Sync with rawhide

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -92,7 +92,6 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.5-P4.tar.gz
 /bind-9.11.6.tar.gz
 /bind-9.11.6-P1.tar.gz
-/bind-9.14.4.tar.gz
 /bind-9.11.7.tar.gz
 /bind-9.11.8.tar.gz
 /bind-9.11.9.tar.gz
@@ -103,18 +102,91 @@ bind-9.7.2b1.tar.gz
 /bind-9.11.13.tar.gz.asc
 /bind-9.11.14.tar.gz
 /bind-9.11.14.tar.gz.asc
+/bind-9.11.17.tar.gz
+/bind-9.11.17.tar.gz.asc
+/bind-9.11.18.tar.gz
+/bind-9.11.18.tar.gz.asc
+/bind-9.11.19.tar.gz
+/bind-9.11.19.tar.gz.asc
+/bind-9.11.20.tar.gz
+/bind-9.11.20.tar.gz.asc
+/bind-9.11.21.tar.gz
+/bind-9.11.21.tar.gz.asc
+/bind-9.11.22.tar.gz
+/bind-9.11.22.tar.gz.asc
+/bind-9.11.23.tar.gz
+/bind-9.11.23.tar.gz.asc
+/bind-9.11.24.tar.gz
+/bind-9.11.24.tar.gz.asc
+/bind-9.11.25.tar.gz
+/bind-9.11.25.tar.gz.asc
+/bind-9.11.26.tar.gz
+/bind-9.11.26.tar.gz.asc
 /bind-9.16.1.tar.xz
 /bind-9.16.1.tar.xz.asc
-/bind-9.17.0.tar.xz
-/bind-9.17.0.tar.xz.asc
-/bind-9.17.4.tar.xz
-/bind-9.17.4.tar.xz.asc
-/bind-9.17.15.tar.xz
-/bind-9.17.15.tar.xz.asc
-/bind-9.17.20.tar.xz
-/bind-9.17.20.tar.xz.asc
-/isc-logo.pdf
-/bind-9.17.21.tar.xz
-/bind-9.17.21.tar.xz.asc
-/bind-9.17.22.tar.xz
-/bind-9.17.22.tar.xz.asc
+/bind-9.16.2.tar.xz
+/bind-9.16.2.tar.xz.asc
+/bind-9.16.4.tar.xz
+/bind-9.16.4.tar.xz.asc
+/bind-9.16.5.tar.xz
+/bind-9.16.5.tar.xz.asc
+/bind-9.16.6.tar.xz
+/bind-9.16.6.tar.xz.asc
+/bind-9.16.7.tar.xz
+/bind-9.16.7.tar.xz.asc
+/bind-9.16.8.tar.xz
+/bind-9.16.8.tar.xz.asc
+/bind-9.16.9.tar.xz
+/bind-9.16.9.tar.xz.asc
+/bind-9.16.10.tar.xz
+/bind-9.16.10.tar.xz.asc
+/bind-9.16.11.tar.xz
+/bind-9.16.11.tar.xz.asc
+/bind-9.16.13.tar.xz
+/bind-9.16.13.tar.xz.asc
+/bind-9.16.15.tar.xz
+/bind-9.16.15.tar.xz.asc
+/bind-9.16.16.tar.xz
+/bind-9.16.16.tar.xz.asc
+/bind-9.16.17.tar.xz
+/bind-9.16.17.tar.xz.asc
+/bind-9.16.18.tar.xz
+/bind-9.16.18.tar.xz.asc
+/bind-9.16.19.tar.xz
+/bind-9.16.19.tar.xz.asc
+/bind-9.16.20.tar.xz
+/bind-9.16.20.tar.xz.asc
+/bind-9.16.21.tar.xz
+/bind-9.16.21.tar.xz.asc
+/bind-9.16.22.tar.xz
+/bind-9.16.22.tar.xz.asc
+/bind-9.16.23.tar.xz
+/bind-9.16.23.tar.xz.asc
+/bind-9.16.24.tar.xz
+/bind-9.16.24.tar.xz.asc
+/bind-9.16.25.tar.xz
+/bind-9.16.25.tar.xz.asc
+/bind-9.16.26.tar.xz
+/bind-9.16.26.tar.xz.asc
+/bind-9.16.27.tar.xz
+/bind-9.16.27.tar.xz.asc
+/bind-9.16.28.tar.xz
+/bind-9.16.28.tar.xz.asc
+/bind-9.16.29.tar.xz
+/bind-9.16.29.tar.xz.asc
+/bind-9.16.30.tar.xz
+/bind-9.16.30.tar.xz.asc
+/bind-9.18.0.tar.xz
+/bind-9.18.0.tar.xz.asc
+/bind-9.18.1.tar.xz
+/bind-9.18.1.tar.xz.asc
+/bind-9.18.2.tar.xz
+/bind-9.18.2.tar.xz.asc
+/bind-9.18.3.tar.xz
+/bind-9.18.3.tar.xz.asc
+/bind-9.18.4.tar.xz
+/bind-9.18.4.tar.xz.asc
+/bind-9.18.5.tar.xz
+/bind-9.18.5.tar.xz.asc
+/bind-9.18.6.tar.xz
+/bind-9.18.6.tar.xz.asc

