bind:backport some patches

Signed-off-by: huangyu <huangyu106@huawei.com>
(cherry picked from commit cd59b6ec71f1147990c7f96b1e74baf413b7d4c9)

backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch

@@ -0,0 +1,28 @@
+From b485d95c661606e07dd99dbfbd366538694114b0 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 3 Jun 2022 16:55:56 +1000
+Subject: [PATCH] Clone the message buffer before forwarding UPDATE messages
+
+this prevents named forwarding a buffer that may have been over
+written.
+
+(cherry picked from commit 7a42417d61b4273a5819899232e4342b2ae79f03)
+---
+ lib/ns/update.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/ns/update.c b/lib/ns/update.c
+index 067ff990bdc..c4bde3d4eb2 100644
+--- a/lib/ns/update.c
++++ b/lib/ns/update.c
+@@ -1671,6 +1671,7 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
+ 		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
+ 				     "update forwarding", zonename, true,
+ 				     false));
++		dns_message_clonebuffer(client->message);
+ 		CHECK(send_forward_event(client, zone));
+ 		break;
+ 	default:
+-- 
+GitLab
+

backport-Fix-fetch-context-use-after-free-bugs.patch

@@ -0,0 +1,95 @@
+From 6505056267dffada1d0fa326f318b241f4b64747 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Fri, 8 Jul 2022 11:26:34 +0200
+Subject: [PATCH] Fix fetch context use-after-free bugs
+
+fctx_decreference() may call fctx_destroy(), which in turn may free the
+fetch context by calling isc_mem_putanddetach().  This means that
+whenever fctx_decreference() is called, the fetch context pointer should
+be assumed to point to garbage after that call.  Meanwhile, the
+following pattern is used in several places in lib/dns/resolver.c:
+
+    LOCK(&res->buckets[fctx->bucketnum].lock);
+    bucket_empty = fctx_decreference(fctx);
+    UNLOCK(&res->buckets[fctx->bucketnum].lock);
+
+Given that 'fctx' may be freed by the fctx_decreference() call, there is
+no guarantee that the value of fctx->bucketnum will be the same before
+and after the fctx_decreference() call.  This can cause all kinds of
+locking issues as LOCK() calls no longer match up with their UNLOCK()
+counterparts.
+
+Fix by always using a helper variable to hold the bucket number when the
+pattern above is used.
+
+Note that fctx_try() still uses 'fctx' after calling fctx_decreference()
+(it calls fctx_done()).  This is safe to do because the reference count
+for 'fctx' is increased a few lines earlier and it also cannot be zero
+right before that increase happens, so the fctx_decreference() call in
+that particular location never invokes fctx_destroy().  Nevertheless,
+use a helper variable for that call site as well, to retain consistency
+and to prevent copy-pasted code from causing similar problems in the
+future.
+---
+ lib/dns/resolver.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 15297024c0e..154248ec891 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -4357,9 +4357,9 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
+ 			options, 0, fctx->qc, task, resume_qmin, fctx,
+ 			&fctx->qminrrset, NULL, &fctx->qminfetch);
+ 		if (result != ISC_R_SUCCESS) {
+-			LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
++			LOCK(&res->buckets[bucketnum].lock);
+ 			RUNTIME_CHECK(!fctx_decreference(fctx));
+-			UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
++			UNLOCK(&res->buckets[bucketnum].lock);
+ 			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+ 		}
+ 		return;
+@@ -6138,9 +6138,9 @@ cleanup_event:
+ 	dns_message_detach(&message);
+ 	isc_event_free(&event);
+ 
+-	LOCK(&res->buckets[fctx->bucketnum].lock);
++	LOCK(&res->buckets[bucketnum].lock);
+ 	bucket_empty = fctx_decreference(fctx);
+-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
++	UNLOCK(&res->buckets[bucketnum].lock);
+ 	if (bucket_empty) {
+ 		empty_bucket(res);
+ 	}
+@@ -7528,6 +7528,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
+ 	dns_resolver_t *res;
+ 	fetchctx_t *fctx;
+ 	isc_result_t result;
++	uint32_t bucketnum;
+ 	bool bucket_empty;
+ 	dns_rdataset_t nameservers;
+ 	dns_fixedname_t fixed;
+@@ -7538,6 +7539,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
+ 	fctx = event->ev_arg;
+ 	REQUIRE(VALID_FCTX(fctx));
+ 	res = fctx->res;
++	bucketnum = fctx->bucketnum;
+ 
+ 	UNUSED(task);
+ 	FCTXTRACE("resume_dslookup");
+@@ -7665,9 +7667,9 @@ cleanup:
+ 	if (dns_rdataset_isassociated(&nameservers)) {
+ 		dns_rdataset_disassociate(&nameservers);
+ 	}
+-	LOCK(&res->buckets[fctx->bucketnum].lock);
++	LOCK(&res->buckets[bucketnum].lock);
+ 	bucket_empty = fctx_decreference(fctx);
+-	UNLOCK(&res->buckets[fctx->bucketnum].lock);
++	UNLOCK(&res->buckets[bucketnum].lock);
+ 	if (bucket_empty) {
+ 		empty_bucket(res);
+ 	}
+-- 
+GitLab
+

backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch

@@ -0,0 +1,107 @@
+From f8ad7501dcc3a4008764c5bdd78ae65622c8b905 Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Wed, 20 Jul 2022 11:22:01 +0200
+Subject: [PATCH] Fix rndc dumpdb -expired for stuck cache contents
+
+The command 'rndc dumpdb -expired' will include expired RRsets in the
+output, but only for the RBTDB_VIRTUAL time (of 5 minutes). This means
+that if there is a cache cleaning problem and contents are not cleaned
+up, the rndc command has little diagnostic value. Fix this by including
+all RRsets in the dumpdb output if the '-expired' flag is set.
+
+(cherry picked from commit 930ba2c914a0abc07fd087d663a7bfb57850d4ca)
+---
+ lib/dns/rbtdb.c | 43 +++++++------------------------------------
+ 1 file changed, 7 insertions(+), 36 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 87944980ec0..75832e32085 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -9102,15 +9102,10 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+ 	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+ 	rbtdb_version_t *rbtversion = rbtiterator->common.version;
+ 	rdatasetheader_t *header, *top_next;
+-	rbtdb_serial_t serial;
+-	isc_stdtime_t now;
++	rbtdb_serial_t serial = 1;
+ 
+-	if (IS_CACHE(rbtdb)) {
+-		serial = 1;
+-		now = rbtiterator->common.now;
+-	} else {
++	if (!IS_CACHE(rbtdb)) {
+ 		serial = rbtversion->serial;
+-		now = 0;
+ 	}
+ 
+ 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+@@ -9122,19 +9117,9 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+ 			if (header->serial <= serial && !IGNORE(header)) {
+ 				/*
+ 				 * Is this a "this rdataset doesn't exist"
+-				 * record?  Or is it too old in the cache?
+-				 *
+-				 * Note: unlike everywhere else, we
+-				 * check for now > header->rdh_ttl instead
+-				 * of ">=".  This allows ANY and RRSIG
+-				 *  queries for 0 TTL rdatasets to work.
++				 * record?
+ 				 */
+-				if (NONEXISTENT(header) ||
+-				    (now != 0 &&
+-				     (now - RBTDB_VIRTUAL) >
+-					     header->rdh_ttl +
+-						     rbtdb->serve_stale_ttl))
+-				{
++				if (NONEXISTENT(header)) {
+ 					header = NULL;
+ 				}
+ 				break;
+@@ -9166,22 +9151,17 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+ 	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+ 	rbtdb_version_t *rbtversion = rbtiterator->common.version;
+ 	rdatasetheader_t *header, *top_next;
+-	rbtdb_serial_t serial;
+-	isc_stdtime_t now;
+ 	rbtdb_rdatatype_t type, negtype;
+ 	dns_rdatatype_t rdtype, covers;
++	rbtdb_serial_t serial = 1;
+ 
+ 	header = rbtiterator->current;
+ 	if (header == NULL) {
+ 		return (ISC_R_NOMORE);
+ 	}
+ 
+-	if (IS_CACHE(rbtdb)) {
+-		serial = 1;
+-		now = rbtiterator->common.now;
+-	} else {
++	if (!IS_CACHE(rbtdb)) {
+ 		serial = rbtversion->serial;
+-		now = 0;
+ 	}
+ 
+ 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+@@ -9207,17 +9187,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+ 					/*
+ 					 * Is this a "this rdataset doesn't
+ 					 * exist" record?
+-					 *
+-					 * Note: unlike everywhere else, we
+-					 * check for now > header->ttl instead
+-					 * of ">=".  This allows ANY and RRSIG
+-					 * queries for 0 TTL rdatasets to work.
+ 					 */
+-					if (NONEXISTENT(header) ||
+-					    (now != 0 &&
+-					     (now - RBTDB_VIRTUAL) >
+-						     header->rdh_ttl))
+-					{
++					if (NONEXISTENT(header)) {
+ 						header = NULL;
+ 					}
+ 					break;
+-- 
+GitLab
+

