!169 [sync] PR-168: fix some patches from commity

From: @openeuler-sync-bot 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
openeuler-ci-bot 2023-04-12 07:09:28 +00:00 committed by Gitee
commit 2c6607f78f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
17 changed files with 1230 additions and 387 deletions


@ -0,0 +1,60 @@
From f1c08fe93ba35343534d893f3efcfa6f5d97fdf0 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 10 Jan 2023 13:51:49 +1100
Subject: [PATCH] Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24
Arthimetic on NULL pointers is undefined. Avoid arithmetic operations
when 'in' is NULL and require 'in' to be non-NULL if 'inlen' is not zero.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/f1c08fe93ba35343534d893f3efcfa6f5d97fdf0
(cherry picked from commit 349c23dbb7a4f3ffe29f3c9deff418aab6266fd0)
---
lib/isc/siphash.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/isc/siphash.c b/lib/isc/siphash.c
index 1a863ff8e1..a6e60cf02f 100644
--- a/lib/isc/siphash.c
+++ b/lib/isc/siphash.c
@@ -91,6 +91,7 @@ isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
uint8_t *out) {
REQUIRE(k != NULL);
REQUIRE(out != NULL);
+ REQUIRE(inlen == 0 || in != NULL);
uint64_t k0 = U8TO64_LE(k);
uint64_t k1 = U8TO64_LE(k + 8);
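Review bot: The new precondition `REQUIRE(inlen == 0 || in != NULL);` changes the caller-visible contract of isc_siphash24(), but the hunk adds no documentation for it; the same applies to the matching hunk in isc_halfsiphash24(). I would add a line above the check, e.g. `/* 'in' may be NULL only when 'inlen' is 0. */`, and mirror it in the API comment in the header, which is not part of this patch. The later `(in == NULL) ? NULL : ...` initialiser of `end` depends on this REQUIRE to guarantee that `inlen` is 0 whenever `in` is NULL, which is worth stating next to it as well. Both function bodies continue outside the hunks shown.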
@@ -102,7 +103,9 @@ isc_siphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
uint64_t b = ((uint64_t)inlen) << 56;
- const uint8_t *end = in + inlen - (inlen % sizeof(uint64_t));
+ const uint8_t *end = (in == NULL)
+ ? NULL
+ : in + inlen - (inlen % sizeof(uint64_t));
const size_t left = inlen & 7;
for (; in != end; in += 8) {
@@ -169,6 +172,7 @@ isc_halfsiphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
uint8_t *out) {
REQUIRE(k != NULL);
REQUIRE(out != NULL);
+ REQUIRE(inlen == 0 || in != NULL);
uint32_t k0 = U8TO32_LE(k);
uint32_t k1 = U8TO32_LE(k + 4);
@@ -180,7 +184,9 @@ isc_halfsiphash24(const uint8_t *k, const uint8_t *in, const size_t inlen,
uint32_t b = ((uint32_t)inlen) << 24;
- const uint8_t *end = in + inlen - (inlen % sizeof(uint32_t));
+ const uint8_t *end = (in == NULL)
+ ? NULL
+ : in + inlen - (inlen % sizeof(uint32_t));
const int left = inlen & 3;
for (; in != end; in += 4) {
--
2.23.0


@ -0,0 +1,67 @@
From cb083876c192fa32d2984508491bac96a4236137 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 17 Jan 2023 07:18:16 +0100
Subject: [PATCH] Detach the views in zone_shutdown(), not in zone_free()
The .view (and possibly .prev_view) would be kept attached to the
removed zone until the zone is fully removed from the memory in
zone_free(). If this process is delayed because server is busy
something else like doing constant `rndc reconfig`, it could take
seconds to detach the view, possibly keeping multiple dead views in the
memory. This could quickly lead to a massive memory bloat.
Release the views early in the zone_shutdown() call, and don't wait
until the zone is freed.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/cb083876c192fa32d2984508491bac96a4236137
(cherry picked from commit 13bb8212804ce385010387d681a6623481921023)
---
lib/dns/zone.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 51e2fc6cf2..9b025cdcaf 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1246,6 +1246,8 @@ zone_free(dns_zone_t *zone) {
INSIST(zone->readio == NULL);
INSIST(zone->statelist == NULL);
INSIST(zone->writeio == NULL);
+ INSIST(zone->view == NULL);
+ INSIST(zone->prev_view == NULL);
if (zone->task != NULL) {
isc_task_detach(&zone->task);
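Review bot: The two added INSISTs turn a missed detach into an assertion failure, so every path into zone_free() must now have cleared `zone->view` and `zone->prev_view` first. Only zone_shutdown() is shown doing that; if a zone can reach zone_free() without zone_shutdown() having run (for example a zone with no task, which is not visible here), named would abort where it previously just released the weak reference. Please confirm that path and, if the invariant holds, record it above the checks with something like `/* Views are released in zone_shutdown() before the zone is freed. */`. The detach added in zone_shutdown() also runs under LOCK_ZONE, which the next patch in this commit moves outside the lock, so the two should be applied together.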
@@ -1253,12 +1255,6 @@ zone_free(dns_zone_t *zone) {
if (zone->loadtask != NULL) {
isc_task_detach(&zone->loadtask);
}
- if (zone->view != NULL) {
- dns_view_weakdetach(&zone->view);
- }
- if (zone->prev_view != NULL) {
- dns_view_weakdetach(&zone->prev_view);
- }
/* Unmanaged objects */
while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
@@ -14971,6 +14967,15 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
LOCK_ZONE(zone);
INSIST(zone != zone->raw);
+
+ /* Detach the views early, we don't need them anymore */
+ if (zone->view != NULL) {
+ dns_view_weakdetach(&zone->view);
+ }
+ if (zone->prev_view != NULL) {
+ dns_view_weakdetach(&zone->prev_view);
+ }
+
if (linked) {
isc_refcount_decrement(&zone->irefs);
}
--
2.23.0


@ -0,0 +1,70 @@
From 4b222f154bc3d5d6755cf7089948bd4522ddb7af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 19 Jan 2023 09:14:53 +0100
Subject: [PATCH] Detach the zone views outside of the zone lock
Detaching the views in the zone_shutdown() could lead to
lock-order-inversion between adb->namelocks[bucket], adb->lock,
view->lock and zone->lock. Detach the views outside of the section that
zone-locked.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b222f154bc3d5d6755cf7089948bd4522ddb7af
(cherry picked from commit 978a0ef84cfb08435c1b7664c6328521b743fb02)
---
lib/dns/zone.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 9b025cdcaf..1763dbc306 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -14922,6 +14922,7 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
bool free_needed, linked = false;
dns_zone_t *raw = NULL, *secure = NULL;
+ dns_view_t *view = NULL, *prev_view = NULL;
UNUSED(task);
REQUIRE(DNS_ZONE_VALID(zone));
@@ -14968,13 +14969,15 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
LOCK_ZONE(zone);
INSIST(zone != zone->raw);
- /* Detach the views early, we don't need them anymore */
- if (zone->view != NULL) {
- dns_view_weakdetach(&zone->view);
- }
- if (zone->prev_view != NULL) {
- dns_view_weakdetach(&zone->prev_view);
- }
+ /*
+ * Detach the views early, we don't need them anymore. However, we need
+ * to detach them outside of the zone lock to break the lock loop
+ * between view, adb and zone locks.
+ */
+ view = zone->view;
+ zone->view = NULL;
+ prev_view = zone->prev_view;
+ zone->prev_view = NULL;
if (linked) {
isc_refcount_decrement(&zone->irefs);
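Review bot: The rewritten comment still opens with "Detach the views early", but this block only moves the pointers into locals; the dns_view_weakdetach() calls now happen after UNLOCK_ZONE near the end of zone_shutdown(). A wording closer to the code would be `/* Take the view pointers now; they are detached after UNLOCK_ZONE to avoid a view/adb/zone lock-order inversion. */`. Any return between this block and the unlock (that region is outside the hunks) would leak both weak references, so it is worth checking that there is none.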
@@ -15036,6 +15039,14 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
zone->secure = NULL;
}
UNLOCK_ZONE(zone);
+
+ if (view != NULL) {
+ dns_view_weakdetach(&view);
+ }
+ if (prev_view != NULL) {
+ dns_view_weakdetach(&prev_view);
+ }
+
if (raw != NULL) {
dns_zone_detach(&raw);
}
--
2.23.0


@ -0,0 +1,84 @@
From 2a9300a3bcd2c2cb5027e3435c53d2b8d94d72fd Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 10 Jan 2023 17:15:09 +1100
Subject: [PATCH] Don't perform arithmetic on NULL pointers
When node is NULL when calling getparent() et al. they return NULL
but performing arithmetic on the NULL pointer is undefined. Check
if 'node' or 'header' is NULL and skip the adjustment.
Conflict: The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2a9300a3bcd2c2cb5027e3435c53d2b8d94d72fd
---
lib/dns/rbt.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 7f2c2d2..3fa2999 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -166,6 +166,10 @@ serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
dns_rbtdatawriter_t datawriter, void *writer_arg,
uintptr_t *where, uint64_t *crc);
+#define ADJUST_ADDRESS(address, relative, header) \
+ if (address != NULL && header != NULL) { \
+ address += relative * (uintptr_t)header; \
+ }
/*
* The following functions allow you to get the actual address of a pointer
* without having to use an if statement to check to see if that address is
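Review bot: ADJUST_ADDRESS expands to a bare `if { ... }` block with unparenthesised arguments, so each call site `ADJUST_ADDRESS(...);` leaves a stray empty statement, and the macro would mis-bind if it were ever placed before an `else` or given a compound expression. Wrapping it in `do { ... } while (0)` and parenthesising the arguments, or using a small static inline helper, avoids that. Separately, the guard tests the loaded field rather than `node`: getparent() and the other accessors still evaluate `node->parent` and friends before the macro runs, so a NULL `node` is not covered by this change.

```c
#define ADJUST_ADDRESS(address, relative, header)                     \
	do {                                                           \
		if ((address) != NULL && (header) != NULL) {           \
			(address) += (relative) * (uintptr_t)(header); \
		}                                                      \
	} while (0)
```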
@@ -174,7 +178,8 @@ serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
static inline dns_rbtnode_t *
getparent(dns_rbtnode_t *node, file_header_t *header) {
char *adjusted_address = (char *)(node->parent);
- adjusted_address += node->parent_is_relative * (uintptr_t)header;
+
+ ADJUST_ADDRESS(adjusted_address, node->parent_is_relative, header);
return ((dns_rbtnode_t *)adjusted_address);
}
@@ -182,7 +187,8 @@ getparent(dns_rbtnode_t *node, file_header_t *header) {
static inline dns_rbtnode_t *
getleft(dns_rbtnode_t *node, file_header_t *header) {
char *adjusted_address = (char *)(node->left);
- adjusted_address += node->left_is_relative * (uintptr_t)header;
+
+ ADJUST_ADDRESS(adjusted_address, node->left_is_relative, header);
return ((dns_rbtnode_t *)adjusted_address);
}
@@ -190,7 +196,8 @@ getleft(dns_rbtnode_t *node, file_header_t *header) {
static inline dns_rbtnode_t *
getright(dns_rbtnode_t *node, file_header_t *header) {
char *adjusted_address = (char *)(node->right);
- adjusted_address += node->right_is_relative * (uintptr_t)header;
+
+ ADJUST_ADDRESS(adjusted_address, node->right_is_relative, header);
return ((dns_rbtnode_t *)adjusted_address);
}
@@ -198,7 +205,8 @@ getright(dns_rbtnode_t *node, file_header_t *header) {
static inline dns_rbtnode_t *
getdown(dns_rbtnode_t *node, file_header_t *header) {
char *adjusted_address = (char *)(node->down);
- adjusted_address += node->down_is_relative * (uintptr_t)header;
+
+ ADJUST_ADDRESS(adjusted_address, node->down_is_relative, header);
return ((dns_rbtnode_t *)adjusted_address);
}
@@ -206,7 +214,8 @@ getdown(dns_rbtnode_t *node, file_header_t *header) {
static inline dns_rbtnode_t *
getdata(dns_rbtnode_t *node, file_header_t *header) {
char *adjusted_address = (char *)(node->data);
- adjusted_address += node->data_is_relative * (uintptr_t)header;
+
+ ADJUST_ADDRESS(adjusted_address, node->data_is_relative, header);
return ((dns_rbtnode_t *)adjusted_address);
}
--
2.33.0


@ -0,0 +1,33 @@
From 466a05eaf0070f6984d50428454ab399258da5e1 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 27 Feb 2023 12:06:37 +0000
Subject: [PATCH] Fix a cleanup bug when isc_task_create() fails in
dns_catz_new_zones()
Use isc_mem_putanddetach() instead of isc_mem_put() to detach from the
memory context.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/466a05eaf0070f6984d50428454ab399258da5e1
(cherry picked from commit 9050481d1f3db1a007fb02ab1b186af94d2de1bc)
---
lib/dns/catz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 92823a3..eb28838 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -661,7 +661,7 @@ cleanup_ht:
cleanup_refcount:
isc_refcount_destroy(&new_zones->refs);
isc_mutex_destroy(&new_zones->lock);
- isc_mem_put(mctx, new_zones, sizeof(*new_zones));
+ isc_mem_putanddetach(&new_zones->mctx, new_zones, sizeof(*new_zones));
return (result);
}
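Review bot: The cleanup at `cleanup_refcount` now reads `new_zones->mctx`, so it is only correct if the memory context was attached into `new_zones` before any `goto` that can reach this label; that attach is outside the hunk. A short comment at the label, e.g. `/* new_zones->mctx is attached before the first failure point; release it together with the object. */`, would keep a later reordering of the setup code from reintroducing the leak or detaching an unset pointer. The function body starts outside the hunk.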
--
2.33.0


@ -0,0 +1,62 @@
From 272afcd999cb07593f5dd943e22dc1a03d42b090 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Thu, 5 Jan 2023 15:01:35 +0000
Subject: [PATCH] Fix a use-after-free bug in dns_zonemgr_releasezone()
The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its references count, after decreasing it) inside
a lock, and then destroys the object outside of the lock.
This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.
Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/272afcd999cb07593f5dd943e22dc1a03d42b090
(cherry picked from commit c1fc2122531bdd27ca38434a2632e8dac532bc13)
---
lib/dns/zone.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 4b864da..bf47aa0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -18815,8 +18815,6 @@ unlock:
void
dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- bool free_now = false;
-
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(DNS_ZONEMGR_VALID(zmgr));
REQUIRE(zone->zmgr == zmgr);
@@ -18828,19 +18826,13 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
zonemgr_keymgmt_delete(zmgr, zone);
+ /* Detach below, outside of the write lock. */
zone->zmgr = NULL;
- if (isc_refcount_decrement(&zmgr->refs) == 1) {
- free_now = true;
- }
-
UNLOCK_ZONE(zone);
RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- if (free_now) {
- zonemgr_free(zmgr);
- }
- ENSURE(zone->zmgr == NULL);
+ dns_zonemgr_detach(&zmgr);
}
void
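Review bot: The added comment `/* Detach below, outside of the write lock. */` says where the detach happens but not why, and the reason is the whole point of the fix. Something like `/* Drop the zone's zmgr reference via dns_zonemgr_detach() after unlocking: deciding to free under the lock and freeing outside it races with a concurrent detach. */` would stop a later cleanup from folding the decrement back into the locked section. After the final `dns_zonemgr_detach(&zmgr);` the manager may already be destroyed, so nothing that touches `zmgr` should be added after it.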
--
2.33.0


@ -0,0 +1,62 @@
From e4b5ca92ea33c3a08403b84f6b5260ba89206d8c Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 23 Feb 2023 15:43:51 +1100
Subject: [PATCH] Fix backport error in
84929d1cd7e1042452094ceeae969324b9df504f
Not all the RETERR's in named_zone_configure where converted to
CHECK's, as was the case in main, leading to a memory leak with
the early returns.
Conflict: The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e4b5ca92ea33c3a08403b84f6b5260ba89206d8c
---
bin/named/zoneconf.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 8656602..8de3a88 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1272,9 +1272,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
zone, ipkl.addrs, ipkl.dscps, ipkl.keys,
ipkl.count);
dns_ipkeylist_clear(mctx, &ipkl);
- RETERR(result);
+ CHECK(result);
} else {
- RETERR(dns_zone_setalsonotify(zone, NULL, 0));
+ CHECK(dns_zone_setalsonotify(zone, NULL, 0));
}
obj = NULL;
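Review bot: Every `CHECK(...)` introduced here jumps to a `cleanup:` label in named_zone_configure() that this patch does not add. The label comes from the dns_kasp_attach/dns_kasp_detach patch in the same commit, whose resulting blob `8656602` is this patch's base. The two therefore have to be applied in that order in the package's patch list (not visible on this page), otherwise this one will not apply or build. In the third hunk the `CHECK(result);` inside the `if` branch is followed by another `CHECK(result);` after the `else`, so the inner one is redundant for control flow and could be dropped for readability.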
@@ -1721,9 +1721,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = dns_zone_setparentals(zone, ipkl.addrs,
ipkl.keys, ipkl.count);
dns_ipkeylist_clear(mctx, &ipkl);
- RETERR(result);
+ CHECK(result);
} else {
- RETERR(dns_zone_setparentals(zone, NULL, NULL, 0));
+ CHECK(dns_zone_setparentals(zone, NULL, NULL, 0));
}
}
@@ -1936,11 +1936,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
mayberaw, ipkl.addrs, ipkl.keys, ipkl.count);
count = ipkl.count;
dns_ipkeylist_clear(mctx, &ipkl);
- RETERR(result);
+ CHECK(result);
} else {
result = dns_zone_setprimaries(mayberaw, NULL, 0);
}
- RETERR(result);
+ CHECK(result);
multi = false;
if (count > 1) {
--
2.33.0


@ -0,0 +1,32 @@
From 1950629ffade5531d102639261a31321f8cdbb39 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Fri, 9 Dec 2022 12:41:38 +0000
Subject: [PATCH] Fix dns_fwdtable_addfwd() error path cleanup bug
Free 'sizeof(dns_forwarder_t)' bytes of memory instead of
'sizeof(dns_sockaddr_t)' bytes, because `fwd` is a pointer
to a 'dns_forwarder_t' type structure.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1950629ffade5531d102639261a31321f8cdbb39
(cherry picked from commit 0cc1b06d98676ab66200d388c48c3cd615aa0109)
---
lib/dns/forward.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index 53d0c5ee4e..c7c54cddce 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -103,7 +103,7 @@ cleanup:
while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
- isc_mem_put(fwdtable->mctx, fwd, sizeof(isc_sockaddr_t));
+ isc_mem_put(fwdtable->mctx, fwd, sizeof(dns_forwarder_t));
}
isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
return (result);
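Review bot: The corrected size is still spelled as a type name, which is how the original mismatch (`isc_sockaddr_t` for a `dns_forwarder_t` object) went unnoticed. Tying it to the pointer, `isc_mem_put(fwdtable->mctx, fwd, sizeof(*fwd));`, keeps the size right if the element type changes; the same applies to the `forwarders` put on the following line. The size matters because isc_mem_put() is told the allocation size by the caller, so a wrong value is presumably only caught at run time by the allocator's own checks, if at all. The cleanup block starts outside the hunk.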
--
2.23.0


@ -0,0 +1,474 @@
From b49a3a56c92c65c53561bbd5f01738689aea335f Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 21 Feb 2023 12:15:01 +1100
Subject: [PATCH] Fix dns_kasp_attach / dns_kasp_detach usage
The kasp pointers in dns_zone_t should consistently be changed by
dns_kasp_attach and dns_kasp_detach so the usage is balanced.
Conflict:The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b49a3a56c92c65c53561bbd5f01738689aea335f
(cherry picked from commit b41882cc75c9d820c5642c88a6cd90fec32b8397)
---
bin/named/zoneconf.c | 154 ++++++++++++++++++++++---------------------
lib/dns/zone.c | 8 +--
2 files changed, 83 insertions(+), 79 deletions(-)
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 4691fdc..8656602 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -924,8 +924,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
maps[i] = NULL;
if (vconfig != NULL) {
- RETERR(named_config_getclass(cfg_tuple_get(vconfig, "class"),
- dns_rdataclass_in, &vclass));
+ CHECK(named_config_getclass(cfg_tuple_get(vconfig, "class"),
+ dns_rdataclass_in, &vclass));
} else {
vclass = dns_rdataclass_in;
}
@@ -936,8 +936,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
- RETERR(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass,
- &zclass));
+ CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass,
+ &zclass));
dns_zone_setclass(zone, zclass);
if (raw != NULL) {
dns_zone_setclass(raw, zclass);
@@ -957,7 +957,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
}
if (cpval == NULL) {
- return (ISC_R_NOMEMORY);
+ CHECK(ISC_R_NOMEMORY);
}
obj = NULL;
@@ -972,7 +972,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"zone '%s': both 'database' and 'dlz' "
"specified",
zname);
- return (ISC_R_FAILURE);
+ CHECK(ISC_R_FAILURE);
}
len = strlen(dlzname) + 5;
@@ -983,7 +983,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = strtoargv(mctx, cpval, &dbargc, &dbargv);
if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
isc_mem_free(mctx, cpval);
- return (result);
+ CHECK(result);
}
/*
@@ -1012,7 +1012,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
"zone '%s': 'file' not specified", zname);
- return (ISC_R_FAILURE);
+ CHECK(ISC_R_FAILURE);
}
if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
@@ -1051,7 +1051,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"can only be used with "
"'masterfile-format text'",
zname);
- return (ISC_R_FAILURE);
+ CHECK(ISC_R_FAILURE);
}
if (strcasecmp(masterstylestr, "full") == 0) {
@@ -1077,47 +1077,45 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
size_t signedlen = strlen(filename) + sizeof(SIGNED);
char *signedname;
- RETERR(dns_zone_setfile(raw, filename, masterformat,
- masterstyle));
+ CHECK(dns_zone_setfile(raw, filename, masterformat,
+ masterstyle));
signedname = isc_mem_get(mctx, signedlen);
(void)snprintf(signedname, signedlen, "%s" SIGNED, filename);
result = dns_zone_setfile(zone, signedname,
dns_masterformat_raw, NULL);
isc_mem_put(mctx, signedname, signedlen);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
+ CHECK(result);
} else {
- RETERR(dns_zone_setfile(zone, filename, masterformat,
- masterstyle));
+ CHECK(dns_zone_setfile(zone, filename, masterformat,
+ masterstyle));
}
obj = NULL;
result = cfg_map_get(zoptions, "journal", &obj);
if (result == ISC_R_SUCCESS) {
- RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));
+ CHECK(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj)));
}
/*
* Notify messages are processed by the raw zone if it exists.
*/
if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
- RETERR(configure_zone_acl(
- zconfig, vconfig, config, allow_notify, ac, mayberaw,
- dns_zone_setnotifyacl, dns_zone_clearnotifyacl));
+ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_notify,
+ ac, mayberaw, dns_zone_setnotifyacl,
+ dns_zone_clearnotifyacl));
}
/*
* XXXAG This probably does not make sense for stubs.
*/
- RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query, ac,
- zone, dns_zone_setqueryacl,
- dns_zone_clearqueryacl));
+ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query, ac,
+ zone, dns_zone_setqueryacl,
+ dns_zone_clearqueryacl));
- RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac,
- zone, dns_zone_setqueryonacl,
- dns_zone_clearqueryonacl));
+ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac,
+ zone, dns_zone_setqueryonacl,
+ dns_zone_clearqueryonacl));
obj = NULL;
result = named_config_get(maps, "dialup", &obj);
@@ -1176,10 +1174,10 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
rcvquerystats = NULL;
dnssecsignstats = NULL;
if (statlevel == dns_zonestat_full) {
- RETERR(isc_stats_create(mctx, &zoneqrystats,
- ns_statscounter_max));
- RETERR(dns_rdatatypestats_create(mctx, &rcvquerystats));
- RETERR(dns_dnssecsignstats_create(mctx, &dnssecsignstats));
+ CHECK(isc_stats_create(mctx, &zoneqrystats,
+ ns_statscounter_max));
+ CHECK(dns_rdatatypestats_create(mctx, &rcvquerystats));
+ CHECK(dns_dnssecsignstats_create(mctx, &dnssecsignstats));
}
dns_zone_setrequeststats(zone, zoneqrystats);
dns_zone_setrcvquerystats(zone, rcvquerystats);
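Review bot: With the three creates chained through `CHECK`, a failure in dns_rdatatypestats_create() or dns_dnssecsignstats_create() jumps to `cleanup:` while the stats objects created just before are still held only by the locals, and the new cleanup block at the end of the function releases nothing but `kasp`. Unless those locals are released elsewhere (the rest of the function is outside the hunk), this is the same kind of early-exit leak the patch removes for kasp. Consider detaching `zoneqrystats`, `rcvquerystats` and `dnssecsignstats` in `cleanup:` when they are non-NULL, which needs them initialised to NULL at declaration and cleared after the normal-path release.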
@@ -1218,7 +1216,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_LOG_ERROR,
"dnssec-policy '%s' not found ",
kaspname);
- RETERR(result);
+ CHECK(result);
}
dns_zone_setkasp(zone, kasp);
use_kasp = true;
@@ -1268,8 +1266,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_ipkeylist_t ipkl;
dns_ipkeylist_init(&ipkl);
- RETERR(named_config_getipandkeylist(config, "primaries",
- obj, mctx, &ipkl));
+ CHECK(named_config_getipandkeylist(config, "primaries",
+ obj, mctx, &ipkl));
result = dns_zone_setalsonotifydscpkeys(
zone, ipkl.addrs, ipkl.dscps, ipkl.keys,
ipkl.count);
@@ -1282,48 +1280,48 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = named_config_get(maps, "parental-source", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setparentalsrc4dscp(zone, dscp));
+ CHECK(dns_zone_setparentalsrc4dscp(zone, dscp));
named_add_reserved_dispatch(named_g_server,
cfg_obj_assockaddr(obj));
obj = NULL;
result = named_config_get(maps, "parental-source-v6", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setparentalsrc6dscp(zone, dscp));
+ CHECK(dns_zone_setparentalsrc6dscp(zone, dscp));
named_add_reserved_dispatch(named_g_server,
cfg_obj_assockaddr(obj));
obj = NULL;
result = named_config_get(maps, "notify-source", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setnotifysrc4dscp(zone, dscp));
+ CHECK(dns_zone_setnotifysrc4dscp(zone, dscp));
named_add_reserved_dispatch(named_g_server,
cfg_obj_assockaddr(obj));
obj = NULL;
result = named_config_get(maps, "notify-source-v6", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setnotifysrc6dscp(zone, dscp));
+ CHECK(dns_zone_setnotifysrc6dscp(zone, dscp));
named_add_reserved_dispatch(named_g_server,
cfg_obj_assockaddr(obj));
@@ -1335,7 +1333,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setisself(zone, isself, named_g_server->interfacemgr);
- RETERR(configure_zone_acl(
+ CHECK(configure_zone_acl(
zconfig, vconfig, config, allow_transfer, ac, zone,
dns_zone_setxfracl, dns_zone_clearxfracl));
@@ -1373,7 +1371,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"%" PRId64 "' "
"is too large",
value);
- RETERR(ISC_R_RANGE);
+ CHECK(ISC_R_RANGE);
}
journal_size = (uint32_t)value;
}
@@ -1515,7 +1513,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
"%" PRId64 "' "
"is too large",
value);
- RETERR(ISC_R_RANGE);
+ CHECK(ISC_R_RANGE);
}
journal_size = (uint32_t)value;
}
@@ -1545,9 +1543,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (ztype == dns_zone_primary) {
dns_acl_t *updateacl;
- RETERR(configure_zone_acl(
- zconfig, vconfig, config, allow_update, ac, mayberaw,
- dns_zone_setupdateacl, dns_zone_clearupdateacl));
+ CHECK(configure_zone_acl(zconfig, vconfig, config, allow_update,
+ ac, mayberaw, dns_zone_setupdateacl,
+ dns_zone_clearupdateacl));
updateacl = dns_zone_getupdateacl(mayberaw);
if (updateacl != NULL && dns_acl_isinsecure(updateacl)) {
@@ -1558,7 +1556,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
zname);
}
- RETERR(configure_zone_ssutable(zoptions, mayberaw, zname));
+ CHECK(configure_zone_ssutable(zoptions, mayberaw, zname));
}
if (ztype == dns_zone_primary || raw != NULL) {
@@ -1631,7 +1629,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = named_config_get(maps, "key-directory", &obj);
if (result == ISC_R_SUCCESS) {
filename = cfg_obj_asstring(obj);
- RETERR(dns_zone_setkeydirectory(zone, filename));
+ CHECK(dns_zone_setkeydirectory(zone, filename));
}
obj = NULL;
@@ -1673,8 +1671,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = named_config_get(maps, "dnssec-loadkeys-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setrefreshkeyinterval(zone,
- cfg_obj_asuint32(obj)));
+ CHECK(dns_zone_setrefreshkeyinterval(zone,
+ cfg_obj_asuint32(obj)));
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
@@ -1703,10 +1701,10 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
}
if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) {
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- allow_update_forwarding, ac, mayberaw,
- dns_zone_setforwardacl,
- dns_zone_clearforwardacl));
+ CHECK(configure_zone_acl(zconfig, vconfig, config,
+ allow_update_forwarding, ac, mayberaw,
+ dns_zone_setforwardacl,
+ dns_zone_clearforwardacl));
}
/*%
@@ -1718,7 +1716,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (obj != NULL) {
dns_ipkeylist_t ipkl;
dns_ipkeylist_init(&ipkl);
- RETERR(named_config_getipandkeylist(
+ CHECK(named_config_getipandkeylist(
config, "parental-agents", obj, mctx, &ipkl));
result = dns_zone_setparentals(zone, ipkl.addrs,
ipkl.keys, ipkl.count);
@@ -1901,7 +1899,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
(void)cfg_map_get(zoptions, "allow-transfer", &obj);
if (obj == NULL) {
dns_acl_t *none;
- RETERR(dns_acl_none(mctx, &none));
+ CHECK(dns_acl_none(mctx, &none));
dns_zone_setxfracl(zone, none);
dns_acl_detach(&none);
}
@@ -1926,14 +1924,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = named_config_getremotesdef(
named_g_config, "primaries",
DEFAULT_IANA_ROOT_ZONE_PRIMARIES, &obj);
- RETERR(result);
+ CHECK(result);
}
if (obj != NULL) {
dns_ipkeylist_t ipkl;
dns_ipkeylist_init(&ipkl);
- RETERR(named_config_getipandkeylist(config, "primaries",
- obj, mctx, &ipkl));
+ CHECK(named_config_getipandkeylist(config, "primaries",
+ obj, mctx, &ipkl));
result = dns_zone_setprimarieswithkeys(
mayberaw, ipkl.addrs, ipkl.keys, ipkl.count);
count = ipkl.count;
@@ -1986,50 +1984,50 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = named_config_get(maps, "transfer-source", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setxfrsource4(mayberaw,
- cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setxfrsource4(mayberaw,
+ cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setxfrsource4dscp(mayberaw, dscp));
+ CHECK(dns_zone_setxfrsource4dscp(mayberaw, dscp));
named_add_reserved_dispatch(named_g_server,
cfg_obj_assockaddr(obj));
obj = NULL;
result = named_config_get(maps, "transfer-source-v6", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setxfrsource6(mayberaw,
- cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setxfrsource6(mayberaw,
+ cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setxfrsource6dscp(mayberaw, dscp));
+ CHECK(dns_zone_setxfrsource6dscp(mayberaw, dscp));
named_add_reserved_dispatch(named_g_server,
cfg_obj_assockaddr(obj));
obj = NULL;
result = named_config_get(maps, "alt-transfer-source", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setaltxfrsource4(mayberaw,
- cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setaltxfrsource4(mayberaw,
+ cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setaltxfrsource4dscp(mayberaw, dscp));
+ CHECK(dns_zone_setaltxfrsource4dscp(mayberaw, dscp));
obj = NULL;
result = named_config_get(maps, "alt-transfer-source-v6", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
- RETERR(dns_zone_setaltxfrsource6(mayberaw,
- cfg_obj_assockaddr(obj)));
+ CHECK(dns_zone_setaltxfrsource6(mayberaw,
+ cfg_obj_assockaddr(obj)));
dscp = cfg_obj_getdscp(obj);
if (dscp == -1) {
dscp = named_g_dscp;
}
- RETERR(dns_zone_setaltxfrsource6dscp(mayberaw, dscp));
+ CHECK(dns_zone_setaltxfrsource6dscp(mayberaw, dscp));
obj = NULL;
(void)named_config_get(maps, "use-alt-transfer-source", &obj);
@@ -2057,15 +2055,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
break;
case dns_zone_staticstub:
- RETERR(configure_staticstub(zoptions, zone, zname,
- default_dbtype));
+ CHECK(configure_staticstub(zoptions, zone, zname,
+ default_dbtype));
break;
default:
break;
}
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
+
+cleanup:
+ if (kasp != NULL) {
+ dns_kasp_detach(&kasp);
+ }
+ return (result);
}
/*
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 787a52c..6a62de0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -5818,11 +5818,11 @@ dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
LOCK_ZONE(zone);
if (zone->kasp != NULL) {
- dns_kasp_t *oldkasp = zone->kasp;
- zone->kasp = NULL;
- dns_kasp_detach(&oldkasp);
+ dns_kasp_detach(&zone->kasp);
+ }
+ if (kasp != NULL) {
+ dns_kasp_attach(kasp, &zone->kasp);
}
- zone->kasp = kasp;
UNLOCK_ZONE(zone);
}
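Review bot: dns_zone_setkasp() now takes its own reference with `dns_kasp_attach(kasp, &zone->kasp);` instead of storing the caller's pointer, which changes the ownership contract for every caller. named_zone_configure() is updated in this patch to detach its local reference in `cleanup:`, but any other caller that relied on the old hand-over (none are visible here) would now leak one reference per call. A line in the function's API comment such as `/* The zone attaches to 'kasp'; the caller keeps and must release its own reference. */` would make the new rule explicit. The function's opening lines are outside the hunk.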
--
2.33.0


@ -0,0 +1,90 @@
From 2fba2822067cd54ce8f30bf5b7c07076fc99368c Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 1 Mar 2023 12:30:46 +0000
Subject: [PATCH] Fix view's zones reverting bug during reconfiguration
During reconfiguration, the configure_view() function reverts the
configured zones to the previous view in case if there is an error.
It uses the 'zones_configured' boolean variable to decide whether
it is required to revert the zones, i.e. the error happened after
all the zones were successfully configured.
The problem is that it does not account for the case when an error
happens during the configuration of one of the zones (not the first),
in which case there are zones that are already configured for the
new view (and they need to be reverted), and there are zones that
are not (starting from the failed one).
Since 'zones_configured' remains 'false', the configured zones are
not reverted.
Replace the 'zones_configured' variable with a pointer to the latest
successfully configured zone configuration element, and when reverting,
revert up to and including that zone.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2fba2822067cd54ce8f30bf5b7c07076fc99368c
(cherry picked from commit 84c235a4b0477a34c0ac2054af98b39efc5b0df5)
---
bin/named/server.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 4ab75044f6..6695fb6286 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3979,7 +3979,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
const cfg_obj_t *dyndb_list, *plugin_list;
const cfg_obj_t *disabled;
const cfg_obj_t *obj, *obj2;
- const cfg_listelt_t *element;
+ const cfg_listelt_t *element = NULL;
+ const cfg_listelt_t *zone_element_latest = NULL;
in_port_t port;
dns_cache_t *cache = NULL;
isc_result_t result;
@@ -3996,7 +3997,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
dns_dispatch_t *dispatch6 = NULL;
bool rpz_configured = false;
bool catz_configured = false;
- bool zones_configured = false;
bool reused_cache = false;
bool shared_cache = false;
int i = 0, j = 0, k = 0;
@@ -4100,8 +4100,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
viewlist, kasplist, actx, false,
old_rpz_ok, false));
+ zone_element_latest = element;
}
- zones_configured = true;
/*
* Check that a master or slave zone was found for each
@@ -5907,7 +5907,7 @@ cleanup:
dns_view_detach(&pview);
}
- if (zones_configured) {
+ if (zone_element_latest != NULL) {
for (element = cfg_list_first(zonelist);
element != NULL; element = cfg_list_next(element))
{
@@ -5915,6 +5915,13 @@ cleanup:
cfg_listelt_value(element);
configure_zone_setviewcommit(result, zconfig,
view);
+ if (element == zone_element_latest) {
+ /*
+ * This was the latest element that was
+ * successfully configured earlier.
+ */
+ break;
+ }
}
}
}
--
2.23.0
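Review bot: The early `break` in the cleanup loop only works if `zone_element_latest` points into the same `zonelist` that the loop under `cleanup:` walks. Where `zonelist` is assigned is outside these hunks, so that is assumed rather than shown. If the list were rebuilt between the two loops, the comparison would never match and the loop would run `configure_zone_setviewcommit()` over every element. The invariant deserves a comment at the declaration, for example `/* Last element of zonelist that configure_zone() accepted; NULL until one succeeds. */`. The body of configure_view starts and ends outside the hunks.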


@ -0,0 +1,27 @@
From d0c92a31a997d8c2fa48dd3a2ed90b11e54cfabf Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 17 Feb 2023 11:44:45 +1100
Subject: [PATCH] In hmac_createctx free ctx on isc_hmac_init failure
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/d0c92a31a997d8c2fa48dd3a2ed90b11e54cfabf
(cherry picked from commit d22257a370c69060e17a466db7698c96e23526b5)
---
lib/dns/hmac_link.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index d839f1123b..2872ff2c89 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -170,6 +170,7 @@ hmac_createctx(const isc_md_type_t *type, const dst_key_t *key,
result = isc_hmac_init(ctx, hkey->key, isc_md_type_get_block_size(type),
type);
if (result != ISC_R_SUCCESS) {
+ isc_hmac_free(ctx);
return (DST_R_UNSUPPORTEDALG);
}
--
2.23.0
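Review bot: The failure branch after `isc_hmac_init()` still returns `DST_R_UNSUPPORTEDALG` for every error, so the value in `result` is dropped once `ctx` has been freed. A failure inside the HMAC initialisation would then reach callers looking like an unsupported algorithm, which is harder to tell apart from a configuration or policy problem. If the mapping is intentional, a short comment such as `/* any init failure is reported as an unsupported algorithm */` would record that. hmac_createctx starts and ends outside the hunk, so the other exit paths that own `ctx` cannot be checked from here.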


@ -0,0 +1,33 @@
From 79ee7353ad5eda781c4f9d2297ddff32682731d6 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Fri, 27 Jan 2023 18:04:41 +0000
Subject: [PATCH] Searching catzs->zones requires a read lock
Lock the catzs->lock mutex before searching in the catzs->zones
hash table.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/79ee7353ad5eda781c4f9d2297ddff32682731d6
(cherry picked from commit 0ef0c86632c838c3f342fe1c6d8cdef1b327cde6)
---
lib/dns/catz.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 9a9ecd0dc9..eef688a1d0 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -752,8 +752,10 @@ dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name) {
REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
+ LOCK(&catzs->lock);
result = isc_ht_find(catzs->zones, name->ndata, name->length,
(void **)&found);
+ UNLOCK(&catzs->lock);
if (result != ISC_R_SUCCESS) {
return (NULL);
}
--
2.23.0
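Review bot: `found` is looked up in `catzs->zones` under `catzs->lock`, but the lock is released right after `isc_ht_find()` and no reference is taken in the lines shown. If the function goes on to return `found` (its end is outside the hunk), the caller holds a borrowed pointer and depends on something else to keep the zone alive while using it. A comment above the lookup would make that contract explicit, for example `/* The returned zone is borrowed: the caller must prevent its removal while using it. */`. The subject line also says "read lock", while the code takes `LOCK(&catzs->lock)`, which the description calls a mutex.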


@ -0,0 +1,103 @@
From aca10608b64b161bc9e4b03f0f70b9a5f07ed08f Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 27 Jan 2023 14:43:11 -0800
Subject: [PATCH] delay trust anchor management until zones are loaded
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/aca10608b64b161bc9e4b03f0f70b9a5f07ed08f
(cherry picked from commit bafbbd24653dc80a29ebd4e0569f77166123c3d1)
---
bin/named/server.c | 23 +++++++++++++++++++++++
lib/dns/zone.c | 15 ++-------------
2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index ed0ee59552..a23c4ed107 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9658,6 +9658,7 @@ view_loaded(void *arg) {
if (isc_refcount_decrement(&zl->refs) == 1) {
named_server_t *server = zl->server;
bool reconfig = zl->reconfig;
+ dns_view_t *view = NULL;
isc_refcount_destroy(&zl->refs);
isc_mem_put(server->mctx, zl, sizeof(*zl));
@@ -9678,6 +9679,28 @@ view_loaded(void *arg) {
"all zones loaded");
}
+ for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (view->managed_keys != NULL) {
+ result = dns_zone_synckeyzone(
+ view->managed_keys);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(
+ named_g_lctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_DNSSEC,
+ ISC_LOG_ERROR,
+ "failed to initialize "
+ "managed-keys for view %s "
+ "(%s): DNSSEC validation is "
+ "at risk",
+ view->name,
+ isc_result_totext(result));
+ }
+ }
+ }
+
CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
"forcing zone maintenance");
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index c418be5da4..a2fe9f6d24 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -4730,8 +4730,7 @@ sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
}
failure:
- if (result != ISC_R_SUCCESS && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
- {
+ if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR,
"unable to synchronize managed keys: %s",
dns_result_totext(result));
@@ -5196,10 +5195,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
break;
case dns_zone_key:
- result = sync_keyzone(zone, db);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ /* Nothing needs to be done now */
break;
default:
@@ -5357,13 +5353,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
goto done;
cleanup:
- if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) {
- dnssec_log(zone, ISC_LOG_ERROR,
- "failed to initialize managed-keys (%s): "
- "DNSSEC validation is at risk",
- isc_result_totext(result));
- }
-
if (result != ISC_R_SUCCESS) {
dns_zone_rpz_disable_db(zone, db);
dns_zone_catz_disable_db(zone, db);
--
2.23.0
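Review bot: A failure from `dns_zone_synckeyzone()` in the new loop in view_loaded is only logged, and execution continues to `dns_zonemgr_forcemaint()`, whereas the code removed from zone_postload treated the same failure as a load error via `goto cleanup`. The log text itself says DNSSEC validation is at risk, so the move from failing to continuing should be stated where it happens, e.g. `/* Not fatal: loading continues even if the trust anchors could not be synchronized. */`, if that is the intent. The loop also reads `server->viewlist` and `view->managed_keys` with no locking visible in the hunk. view_loaded begins and ends outside it, so whether the caller already serialises this cannot be confirmed from here.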


@ -1,65 +0,0 @@
From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
Default security policy might include explicitly disabled RSAMD5
algorithm. Current FIPS code automatically disables in FIPS mode. But if
RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 1 +
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index ee23f10..22a5c01 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
ISC_LOG_ERROR, "invalid algorithm");
CHECK(result);
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index f49a346..dbf9ddb 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult == ISC_R_DISABLED) {
+ // Recognize disabled algorithms, disable it explicitly
+ tresult = ISC_R_SUCCESS;
+ }
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 327248e..78adf63 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };
--
2.21.1


@ -1,95 +0,0 @@
From 0698eb93f6e618d2882ae2c8758c5fa87524bea6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 23 Jul 2019 12:10:39 +0200
Subject: [PATCH] Allow explicitly using json-c but not libjson
Separate detection of json support. Allows explicit use of json-c when
jsoncpp package is found. Have to use --without-libjson --with-json-c.
---
configure.ac | 52 +++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 41 insertions(+), 11 deletions(-)
diff --git a/configure.ac b/configure.ac
index f7978e4..40b4f9f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1331,7 +1331,6 @@ AC_ARG_WITH(libjson,
use_libjson="$withval", use_libjson="auto")
have_libjson=""
-have_libjson_c=""
case "$use_libjson" in
no)
libjson_libs=""
@@ -1347,7 +1346,43 @@ case "$use_libjson" in
LIBS="$LIBS -L${d}/lib"
fi
have_libjson="yes"
- elif test -f "${d}/include/json-c/json.h"
+ fi
+ done
+ ;;
+ *)
+ if test -f "${use_libjson}/include/json/json.h"
+ then
+ libjson_cflags="-I${use_libjson}/include"
+ LIBS="$LIBS -L${use_libjson}/lib"
+ have_libjson="yes"
+ else
+ AC_MSG_ERROR([$use_libjson/include/json/json.h not found.])
+ fi
+ ;;
+esac
+
+#
+# was --with-json-c specified?
+#
+AC_ARG_WITH(json-c,
+ AS_HELP_STRING([--with-json-c[=PATH]],
+ [build with json-c library [yes|no|path]]),
+ use_json_c="$withval", use_json_c="$use_libjson")
+
+if test "X${have_libjson}" != "X"
+then
+ # Do not use if libjson were found
+ use_json_c=no
+fi
+
+have_libjson_c=""
+case "$use_json_c" in
+ no)
+ ;;
+ auto|yes)
+ for d in /usr /usr/local /opt/local
+ do
+ if test -f "${d}/include/json-c/json.h"
then
if test ${d} != /usr
then
@@ -1360,19 +1395,14 @@ case "$use_libjson" in
done
;;
*)
- if test -f "${use_libjson}/include/json/json.h"
- then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
- have_libjson="yes"
- elif test -f "${use_libjson}/include/json-c/json.h"
+ if test -f "${use_json_c}/include/json-c/json.h"
then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
+ libjson_cflags="-I${use_json_c}/include"
+ LIBS="$LIBS -L${use_json_c}/lib"
have_libjson="yes"
have_libjson_c="yes"
else
- AC_MSG_ERROR([$use_libjson/include/json{,-c}/json.h not found.])
+ AC_MSG_ERROR([$use_json_c/include/json-c/json.h not found.])
fi
;;
esac
--
2.20.1


@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 16
Release: 17
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -191,6 +191,20 @@ Patch6109:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.pat
Patch6110:backport-Release-unused-key-file-IO-lock-objects.patch
Patch6111:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch
Patch6112:backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
Patch6113:backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
Patch6114:backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
Patch6115:backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
Patch6116:backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
Patch6117:backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
Patch6118:backport-delay-trust-anchor-management-until-zones-are-loaded.patch
Patch6119:backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
Patch6120:backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
Patch6121:backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
Patch6122:backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
Patch6123:backport-Searching-catzs-zones-requires-a-read-lock.patch
Patch6124:backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch
Patch9000:bugfix-limit-numbers-of-test-threads.patch
%{?systemd_ordering}
@ -1199,6 +1213,24 @@ fi;
%endif
%changelog
* Tue Apr 11 2023 zhanghao <zhanghao383@huawei.com> - 32:9.16.23-17
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: Don't perform arithmetic on NULL pointers
Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24
Fix a use-after-free bug in dns_zonemgr_releasezone()
Fix dns_fwdtable_addfwd() error path cleanup bug
Detach the views in zone_shutdown(), not in zone_free()
Detach the zone views outside of the zone lock
delay trust anchor management until zones are loaded
In hmac_createctx free ctx on isc_hmac_init failure
Fix dns_kasp_attach / dns_kasp_detach usage
Fix backport error in 84929d1c
Fix a cleanup bug when isc_task_create() fails in dns_catz_new_zones()
Searching catzs->zones requires a read lock
Fix view's zones reverting bug during reconfiguration
* Sat Feb 25 2023 zhanghao <zhanghao383@huawei.com> - 32:9.16.23-16
- Type:bugfix
- CVE:NA


@ -1,226 +0,0 @@
diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200
@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@
+ISCLIBS = ../isc/libisc-export.@A@
-ISCDEPLIBS = ../isc/libisc.@A@
+ISCDEPLIBS = ../isc/libisc-export.@A@
LIBS = @LIBS@
@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-timestamp: libdns.@A@
+timestamp: libdns-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-export.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200
@@ -43,9 +43,9 @@ SRCS = context.c \
gai_sterror.c getaddrinfo.c getnameinfo.c \
resconf.c
-ISCLIBS = ../isc/libisc.@A@
-DNSLIBS = ../dns/libdns.@A@
-ISCCFGLIBS = ../isccfg/libisccfg.@A@
+ISCLIBS = ../isc/libisc-export.@A@
+DNSLIBS = ../dns/libdns-export.@A@
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@
LIBS = @LIBS@
@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libirs.@SA@: ${OBJS} version.@O@
+libirs-export.@SA@: ${OBJS} version.@O@
${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
${RANLIB} $@
-libirs.la: ${OBJS} version.@O@
+libirs-export.la: ${OBJS} version.@O@
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
-timestamp: libirs.@A@
+timestamp: libirs-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libirs.@A@ libirs.la timestamp
+ rm -f libirs-export.@A@ libirs-export.la timestamp
diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -30,11 +30,11 @@ CINCLUDES = -I. ${DNS_INCLUDES} -I${expo
CDEFINES =
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export.@A@
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = libisccfg.@A@
+ISCCFGDEPLIBS = libisccfg-export.@A@
LIBS = @LIBS@
@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisccfg.@SA@: ${OBJS}
+libisccfg-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisccfg.la: ${OBJS}
+libisccfg-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
-timestamp: libisccfg.@A@
+timestamp: libisccfg-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libisccfg.@A@ timestamp
+ rm -f libisccfg-export.@A@ timestamp
diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \
LIBS = @LIBS@
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
SUBDIRS = include unix nls @ISC_THREAD_DIR@
TARGETS = timestamp
@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS}
+libisc-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS}
+libisc-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@
+timestamp: libisc-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
${DESTDIR}${export_libdir}
clean distclean::
- rm -f libisc.@A@ libisc.la timestamp
+ rm -f libisc-export.@A@ libisc-export.la timestamp
diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200
@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns
CDEFINES =
CWARNINGS =
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../isc/libisc.@A@
-ISCCFGLIBS = ../isccfg/libisccfg.@A@
-IRSLIBS = ../irs/libirs.@A@
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export.@A@
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@
+IRSLIBS = ../irs/libirs-export.@A@
-DNSDEPLIBS = ../dns/libdns.@A@
-ISCDEPLIBS = ../isc/libisc.@A@
-ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@
-IRSDEPLIBS = ../irs/libirs.@A@
+DNSDEPLIBS = ../dns/libdns-export.@A@
+ISCDEPLIBS = ../isc/libisc-export.@A@
+ISCCFGDEPLIBS = ../isccfg/libisccfg-export.@A@
+IRSDEPLIBS = ../irs/libirs-export.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}