Changes.md

@@ -1,12 +1,43 @@
-= Changes in BIND9 package =
+# Significant Changes in BIND9 package
 
-== 9.14 ==
+## BIND 9.16
 
-- single thread support removed. Cannot provide bind-export-libs for DHCP
-- lwres support completely removed. Both daemon and library
-- common parts of daemon moved into libns shared library
+### New features
+
+- *libuv* is used for network subsystem as a mandatory dependency
+- *dnssec-policy* support in named.conf is introduced, providing a a key and signing policy
+  ([KASP](https://gitlab.isc.org/isc-projects/bind9/-/wikis/DNSSEC-Key-and-Signing-Policy-(KASP)))
+- *trusted-keys* and *managed-keys* are deprecated, replaced by *trust-anchors*
+- *trust-anchors* support also anchor in a *DS* format, in addition to *DNSKEY* format
+- **dig, mdig** and **delv** support **+yaml** parameter to print detailed machine parseable output
+
+### Feature changes
+
+- Static trust anchor and *dnssec-validation auto;* are incompatible and cause fatal error, when used together.
+- *DS* and *CDS* now generates only SHA-256 digest, SHA-1 is no longer generated by default
+- SipHash 2-4 DNS Cookie ([RFC 7873](https://www.rfc-editor.org/rfc/rfc7873.html) is now default).
+  Only AES alternative algorithm is kept, HMAC-SHA cookie support were removed.
+- **dnssec-signzone** and **dnssec-verify** commands print output to stdout, *-q* parameter can silence them
+
+### Features removed
+
+- *dnssec-enable* option is obsolete, DNSSEC support is always enabled
+- *dnssec-lookaside* option is deprecated and support for it removed from all tools
+- *cleaning-interval* option is removed
+
+### Upstream release notes
+
+- [9.16.10 notes](https://downloads.isc.org/isc/bind9/9.16.10/doc/arm/html/notes.html#notes-for-bind-9-16-10)
+- [9.16.0 notes](https://downloads.isc.org/isc/bind9/9.16.0/doc/arm/html/notes.html#notes-for-bind-9-16-0)
+
+## BIND 9.14
+
+- single thread support removed. Cannot provide *bind-export-libs* for DHCP
+- *lwres* support completely removed. Both daemon and library
+- common parts of daemon moved into *libns* shared library
 - introduced plugin for filtering aaaa responses
 - some SDB utilities no longer supported
 
-=== 9.14.7 ===
-[notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)
+### Upstream release notes
+
+- [9.14.7 notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)

bind-9.11-fips-tests.patch

@@ -1,4 +1,4 @@
-From 22a56b67a27b0ab63050ce6a287a15df6ac96f94 Mon Sep 17 00:00:00 2001
+From 09030b066846a9b7252b5cb4f483d4a55b4639fc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Thu, 2 Aug 2018 23:46:45 +0200
 Subject: [PATCH] FIPS tests changes
@@ -81,21 +81,23 @@ Date:   Wed Mar 7 10:44:23 2018 +0100
  bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
  bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
  bin/tests/system/nsupdate/setup.sh            |  6 +-
- bin/tests/system/nsupdate/tests.sh            | 11 +++-
+ bin/tests/system/nsupdate/tests.sh            | 11 ++-
  bin/tests/system/rndc/setup.sh                |  2 +-
- bin/tests/system/rndc/tests.sh                | 22 ++++---
+ bin/tests/system/rndc/tests.sh                | 22 +++---
  bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
+ bin/tests/system/tsig/ns1/rndc5.conf.in       | 10 +++
  bin/tests/system/tsig/setup.sh                |  5 ++
- bin/tests/system/tsig/tests.sh                | 65 ++++++++++++-------
+ bin/tests/system/tsig/tests.sh                | 67 ++++++++++++-------
  bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
  bin/tests/system/upforwd/tests.sh             |  2 +-
- 31 files changed, 148 insertions(+), 105 deletions(-)
+ 32 files changed, 159 insertions(+), 106 deletions(-)
+ create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
 
 diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
-index 60f22e1..249f672 100644
+index 745048a..93cb411 100644
 --- a/bin/tests/system/acl/ns2/named1.conf.in
 +++ b/bin/tests/system/acl/ns2/named1.conf.in
-@@ -33,12 +33,12 @@ options {
+@@ -35,12 +35,12 @@ options {
  };
  
  key one {
@@ -111,10 +113,10 @@ index 60f22e1..249f672 100644
  };
  
 diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
-index ada97bc..f82d858 100644
+index 21aa991..78e71cc 100644
 --- a/bin/tests/system/acl/ns2/named2.conf.in
 +++ b/bin/tests/system/acl/ns2/named2.conf.in
-@@ -33,12 +33,12 @@ options {
+@@ -35,12 +35,12 @@ options {
  };
  
  key one {
@@ -130,10 +132,10 @@ index ada97bc..f82d858 100644
  };
  
 diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
-index 97684e4..de6a2e9 100644
+index 3208c92..bed6325 100644
 --- a/bin/tests/system/acl/ns2/named3.conf.in
 +++ b/bin/tests/system/acl/ns2/named3.conf.in
-@@ -33,17 +33,17 @@ options {
+@@ -35,17 +35,17 @@ options {
  };
  
  key one {
@@ -155,28 +157,9 @@ index 97684e4..de6a2e9 100644
  };
  
 diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
-index 462b3fa..994b35c 100644
+index 14e82ed..a22cafe 100644
 --- a/bin/tests/system/acl/ns2/named4.conf.in
 +++ b/bin/tests/system/acl/ns2/named4.conf.in
-@@ -33,12 +33,12 @@ options {
- };
- 
- key one {
--	algorithm hmac-md5;
-+	algorithm hmac-sha256;
- 	secret "1234abcd8765";
- };
- 
- key two {
--	algorithm hmac-md5;
-+	algorithm hmac-sha256;
- 	secret "1234abcd8765";
- };
- 
-diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
-index 728da58..8f00d09 100644
---- a/bin/tests/system/acl/ns2/named5.conf.in
-+++ b/bin/tests/system/acl/ns2/named5.conf.in
 @@ -35,12 +35,12 @@ options {
  };
  
@@ -192,11 +175,30 @@ index 728da58..8f00d09 100644
  	secret "1234abcd8765";
  };
  
+diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
+index f43f33c..f4a865a 100644
+--- a/bin/tests/system/acl/ns2/named5.conf.in
++++ b/bin/tests/system/acl/ns2/named5.conf.in
+@@ -37,12 +37,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
 diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
-index a48f868..fab277b 100644
+index ad98fa1..7a7ff4a 100644
 --- a/bin/tests/system/acl/tests.sh
 +++ b/bin/tests/system/acl/tests.sh
-@@ -21,14 +21,14 @@ echo_i "testing basic ACL processing"
+@@ -23,14 +23,14 @@ echo_i "testing basic ACL processing"
  # key "one" should fail
  t=`expr $t + 1`
  $DIG $DIGOPTS tsigzone. \
@@ -213,7 +215,7 @@ index a48f868..fab277b 100644
  grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
  
  copy_setports ns2/named2.conf.in ns2/named.conf
-@@ -38,18 +38,18 @@ sleep 5
+@@ -40,18 +40,18 @@ sleep 5
  # prefix 10/8 should fail
  t=`expr $t + 1`
  $DIG $DIGOPTS tsigzone. \
@@ -235,7 +237,7 @@ index a48f868..fab277b 100644
  grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
  
  echo_i "testing nested ACL processing"
-@@ -61,31 +61,31 @@ sleep 5
+@@ -63,31 +63,31 @@ sleep 5
  # should succeed
  t=`expr $t + 1`
  $DIG $DIGOPTS tsigzone. \
@@ -272,7 +274,7 @@ index a48f868..fab277b 100644
  grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
  
  t=`expr $t + 1`
-@@ -96,7 +96,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+@@ -98,7 +98,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
  # and other values? right out
  t=`expr $t + 1`
  $DIG $DIGOPTS tsigzone. \
@@ -281,7 +283,7 @@ index a48f868..fab277b 100644
  grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
  
  # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
-@@ -107,31 +107,31 @@ sleep 5
+@@ -109,31 +109,31 @@ sleep 5
  # should succeed
  t=`expr $t + 1`
  $DIG $DIGOPTS tsigzone. \
@@ -319,10 +321,10 @@ index a48f868..fab277b 100644
  
  echo_i "testing allow-query-on ACL processing"
 diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
-index 7d43e36..f7b25f9 100644
+index b91d19a..7d777c2 100644
 --- a/bin/tests/system/allow-query/ns2/named10.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named10.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
   */
  
  key one {
@@ -332,10 +334,10 @@ index 7d43e36..f7b25f9 100644
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
-index 2952518..121557e 100644
+index 308c4ca..00f6f40 100644
 --- a/bin/tests/system/allow-query/ns2/named11.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named11.conf.in
-@@ -10,12 +10,12 @@
+@@ -12,12 +12,12 @@
   */
  
  key one {
@@ -351,10 +353,10 @@ index 2952518..121557e 100644
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
-index 0c01071..ceabbb5 100644
+index 6b0fe55..491e514 100644
 --- a/bin/tests/system/allow-query/ns2/named12.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named12.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
   */
  
  key one {
@@ -364,10 +366,10 @@ index 0c01071..ceabbb5 100644
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
-index 4c17292..9cd9d1f 100644
+index aefc474..7c06596 100644
 --- a/bin/tests/system/allow-query/ns2/named30.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named30.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
   */
  
  key one {
@@ -377,10 +379,10 @@ index 4c17292..9cd9d1f 100644
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
-index a2690a4..f488730 100644
+index 27eccc2..eecb990 100644
 --- a/bin/tests/system/allow-query/ns2/named31.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named31.conf.in
-@@ -10,12 +10,12 @@
+@@ -12,12 +12,12 @@
   */
  