backport-Fix-tkey-buildquery-function-s-error-handling.patch

@@ -0,0 +1,38 @@
+From eb72c81e6ac422f2332c6e8410461b3c0c9067b2 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan <aram@isc.org>
+Date: Mon, 15 Aug 2022 11:40:21 +0000
+Subject: [PATCH] Fix tkey.c:buildquery() function's error handling
+
+Add the missing cleanup code.
+
+(cherry picked from commit 4237ab9550eeaea7121e3e3392fd14c26b5150f0)
+---
+ lib/dns/tkey.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
+index 9259a513188..2ca78b8bd9b 100644
+--- a/lib/dns/tkey.c
++++ b/lib/dns/tkey.c
+@@ -1019,6 +1019,18 @@ failure:
+ 	if (dynbuf != NULL) {
+ 		isc_buffer_free(&dynbuf);
+ 	}
++	if (rdata != NULL) {
++		dns_message_puttemprdata(msg, &rdata);
++	}
++	if (tkeylist != NULL) {
++		dns_message_puttemprdatalist(msg, &tkeylist);
++	}
++	if (tkeyset != NULL) {
++		if (dns_rdataset_isassociated(tkeyset)) {
++			dns_rdataset_disassociate(tkeyset);
++		}
++		dns_message_puttemprdataset(msg, &tkeyset);
++	}
+ 	return (result);
+ }
+ 
+-- 
+GitLab
+

