}
+%{_mandir}/man1/dnssec-settime.1%{ext_man}
+%{_mandir}/man1/dnssec-signzone.1%{ext_man}
+%{_mandir}/man1/dnssec-verify.1%{ext_man}
+%{_mandir}/man1/dnssec-cds.1%{ext_man}
+%{_mandir}/man1/named-compilezone.1%{ext_man}
+%{_mandir}/man1/named-journalprint.1%{ext_man}
+%{_mandir}/man1/nsec3hash.1%{ext_man}
 %{_mandir}/man5/rndc.conf.5%{ext_man}
 %{_mandir}/man8/ddns-confgen.8%{ext_man}
-%{_mandir}/man8/dnssec-dsfromkey.8%{ext_man}
-%{_mandir}/man8/dnssec-importkey.8%{ext_man}
-%{_mandir}/man8/dnssec-keyfromlabel.8%{ext_man}
-%{_mandir}/man8/dnssec-keygen.8%{ext_man}
-%{_mandir}/man8/dnssec-revoke.8%{ext_man}
-%{_mandir}/man8/dnssec-settime.8%{ext_man}
-%{_mandir}/man8/dnssec-signzone.8%{ext_man}
-%{_mandir}/man8/dnssec-verify.8%{ext_man}
-%{_mandir}/man8/dnssec-checkds.8%{ext_man}
-%{_mandir}/man8/dnssec-coverage.8%{ext_man}
-%{_mandir}/man8/dnssec-keymgr.8%{ext_man}
-%{_mandir}/man8/dnssec-cds.8%{ext_man}
-# %%{_mandir}/man8/named-nzd2nzf.8%%{ext_man}
-# %%{_mandir}/man8/genrandom.8%%{ext_man}
-# %%{_mandir}/man8/isc-hmac-fixup.8%%{ext_man}
-%{_mandir}/man8/named-journalprint.8%{ext_man}
-%{_mandir}/man8/nsec3hash.8%{ext_man}
 %{_mandir}/man8/rndc.8%{ext_man}
 %{_mandir}/man8/rndc-confgen.8%{ext_man}
-%{_mandir}/man8/named-compilezone.8%{ext_man}
 %{_mandir}/man8/tsig-keygen.8%{ext_man}

-%files -n python3-bind
-%{python3_sitelib}/isc
-%{python3_sitelib}/isc-*.egg-info
-
 %changelog
--- a/named-bootconf.diff
+++ b/named-bootconf.diff
@ -1,23 +0,0 @@
-Index: bind-9.14.7/contrib/scripts/named-bootconf.sh
-===================================================================
--- bind-9.14.7.orig/contrib/scripts/named-bootconf.sh
-+++ bind-9.14.7/contrib/scripts/named-bootconf.sh
-@@ -39,7 +39,8 @@
- # POSSIBILITY OF SUCH DAMAGE.
- 
- if [ ${OPTIONFILE-X} = X ]; then
-	WORKDIR=/tmp/`date +%s`.$$
-+        TMPDIR=`mktemp -p /tmp/ -d named-bootconf.XXXXXXXXXX` || exit 1
-+        WORKDIR=$TMPDIR/`date +%s`.$$
- 	( umask 077 ; mkdir $WORKDIR ) || {
- 		echo "unable to create work directory '$WORKDIR'" >&2 
- 		exit 1
-@@ -293,7 +294,7 @@ if [ $DUMP -eq 1 ]; then
- 	cat $ZONEFILE $COMMENTFILE
- 
- 	rm -f $OPTIONFILE $ZONEFILE $COMMENTFILE
-	rmdir $WORKDIR
-+	rm -rf $TMPDIR
- fi
- 
- exit 0
--- a/vendor-files.tar.bz2
+++ b/vendor-files.tar.bz2
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0fa62530ab1e30459f5846db88927c4eca95f557c686bc9cb1cb9efab455f1c2
-size 19509
+oid sha256:1bcc216c1bbd72cd737ee6119206121c0313a429492591335130068abcf41201
+size 20177