  key one {
@@ -396,10 +398,10 @@ index a2690a4..f488730 100644
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
-index a0708c8..51fa457 100644
+index adbb203..744d122 100644
 --- a/bin/tests/system/allow-query/ns2/named32.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named32.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
   */
  
  key one {
@@ -409,10 +411,10 @@ index a0708c8..51fa457 100644
  };
  
 diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
-index 687768e..d24d6d2 100644
+index 364f94b..9518f82 100644
 --- a/bin/tests/system/allow-query/ns2/named40.conf.in
 +++ b/bin/tests/system/allow-query/ns2/named40.conf.in
-@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
+@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
  acl badaccept { 10.53.0.1; };
  
  key one {
@@ -428,10 +430,10 @@ index 687768e..d24d6d2 100644
  };
  
 diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
-index c0398fe..cc1962a 100644
+index bbffe07..80da0fe 100644
 --- a/bin/tests/system/allow-query/tests.sh
 +++ b/bin/tests/system/allow-query/tests.sh
-@@ -198,7 +198,7 @@ rndc_reload ns2 10.53.0.2
+@@ -200,7 +200,7 @@ rndc_reload ns2 10.53.0.2
  
  echo_i "test $n: key allowed - query allowed"
  ret=0
@@ -440,7 +442,7 @@ index c0398fe..cc1962a 100644
  grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -211,7 +211,7 @@ rndc_reload ns2 10.53.0.2
+@@ -213,7 +213,7 @@ rndc_reload ns2 10.53.0.2
  
  echo_i "test $n: key not allowed - query refused"
  ret=0
@@ -449,7 +451,7 @@ index c0398fe..cc1962a 100644
  grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -225,7 +225,7 @@ rndc_reload ns2 10.53.0.2
+@@ -227,7 +227,7 @@ rndc_reload ns2 10.53.0.2
  
  echo_i "test $n: key disallowed - query refused"
  ret=0
@@ -458,7 +460,7 @@ index c0398fe..cc1962a 100644
  grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -364,7 +364,7 @@ rndc_reload ns2 10.53.0.2
+@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
  
  echo_i "test $n: views key allowed - query allowed"
  ret=0
@@ -467,7 +469,7 @@ index c0398fe..cc1962a 100644
  grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -377,7 +377,7 @@ rndc_reload ns2 10.53.0.2
+@@ -379,7 +379,7 @@ rndc_reload ns2 10.53.0.2
  
  echo_i "test $n: views key not allowed - query refused"
  ret=0
@@ -476,7 +478,7 @@ index c0398fe..cc1962a 100644
  grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -391,7 +391,7 @@ rndc_reload ns2 10.53.0.2
+@@ -393,7 +393,7 @@ rndc_reload ns2 10.53.0.2
  
  echo_i "test $n: views key disallowed - query refused"
  ret=0
@@ -485,7 +487,7 @@ index c0398fe..cc1962a 100644
  grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -531,7 +531,7 @@ status=`expr $status + $ret`
+@@ -533,7 +533,7 @@ status=`expr $status + $ret`
  n=`expr $n + 1`
  echo_i "test $n: zone key allowed - query allowed"
  ret=0
@@ -494,7 +496,7 @@ index c0398fe..cc1962a 100644
  grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
  if [ $ret != 0 ]; then echo_i "failed"; fi
-@@ -541,7 +541,7 @@ status=`expr $status + $ret`
+@@ -543,7 +543,7 @@ status=`expr $status + $ret`
  n=`expr $n + 1`
  echo_i "test $n: zone key not allowed - query refused"
  ret=0
@@ -503,7 +505,7 @@ index c0398fe..cc1962a 100644
  grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
-@@ -552,7 +552,7 @@ status=`expr $status + $ret`
+@@ -554,7 +554,7 @@ status=`expr $status + $ret`
  n=`expr $n + 1`
  echo_i "test $n: zone key disallowed - query refused"
  ret=0
@@ -513,10 +515,10 @@ index c0398fe..cc1962a 100644
  grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
  grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
 diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
-index 1218669..e62715e 100644
+index 1421281..424afb8 100644
 --- a/bin/tests/system/catz/ns1/named.conf.in
 +++ b/bin/tests/system/catz/ns1/named.conf.in
-@@ -61,5 +61,5 @@ zone "catalog4.example" {
+@@ -122,5 +122,5 @@ view "ch" ch {
  
  key tsig_key. {
  	secret "LSAnCU+Z";
@@ -524,10 +526,10 @@ index 1218669..e62715e 100644
 +	algorithm hmac-sha256;
  };
 diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
-index 21be03e..e57c308 100644
+index 4af25b0..9f202d5 100644
 --- a/bin/tests/system/checkconf/bad-tsig.conf
 +++ b/bin/tests/system/checkconf/bad-tsig.conf
-@@ -11,7 +11,7 @@
+@@ -13,7 +13,7 @@
  