backport-Increase-the-BUFSIZ-long-buffers.patch

@@ -0,0 +1,123 @@
+From c1b8f5f30c602fd39f0f92523485587c3c32708d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 14 Jul 2022 13:48:45 +0200
+Subject: [PATCH] Increase the BUFSIZ-long buffers
+
+The BUFSIZ value varies between platforms, it could be 8K on Linux and
+512 bytes on mingw.  Make sure the buffers are always big enough for the
+output data to prevent truncation of the output by appropriately
+enlarging or sizing the buffers.
+
+(cherry picked from commit b19d932262e84608174cb89eeed32ae0212f8a87)
+---
+ bin/named/server.c              |  7 ++++++-
+ bin/tests/system/feature-test.c | 13 +++++--------
+ lib/dns/private.c               |  3 ++-
+ lib/ns/client.c                 |  7 ++++++-
+ 4 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index d3595c37a19..c339cfbc54b 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -14582,7 +14582,12 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
+ 		     result = dns_rdataset_next(&privset))
+ 		{
+ 			dns_rdata_t priv = DNS_RDATA_INIT;
+-			char output[BUFSIZ];
++			/*
++			 * In theory, the output buffer could hold a full RDATA
++			 * record which is 16-bit and then some text around
++			 * it
++			 */
++			char output[UINT16_MAX + BUFSIZ];
+ 			isc_buffer_t buf;
+ 
+ 			dns_rdataset_current(&privset, &priv);
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 4f422323434..99e1b80bb1d 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -11,6 +11,7 @@
+  * information regarding copyright ownership.
+  */
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -26,13 +27,9 @@
+ #include <Winsock2.h>
+ #endif /* ifdef WIN32 */
+ 
+-#ifndef MAXHOSTNAMELEN
+-#ifdef HOST_NAME_MAX
+-#define MAXHOSTNAMELEN HOST_NAME_MAX
+-#else /* ifdef HOST_NAME_MAX */
+-#define MAXHOSTNAMELEN 256
+-#endif /* ifdef HOST_NAME_MAX */
+-#endif /* ifndef MAXHOSTNAMELEN */
++#ifndef _POSIX_HOST_NAME_MAX
++#define _POSIX_HOST_NAME_MAX 255
++#endif
+ 
+ static void
+ usage() {
+@@ -86,7 +83,7 @@ main(int argc, char **argv) {
+ 	}
+ 
+ 	if (strcmp(argv[1], "--gethostname") == 0) {
+-		char hostname[MAXHOSTNAMELEN];
++		char hostname[_POSIX_HOST_NAME_MAX + 1];
+ 		int n;
+ #ifdef WIN32
+ 		/* From InitSocket() */
+diff --git a/lib/dns/private.c b/lib/dns/private.c
+index 58deda095a9..cbf947f8ccc 100644
+--- a/lib/dns/private.c
++++ b/lib/dns/private.c
+@@ -383,7 +383,8 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
+ 	} else if (private->length == 5) {
+ 		unsigned char alg = private->data[0];
+ 		dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
+-		char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE];
++		char keybuf[DNS_SECALG_FORMATSIZE + BUFSIZ],
++			algbuf[DNS_SECALG_FORMATSIZE];
+ 		bool del = private->data[3];
+ 		bool complete = private->data[4];
+ 
+diff --git a/lib/ns/client.c b/lib/ns/client.c
+index bf60746642d..54c35986b85 100644
+--- a/lib/ns/client.c
++++ b/lib/ns/client.c
+@@ -12,6 +12,7 @@
+  */
+ 
+ #include <inttypes.h>
++#include <limits.h>
+ #include <stdbool.h>
+ 
+ #include <isc/aes.h>
+@@ -64,6 +65,10 @@
+ #include <ns/stats.h>
+ #include <ns/update.h>
+ 
++#ifndef _POSIX_HOST_NAME_MAX
++#define _POSIX_HOST_NAME_MAX 255
++#endif
++
+ /***
+  *** Client
+  ***/
+@@ -918,7 +923,7 @@ isc_result_t
+ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+ 		 dns_rdataset_t **opt) {
+ 	unsigned char ecs[ECS_SIZE];
+-	char nsid[BUFSIZ], *nsidp;
++	char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL;
+ 	unsigned char cookie[COOKIE_SIZE];
+ 	isc_result_t result;
+ 	dns_view_t *view;
+-- 
+GitLab
+

backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch

@@ -0,0 +1,67 @@
+From 0d5e0867df94c05b7523b89e0a4135c0cec728e1 Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Mon, 11 Jul 2022 10:30:44 +0200
+Subject: [PATCH] Inherit dnssec-policy in check for inline-signing
+
+When dnssec-policy is used, and the zone is not dynamic, BIND will
+assume that the zone is inline-signed. But the function responsible
+for this did not inherit the dnssec-policy option from the view or
+options level, and thus never enabled inline-signing, while the zone
+should have been.
+
+This is fixed by this commit.
+
+(cherry picked from commit 576b21b1682605a7d04e51c8a7721180f828b2d7)
+---
+ bin/named/zoneconf.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 7a414201709..d1d45d818bc 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -2171,6 +2171,7 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
+ 	const cfg_obj_t *updatepolicy = NULL;
+ 	bool zone_is_dynamic = false;
+ 	bool inline_signing = false;
++	bool dnssec_policy = false;
+ 
+ 	(void)cfg_map_get(config, "options", &options);
+ 
+@@ -2222,16 +2223,23 @@ named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig,
+ 	 * inline-signing.
+ 	 */
+ 	signing = NULL;
+-	if (!inline_signing && !zone_is_dynamic &&
+-	    cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS &&
+-	    signing != NULL)
+-	{
+-		if (strcmp(cfg_obj_asstring(signing), "none") != 0) {
+-			inline_signing = true;
+-			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+-				     "inline-signing: "
+-				     "implicitly through dnssec-policy");
+-		}
++	res = cfg_map_get(zoptions, "dnssec-policy", &signing);
++	if (res != ISC_R_SUCCESS && voptions != NULL) {
++		res = cfg_map_get(voptions, "dnssec-policy", &signing);
++	}
++	if (res != ISC_R_SUCCESS && options != NULL) {
++		res = cfg_map_get(options, "dnssec-policy", &signing);
++	}
++	if (res == ISC_R_SUCCESS) {
++		dnssec_policy = (strcmp(cfg_obj_asstring(signing), "none") !=
++				 0);
++	}
++
++	if (!inline_signing && !zone_is_dynamic && dnssec_policy) {
++		inline_signing = true;
++		dns_zone_log(zone, ISC_LOG_DEBUG(1),
++			     "inline-signing: "
++			     "implicitly through dnssec-policy");
+ 	}
+ 
+ 	return (inline_signing);
+-- 
+GitLab
+

backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch

@@ -0,0 +1,80 @@
+From 111b215987a1cccc2e55a0fea4d8621103d9de9f Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Wed, 13 Jul 2022 10:28:59 +0200
+Subject: [PATCH] Reject zones with TTL higher than dnssec-policy max-zone-ttl
+
+Reject loading of zones with TTL higher than the max-zone-ttl
+from the dnssec-policy.
+
+With this change, any zone with a dnssec-policy in use will ignore
+the max-zone-ttl option in zone/view/options.
+---
+ bin/named/zoneconf.c | 38 +++++++++++++++++---------------------
+ 1 file changed, 17 insertions(+), 21 deletions(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index d1d45d818bc..c918d0ac248 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -897,6 +897,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ 	dns_stats_t *dnssecsignstats;
+ 	dns_zonestat_level_t statlevel = dns_zonestat_none;
+ 	int seconds;
++	dns_ttl_t maxttl = 0; /* unlimited */
+ 	dns_zone_t *mayberaw = (raw != NULL) ? raw : zone;
+ 	isc_dscp_t dscp;
+ 
+@@ -1060,27 +1061,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ 		}
+ 	}
+ 
+-	obj = NULL;
+-	result = named_config_get(maps, "max-zone-ttl", &obj);
+-	if (result == ISC_R_SUCCESS && masterformat == dns_masterformat_map) {
+-		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+-			      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
+-			      "zone '%s': 'max-zone-ttl' is not compatible "
+-			      "with 'masterfile-format map'",
+-			      zname);
+-		return (ISC_R_FAILURE);
+-	} else if (result == ISC_R_SUCCESS) {
+-		dns_ttl_t maxttl = 0; /* unlimited */
+-
+-		if (cfg_obj_isduration(obj)) {
+-			maxttl = cfg_obj_asduration(obj);
+-		}
+-		dns_zone_setmaxttl(zone, maxttl);
+-		if (raw != NULL) {
+-			dns_zone_setmaxttl(raw, maxttl);
+-		}
+-	}
+-
+ 	obj = NULL;
+ 	result = named_config_get(maps, "max-records", &obj);
+ 	INSIST(result == ISC_R_SUCCESS && obj != NULL);
+@@ -1534,6 +1514,22 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ 		dns_zone_setjournalsize(zone, journal_size);
+ 	}
+ 
++	if (use_kasp) {
++		maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone));
++	} else {
++		obj = NULL;
++		result = named_config_get(maps, "max-zone-ttl", &obj);
++		if (result == ISC_R_SUCCESS) {
++			if (cfg_obj_isduration(obj)) {
++				maxttl = cfg_obj_asduration(obj);
++			}
++		}
++	}
++	dns_zone_setmaxttl(zone, maxttl);
++	if (raw != NULL) {
++		dns_zone_setmaxttl(raw, maxttl);
++	}
++
+ 	/*
+ 	 * Configure update-related options.  These apply to
+ 	 * primary servers only.
+-- 
+GitLab
+

