diff --git a/cve-2016-2776.patch b/cve-2016-2776.patch
deleted file mode 100644
index 23078f5..0000000
--- a/cve-2016-2776.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Index: bind-9.10.3-P4/lib/dns/message.c
-===================================================================
---- bind-9.10.3-P4.orig/lib/dns/message.c	2016-09-27 18:38:44.843342507 +0200
-+++ bind-9.10.3-P4/lib/dns/message.c	2016-09-27 18:38:47.871359253 +0200
-@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *m
- 	if (r.length < DNS_MESSAGE_HEADERLEN)
- 		return (ISC_R_NOSPACE);
- 
--	if (r.length < msg->reserved)
-+	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
- 		return (ISC_R_NOSPACE);
- 
- 	/*
-@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *
- 
- 	return (ISC_TRUE);
- }
--
- #endif
-+
-+static isc_result_t
-+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
-+	  dns_compress_t *cctx, isc_buffer_t *target,
-+	  unsigned int reserved, unsigned int options, unsigned int *countp)
-+{
-+	isc_result_t result;
-+
-+	/*
-+	 * Shrink the space in the buffer by the reserved amount.
-+	 */
-+	if (target->length - target->used < reserved)
-+		return (ISC_R_NOSPACE);
-+
-+	target->length -= reserved;
-+	result = dns_rdataset_towire(rdataset, owner_name,
-+				     cctx, target, options, countp);
-+	target->length += reserved;
-+
-+	return (result);
-+}
-+
- isc_result_t
- dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
- 			  unsigned int options)
-@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t
- 	/*
- 	 * Shrink the space in the buffer by the reserved amount.
- 	 */
-+	if (msg->buffer->length - msg->buffer->used < msg->reserved)
-+		return (ISC_R_NOSPACE);
- 	msg->buffer->length -= msg->reserved;
- 
- 	total = 0;
-@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg
- 		 * Render.
- 		 */
- 		count = 0;
--		result = dns_rdataset_towire(msg->opt, dns_rootname,
--					     msg->cctx, msg->buffer, 0,
--					     &count);
-+		result = renderset(msg->opt, dns_rootname, msg->cctx,
-+				   msg->buffer, msg->reserved, 0, &count);
- 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
-@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
- 		count = 0;
--		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
--					     msg->cctx, msg->buffer, 0,
--					     &count);
-+		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
-+				   msg->buffer, msg->reserved, 0, &count);
- 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
-@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg
- 		 * the owner name of a SIG(0) is irrelevant, and will not
- 		 * be set in a message being rendered.
- 		 */
--		result = dns_rdataset_towire(msg->sig0, dns_rootname,
--					     msg->cctx, msg->buffer, 0,
--					     &count);
-+		result = renderset(msg->sig0, dns_rootname, msg->cctx,
-+				   msg->buffer, msg->reserved, 0, &count);
- 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
diff --git a/cve-2016-8864.patch b/cve-2016-8864.patch
deleted file mode 100644
index 93953a1..0000000
--- a/cve-2016-8864.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-Index: bind-9.10.3-P4/lib/dns/resolver.c
-===================================================================
---- bind-9.10.3-P4.orig/lib/dns/resolver.c	2016-11-01 22:26:50.371704363 +0100
-+++ bind-9.10.3-P4/lib/dns/resolver.c	2016-11-01 22:26:54.311721418 +0100
-@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddri
- 	valarg->addrinfo = addrinfo;
- 
- 	if (!ISC_LIST_EMPTY(fctx->validators))
--		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
-+		valoptions |= DNS_VALIDATOR_DEFER;
-+	else
-+		valoptions &= ~DNS_VALIDATOR_DEFER;
- 
- 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
- 				      sigrdataset, fctx->rmessage,
-@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t
- 							   rdataset,
- 							   sigrdataset,
- 							   valoptions, task);
--					/*
--					 * Defer any further validations.
--					 * This prevents multiple validators
--					 * from manipulating fctx->rmessage
--					 * simultaneously.