  /* Bad secret */
  key "badtsig" {
@@ -537,10 +539,10 @@ index 21be03e..e57c308 100644
  };
  
 diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
-index 2373425..7b87b04 100644
+index 897dc86..e4b6dc1 100644
 --- a/bin/tests/system/checkconf/good.conf
 +++ b/bin/tests/system/checkconf/good.conf
-@@ -268,6 +268,6 @@ dyndb "name" "library.so" {
+@@ -270,6 +270,6 @@ dyndb "name" "library.so" {
  	system;
  };
  key "mykey" {
@@ -549,10 +551,10 @@ index 2373425..7b87b04 100644
  	secret "qwertyuiopasdfgh";
  };
 diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
-index 72c09ae..4095d92 100644
+index 3435c91..aaaa264 100644
 --- a/bin/tests/system/feature-test.c
 +++ b/bin/tests/system/feature-test.c
-@@ -14,6 +14,7 @@
+@@ -17,6 +17,7 @@
  #include <string.h>
  #include <unistd.h>
  
@@ -560,7 +562,7 @@ index 72c09ae..4095d92 100644
  #include <isc/net.h>
  #include <isc/print.h>
  #include <isc/util.h>
-@@ -129,6 +130,19 @@ main(int argc, char **argv) {
+@@ -133,6 +134,19 @@ main(int argc, char **argv) {
  #endif
  	}
  
@@ -581,10 +583,10 @@ index 72c09ae..4095d92 100644
  #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
  		int s;
 diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
-index 1ee8df4..2b75d9a 100644
+index 5cab276..d4a7bf3 100644
 --- a/bin/tests/system/notify/ns5/named.conf.in
 +++ b/bin/tests/system/notify/ns5/named.conf.in
-@@ -10,17 +10,17 @@
+@@ -12,17 +12,17 @@
   */
  
  key "a" {
@@ -606,10 +608,10 @@ index 1ee8df4..2b75d9a 100644
  };
  
 diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
-index e8a00ea..978082c 100644
+index 04fd34b..e5476ea 100644
 --- a/bin/tests/system/notify/tests.sh
 +++ b/bin/tests/system/notify/tests.sh
-@@ -211,16 +211,16 @@ ret=0
+@@ -179,7 +179,7 @@ test_start "checking notify to multiple views using tsig"
  $NSUPDATE << EOF
  server 10.53.0.5 ${PORT}
  zone x21
@@ -618,22 +620,23 @@ index e8a00ea..978082c 100644
  update add added.x21 0 in txt "test string"
  send
  EOF
- 
+@@ -187,9 +187,9 @@ fnb="dig.out.b.ns5.test$n"
+ fnc="dig.out.c.ns5.test$n"
  for i in 1 2 3 4 5 6 7 8 9
  do
--	$DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
-+	$DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
- 		txt > dig.out.b.ns5.test$n || ret=1
--	$DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
-+	$DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
- 		txt > dig.out.c.ns5.test$n || ret=1
- 	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
- 	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+-	dig_plus_opts added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
++	dig_plus_opts added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ 		txt > "$fnb" || ret=1
+-	dig_plus_opts added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
++	dig_plus_opts added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+ 		txt > "$fnc" || ret=1
+ 	grep "test string" "$fnb" > /dev/null &&
+ 	grep "test string" "$fnc" > /dev/null &&
 diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
-index b51e700..436c97d 100644
+index 81d0c99..effbe2e 100644
 --- a/bin/tests/system/nsupdate/ns1/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns1/named.conf.in
-@@ -37,7 +37,7 @@ controls {
+@@ -39,7 +39,7 @@ controls {
  };
  
  key altkey {
@@ -643,10 +646,10 @@ index b51e700..436c97d 100644
  };
  
 diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
-index da6b3b4..c547e47 100644
+index f1a1735..da2b3d1 100644
 --- a/bin/tests/system/nsupdate/ns2/named.conf.in
 +++ b/bin/tests/system/nsupdate/ns2/named.conf.in
-@@ -32,7 +32,7 @@ controls {
+@@ -34,7 +34,7 @@ controls {
  };
  
  key altkey {
@@ -656,10 +659,10 @@ index da6b3b4..c547e47 100644
  };
  
 diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index be8c7f8..e465216 100644
+index 50056dc..a4a1a3f 100644
 --- a/bin/tests/system/nsupdate/setup.sh
 +++ b/bin/tests/system/nsupdate/setup.sh
-@@ -70,7 +70,11 @@ EOF
+@@ -72,7 +72,11 @@ EOF
  
  $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
  
@@ -673,10 +676,10 @@ index be8c7f8..e465216 100644
  $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
  $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
 diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 7b9c0e6..26e6b01 100755
+index 0863d0a..559def7 100755
 --- a/bin/tests/system/nsupdate/tests.sh
 +++ b/bin/tests/system/nsupdate/tests.sh
-@@ -823,7 +823,14 @@ fi
+@@ -841,7 +841,14 @@ fi
  n=`expr $n + 1`
  ret=0
  echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
@@ -692,7 +695,7 @@ index 7b9c0e6..26e6b01 100755
      $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
  server 10.53.0.1 ${PORT}
  update add ${alg}.keytests.nil. 600 A 10.10.10.3
-@@ -831,7 +838,7 @@ send
+@@ -849,7 +856,7 @@ send
  END
  done
  sleep 2
@@ -702,10 +705,10 @@ index 7b9c0e6..26e6b01 100755
  done
  if [ $ret -ne 0 ]; then
 diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
-index b7721a3..0204e4d 100644
+index 4dd6fa7..1b79263 100644
 --- a/bin/tests/system/rndc/setup.sh
 +++ b/bin/tests/system/rndc/setup.sh
-@@ -45,7 +45,7 @@ make_key () {
+@@ -47,7 +47,7 @@ make_key () {
              sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
  }
  