backport-disassociate-rdatasets-when-cleaning-up.patch

@@ -0,0 +1,31 @@
+From f2855facbeb19c51befed1c858f4d28b8306f886 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 21 Dec 2021 12:44:17 +1100
+Subject: [PATCH] disassociate rdatasets when cleaning up
+
+free_namelist could be passed names with associated rdatasets
+when handling errors.  These need to be disassociated before
+calling dns_message_puttemprdataset.
+
+(cherry picked from commit 745d5edc3a8ca6f232b2d700ae076c2caee2bfc5)
+---
+ lib/dns/tkey.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
+index e6e44526a9c..9259a513188 100644
+--- a/lib/dns/tkey.c
++++ b/lib/dns/tkey.c
+@@ -226,6 +226,9 @@ free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
+ 		while (!ISC_LIST_EMPTY(name->list)) {
+ 			set = ISC_LIST_HEAD(name->list);
+ 			ISC_LIST_UNLINK(name->list, set, link);
++			if (dns_rdataset_isassociated(set)) {
++				dns_rdataset_disassociate(set);
++			}
+ 			dns_message_puttemprdataset(msg, &set);
+ 		}
+ 		dns_message_puttempname(msg, &name);
+-- 
+GitLab
+

backport-dont-enabled-serve-stale-on-duplicate-queries.patch

@@ -0,0 +1,36 @@
+From dd7dde5743715dc0dec2defbb92b1a8637977bf9 Mon Sep 17 00:00:00 2001
+From: Matthijs Mekking <matthijs@isc.org>
+Date: Tue, 2 Aug 2022 14:21:40 +0200
+Subject: [PATCH] Don't enable serve-stale on duplicate queries
+
+When checking if we should enable serve-stale, add an early out case
+when the result is an error signalling a duplicate query or a query
+that would be dropped.
+
+(cherry picked from commit 059a4c2f4d9d3cff371842f43208d021509314fa)
+---
+ lib/ns/query.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index d0f025dbb9a..1bf36fea283 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -7230,6 +7230,14 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
+ 		return (false);
+ 	}
+ 
++	if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) {
++		/*
++		 * Don't enable serve-stale if the result signals a duplicate
++		 * query or query that is being dropped.
++		 */
++		return (false);
++	}
++
+ 	qctx_clean(qctx);
+ 	qctx_freedata(qctx);
+ 
+-- 
+GitLab
+

bind.spec

@@ -30,7 +30,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.23
-Release:  12
+Release:  13
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -157,6 +157,15 @@ Patch6083:backport-0043-Check-for-overflow-in-GENERATE-computations.patch
 Patch6084:backport-0043-Tighten-GENERATE-directive-parsing.patch
 Patch6085:backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch
 Patch6086:backport-0045-Move-setting-the-sock-write_timeout-to-the-async_-se.patch
+Patch6087:backport-Clone-the-message-buffer-before-forwarding-UPDATE-me.patch
+Patch6088:backport-disassociate-rdatasets-when-cleaning-up.patch
+Patch6089:backport-dont-enabled-serve-stale-on-duplicate-queries.patch
+Patch6090:backport-Fix-fetch-context-use-after-free-bugs.patch
+Patch6091:backport-Fix-rndc-dumpdb-expired-for-stuck-cache-contents.patch
+Patch6092:backport-Fix-tkey-buildquery-function-s-error-handling.patch
+Patch6093:backport-Increase-the-BUFSIZ-long-buffers.patch
+Patch6094:backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch
+Patch6095:backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch
 
 Patch6002:backport-CVE-2022-2795.patch
 Patch6003:backport-CVE-2022-3080.patch
@@ -1173,6 +1182,12 @@ fi;
 %endif
 
 %changelog
+* Wed Dec 28 2022 huangyu <huangyu106@huawei.com> - 32:9.16.23-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: backport some patches from community
+
 * Sat Nov 26 2022 jiangheng <jiangheng14@huawei.com> - 32:9.16.23-12
 - Type:bugfix
 - CVE:NA