--					 */
--					valoptions |= DNS_VALIDATOR_DEFER;
- 				}
- 			} else if (CHAINING(rdataset)) {
- 				if (rdataset->type == dns_rdatatype_cname)
-@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t
- 				       eresult == DNS_R_NCACHENXRRSET);
- 			}
- 			event->result = eresult;
-+			if (adbp != NULL && *adbp != NULL) {
-+				if (anodep != NULL && *anodep != NULL)
-+					dns_db_detachnode(*adbp, anodep);
-+				dns_db_detach(adbp);
-+			}
- 			dns_db_attach(fctx->cache, adbp);
- 			dns_db_transfernode(fctx->cache, &node, anodep);
- 			clone_results(fctx);
-@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adb
- 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
- 		if (event != NULL) {
- 			event->result = eresult;
-+			if (adbp != NULL && *adbp != NULL) {
-+				if (anodep != NULL && *anodep != NULL)
-+					dns_db_detachnode(*adbp, anodep);
-+				dns_db_detach(adbp);
-+			}
- 			dns_db_attach(fctx->cache, adbp);
- 			dns_db_transfernode(fctx->cache, &node, anodep);
- 			clone_results(fctx);
-@@ -6718,13 +6723,15 @@ static isc_result_t
- answer_response(fetchctx_t *fctx) {
- 	isc_result_t result;
- 	dns_message_t *message;
--	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
-+	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
-+	dns_name_t *cname = NULL;
- 	dns_rdataset_t *rdataset, *ns_rdataset;
- 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
--	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
-+	isc_boolean_t have_answer, found_cname, found_dname, found_type;
-+	isc_boolean_t wanted_chaining;
- 	unsigned int aflag;
- 	dns_rdatatype_t type;
--	dns_fixedname_t fdname, fqname;
-+	dns_fixedname_t fdname, fqname, fqdname;
- 	dns_view_t *view;
- 
- 	FCTXTRACE("answer_response");
-@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
- 
- 	done = ISC_FALSE;
- 	found_cname = ISC_FALSE;
-+	found_dname = ISC_FALSE;
- 	found_type = ISC_FALSE;
- 	chaining = ISC_FALSE;
- 	have_answer = ISC_FALSE;
-@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
- 		aa = ISC_TRUE;
- 	else
- 		aa = ISC_FALSE;
--	qname = &fctx->name;
-+	dqname = qname = &fctx->name;
- 	type = fctx->type;
- 	view = fctx->res->view;
-+	dns_fixedname_init(&fqdname);
- 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- 	while (!done && result == ISC_R_SUCCESS) {
--		dns_namereln_t namereln;
-+		dns_namereln_t namereln, dnamereln;
- 		int order;
- 		unsigned int nlabels;
- 
-@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
- 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
- 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-+		dnamereln = dns_name_fullcompare(dqname, name, &order,
-+						 &nlabels);
- 		if (namereln == dns_namereln_equal) {
- 			wanted_chaining = ISC_FALSE;
- 			for (rdataset = ISC_LIST_HEAD(name->list);
-@@ -6884,9 +6895,16 @@ answer_response(fetchctx_t *fctx) {
- 						 * a CNAME or DNAME).
- 						 */
- 						INSIST(!external);
--						if (aflag ==
--						    DNS_RDATASETATTR_ANSWER) {
-+						if ((rdataset->type !=
-+						     dns_rdatatype_cname) ||
-+						    !found_dname ||
-+						    (aflag ==
-+						     DNS_RDATASETATTR_ANSWER))
-+						{
- 							have_answer = ISC_TRUE;
-+							if (rdataset->type ==
-+							    dns_rdatatype_cname)
-+								cname = name;
- 							name->attributes |=
- 								DNS_NAMEATTR_ANSWER;
- 						}
-@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
- 					return (DNS_R_FORMERR);
- 				}
- 
--				if (namereln != dns_namereln_subdomain) {
-+				if (dnamereln != dns_namereln_subdomain) {
- 					char qbuf[DNS_NAME_FORMATSIZE];
- 					char obuf[DNS_NAME_FORMATSIZE];
- 
--					dns_name_format(qname, qbuf,
-+					dns_name_format(dqname, qbuf,
- 							sizeof(qbuf));
- 					dns_name_format(name, obuf,
- 							sizeof(obuf));
-@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
- 					want_chaining = ISC_TRUE;
- 					POST(want_chaining);
- 					aflag = DNS_RDATASETATTR_ANSWER;
--					result = dname_target(rdataset, qname,
-+					result = dname_target(rdataset, dqname,
- 							      nlabels, &fdname);
- 					if (result == ISC_R_NOSPACE) {
- 						/*
-@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
- 
- 					dname = dns_fixedname_name(&fdname);
- 					if (!is_answertarget_allowed(view,
--							qname, rdataset->type,
--							dname, &fctx->domain)) {
-+						     dqname, rdataset->type,
-+						     dname, &fctx->domain))
-+					{
- 						return (DNS_R_SERVFAIL);
- 					}
-+					dqname = dns_fixedname_name(&fqdname);
-+					dns_name_copy(dname, dqname, NULL);
- 				} else {
- 					/*
- 					 * We've found a signature that
-@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
- 					INSIST(!external);
- 					if (aflag == DNS_RDATASETATTR_ANSWER) {
- 						have_answer = ISC_TRUE;
-+						found_dname = ISC_TRUE;
-+						if (cname != NULL)
-+							cname->attributes &=
-+							   ~DNS_NAMEATTR_ANSWER;
- 						name->attributes |=
- 							DNS_NAMEATTR_ANSWER;
- 					}