@@ -715,10 +718,10 @@ index b7721a3..0204e4d 100644
  make_key 3 ${EXTRAPORT3} hmac-sha224
  make_key 4 ${EXTRAPORT4} hmac-sha256
 diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
-index df3ef3a..eaaffe6 100644
+index e678153..e7ec855 100644
 --- a/bin/tests/system/rndc/tests.sh
 +++ b/bin/tests/system/rndc/tests.sh
-@@ -348,15 +348,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -350,15 +350,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
  status=$((status+ret))
  
  n=$((n+1))
@@ -731,7 +734,7 @@ index df3ef3a..eaaffe6 100644
 -done
 -if [ $ret != 0 ]; then echo_i "failed"; fi
 -status=$((status+ret))
-+if $FEATURETEST --md5
++if $FEATURETEST --md5; then
 +	echo_i "testing rndc with hmac-md5 ($n)"
 +	ret=0
 +	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
@@ -748,10 +751,10 @@ index df3ef3a..eaaffe6 100644
  n=$((n+1))
  echo_i "testing rndc with hmac-sha1 ($n)"
 diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
-index 3470c4f..cf539cd 100644
+index 76cf970..22637af 100644
 --- a/bin/tests/system/tsig/ns1/named.conf.in
 +++ b/bin/tests/system/tsig/ns1/named.conf.in
-@@ -21,10 +21,7 @@ options {
+@@ -23,10 +23,7 @@ options {
  	notify no;
  };
  
@@ -763,7 +766,7 @@ index 3470c4f..cf539cd 100644
  
  key "sha1" {
  	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
-@@ -51,10 +48,7 @@ key "sha512" {
+@@ -53,10 +50,7 @@ key "sha512" {
  	algorithm hmac-sha512;
  };
  
@@ -775,11 +778,27 @@ index 3470c4f..cf539cd 100644
  
  key "sha1-trunc" {
  	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
+new file mode 100644
+index 0000000..0682194
+--- /dev/null
++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
+@@ -0,0 +1,10 @@
++# Conditionally included when support for MD5 is available
++key "md5" {
++	secret "97rnFx24Tfna4mHPfgnerA==";
++	algorithm hmac-md5;
++};
++
++key "md5-trunc" {
++	secret "97rnFx24Tfna4mHPfgnerA==";
++	algorithm hmac-md5-80;
++};
 diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
-index 3210f1b..5b5e992 100644
+index 34cc73b..d51ff21 100644
 --- a/bin/tests/system/tsig/setup.sh
 +++ b/bin/tests/system/tsig/setup.sh
-@@ -14,3 +14,8 @@
+@@ -16,3 +16,8 @@
  $SHELL clean.sh
  
  copy_setports ns1/named.conf.in ns1/named.conf
@@ -789,10 +808,10 @@ index 3210f1b..5b5e992 100644
 +	cat ns1/rndc5.conf.in >> ns1/named.conf
 +fi
 diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
-index a9bf42b..f95ee09 100644
+index 1067227..ee05e83 100644
 --- a/bin/tests/system/tsig/tests.sh
 +++ b/bin/tests/system/tsig/tests.sh
-@@ -25,20 +25,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+@@ -27,20 +27,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
  
  status=0
  
@@ -803,6 +822,13 @@ index a9bf42b..f95ee09 100644
 -if [ $ret -eq 1 ] ; then
 -	echo_i "failed"; status=1
 -fi
+-
+-echo_i "fetching using hmac-md5 (new form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
 +if $FEATURETEST --md5
 +then
 +	echo_i "fetching using hmac-md5 (old form)"
@@ -812,13 +838,7 @@ index a9bf42b..f95ee09 100644
 +	if [ $ret -eq 1 ] ; then
 +		echo_i "failed"; status=1
 +	fi
- 
--echo_i "fetching using hmac-md5 (new form)"
--ret=0
--$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
--grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
--if [ $ret -eq 1 ] ; then
--	echo_i "failed"; status=1
++
 +	echo_i "fetching using hmac-md5 (new form)"
 +	ret=0
 +	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
@@ -831,7 +851,7 @@ index a9bf42b..f95ee09 100644
  fi
  
  echo_i "fetching using hmac-sha1"
-@@ -86,12 +91,17 @@ fi
+@@ -88,12 +93,17 @@ fi
  #	Truncated TSIG
  #
  #
@@ -855,7 +875,7 @@ index a9bf42b..f95ee09 100644
  fi
  
  echo_i "fetching using hmac-sha1 (trunc)"
-@@ -140,12 +150,17 @@ fi
+@@ -142,12 +152,17 @@ fi
  #	Check for bad truncation.
  #
  #
@@ -880,10 +900,10 @@ index a9bf42b..f95ee09 100644
  
  echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
 diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
-index 3873c7c..b359a5a 100644
+index c2b57dd..cb13aa1 100644
 --- a/bin/tests/system/upforwd/ns1/named.conf.in
 +++ b/bin/tests/system/upforwd/ns1/named.conf.in
-@@ -10,7 +10,7 @@
+@@ -12,7 +12,7 @@
   */
  
  key "update.example." {
@@ -893,10 +913,10 @@ index 3873c7c..b359a5a 100644
  };
  
 diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
-index 2011b7f..052170e 100644
+index a6de312..ebcadb1 100644
 --- a/bin/tests/system/upforwd/tests.sh
 +++ b/bin/tests/system/upforwd/tests.sh
-@@ -78,7 +78,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+@@ -80,7 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
  
  echo_i "updating zone (signed) ($n)"
  ret=0
@@ -906,5 +926,5 @@ index 2011b7f..052170e 100644
  update add updated.example. 600 A 10.10.10.1
  update add updated.example. 600 TXT Foo
 -- 
-2.31.1
+2.37.3
 

bind-9.16-redhat_doc.patch

@@ -1,4 +1,4 @@
-From baec1c0c1822d3ba89cc7e5e530888c865a899f7 Mon Sep 17 00:00:00 2001
+From 402403b4bbb4f603693378e86b6c97997ccb0401 Mon Sep 17 00:00:00 2001
 From: Petr Mensik <pemensik@redhat.com>
 Date: Wed, 17 Jun 2020 23:17:13 +0200
 Subject: [PATCH] Update man named with Red Hat specifics
@@ -6,15 +6,15 @@ Subject: [PATCH] Update man named with Red Hat specifics
 This is almost unmodified text and requires revalidation. Some of those
 statements are no longer correct.
 ---
- bin/named/named.rst | 40 ++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 40 insertions(+)
+ bin/named/named.rst | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
 
 diff --git a/bin/named/named.rst b/bin/named/named.rst
-index 3fa96e0..4390e73 100644
+index ea440b2..fa51984 100644
 --- a/bin/named/named.rst
 +++ b/bin/named/named.rst
-@@ -236,6 +236,46 @@ Files
- ``/var/run/named/named.pid``
+@@ -212,6 +212,47 @@ Files
+ |named_pid|
     The default process-id file.
  
 +Notes
@@ -56,10 +56,11 @@ index 3fa96e0..4390e73 100644
 +these directories, named will work normally and no further operator action is
 +required. Files in these directories are automatically assigned the '*named_cache_t*'
 +file context, which SELinux allows named to write.
++
 +
  See Also
  ~~~~~~~~
  
 -- 
-2.31.1
+2.34.1
 

bind-9.18-pkcs11-engine-init.patch

@@ -0,0 +1,48 @@
+From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 7 Sep 2022 13:46:31 +0200
+Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
+
+According to manual page of ENGINE_init, it should be called explicitly
+before any key operations happens. Make it active whole lifetime.
+---
+ lib/dns/openssl_link.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
+index 333f34cb37..a3f63885fa 100644
+--- a/lib/dns/openssl_link.c
++++ b/lib/dns/openssl_link.c
+@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
+ 			result = DST_R_NOENGINE;
+ 			goto cleanup_rm;
+ 		}
++		if (!ENGINE_init(e)) {
++			result = DST_R_NOENGINE;
++			goto cleanup_rm;
++		}
+ 		/* This will init the engine. */
+ 		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ 			result = DST_R_NOENGINE;
+-			goto cleanup_rm;
++			goto cleanup_init;
+ 		}
+ 	}
+ 
+ 	return (ISC_R_SUCCESS);
++cleanup_init:
++	ENGINE_finish(e);
+ cleanup_rm:
+ 	if (e != NULL) {
+ 		ENGINE_free(e);
+@@ -108,6 +114,7 @@ void
+ dst__openssl_destroy(void) {
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ 	if (e != NULL) {
++		ENGINE_finish(e);
+ 		ENGINE_free(e);
+ 	}
+ 	e = NULL;
+-- 
+2.37.2
+

bind-9.18-pkcs11-engine-remove-deadcode.patch

@@ -0,0 +1,245 @@
+From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 8 Sep 2022 16:33:38 +0200
+Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
+
+OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
+builders. But it can be built in legacy mode, where deprecated but still
+working API would be used.
+
+It can work under OpenSSL 3.0, but only if using legacy code paths
+matching OpenSSL 1.1 calls and functions.
+
+Remove fromlabel processing by OpenSSL 3.0 only functions. They can
+return later with a proper provider support for pkcs11.
+---
+ lib/dns/opensslecdsa_link.c | 55 -------------------------------------
+ lib/dns/opensslrsa_link.c   | 32 ---------------------
+ 2 files changed, 87 deletions(-)
+
+diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
+index 04f0d80b5e..f04f076e42 100644
+--- a/lib/dns/opensslecdsa_link.c
++++ b/lib/dns/opensslecdsa_link.c
+@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ 	isc_result_t ret = ISC_R_SUCCESS;
+ 	ENGINE *e;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	EC_KEY *eckey = NULL;
+ 	EC_KEY *pubeckey = NULL;
+ 	int group_nid;
+-#else
+-	size_t len;
+-	const char *curve_name, *nist_curve_name;
+-	char buf[128]; /* Sufficient for all of the supported curves' names. */
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 	EVP_PKEY *pkey = NULL;
+ 	EVP_PKEY *pubpkey = NULL;
+ 
+@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 		DST_RET(DST_R_NOENGINE);
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (key->key_alg == DST_ALG_ECDSA256) {
+ 		group_nid = NID_X9_62_prime256v1;
+ 	} else {
+ 		group_nid = NID_secp384r1;
+ 	}
+-#else
+-	/* Get the expected curve names */
+-	if (key->key_alg == DST_ALG_ECDSA256) {
+-		curve_name = "prime256v1";
+-		nist_curve_name = "P-256";
+-	} else {
+-		curve_name = "secp384r1";
+-		nist_curve_name = "P-384";
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	/* Load private key. */
+ 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
+ 		DST_RET(DST_R_INVALIDPRIVATEKEY);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+ 	if (eckey == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
+ 		DST_RET(DST_R_INVALIDPRIVATEKEY);
+ 	}
+-#else
+-	len = 0;
+-	if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
+-					   buf, sizeof buf, &len) != 1 ||
+-	    len == 0 || len >= sizeof buf)
+-	{
+-		DST_RET(DST_R_INVALIDPRIVATEKEY);
+-	}
+-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
+-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
+-	{
+-		DST_RET(DST_R_INVALIDPRIVATEKEY);
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	/* Load public key. */
+ 	pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
+@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
+ 		DST_RET(DST_R_INVALIDPUBLICKEY);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
+ 	if (pubeckey == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
+ 		DST_RET(DST_R_INVALIDPUBLICKEY);
+ 	}
+-#else
+-	len = 0;
+-	if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
+-					   buf, sizeof buf, &len) != 1 ||
+-	    len == 0 || len >= sizeof buf)
+-	{
+-		DST_RET(DST_R_INVALIDPUBLICKEY);
+-	}
+-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
+-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
+-	{
+-		DST_RET(DST_R_INVALIDPUBLICKEY);
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 	}
+-#else
+-	if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
+-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	key->label = isc_mem_strdup(key->mctx, label);
+ 	key->engine = isc_mem_strdup(key->mctx, engine);
+@@ -1442,14 +1389,12 @@ err:
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (pubeckey != NULL) {
+ 		EC_KEY_free(pubeckey);
+ 	}
+ 	if (eckey != NULL) {
+ 		EC_KEY_free(eckey);
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	return (ret);
+ #else
+diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
+index 867b486a2f..cf350610ba 100644
+--- a/lib/dns/opensslrsa_link.c
++++ b/lib/dns/opensslrsa_link.c
+@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 		key->engine = isc_mem_strdup(key->mctx, engine);
+ 		key->label = isc_mem_strdup(key->mctx, label);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 		rsa = EVP_PKEY_get1_RSA(pkey);
+ 		if (rsa == NULL) {
+ 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 		}
+ 		RSA_get0_key(rsa, NULL, &ex, NULL);
+-#else
+-		if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
+-		    ISC_R_SUCCESS) {
+-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-		}
+-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
+-		    1) {
+-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-		}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 		if (ex == NULL) {
+ 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	ENGINE *e = NULL;
+ 	isc_result_t ret = ISC_R_SUCCESS;
+ 	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	RSA *rsa = NULL, *pubrsa = NULL;
+ 	const BIGNUM *ex = NULL;
+-#else
+-	BIGNUM *ex = NULL;
+-#endif
+ 
+ 	UNUSED(pin);
+ 
+@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 		DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
+ 					       DST_R_OPENSSLFAILURE));
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	pubrsa = EVP_PKEY_get1_RSA(pubpkey);
+ 	if (pubrsa == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ 	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+ 	if (pkey == NULL) {
+@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	key->engine = isc_mem_strdup(key->mctx, engine);
+ 	key->label = isc_mem_strdup(key->mctx, label);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	rsa = EVP_PKEY_get1_RSA(pkey);
+ 	if (rsa == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+ 	}
+ 	RSA_get0_key(rsa, NULL, &ex, NULL);
+-#else
+-	if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
+-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-	}
+-	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
+-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+ 	if (ex == NULL) {
+ 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
+@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	pkey = NULL;
+ 
+ err:
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	if (rsa != NULL) {
+ 		RSA_free(rsa);
+ 	}
+ 	if (pubrsa != NULL) {
+ 		RSA_free(pubrsa);
+ 	}
+-#else
+-	if (ex != NULL) {
+-		BN_free(ex);
+-	}
+-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 	if (pkey != NULL) {
+ 		EVP_PKEY_free(pkey);
+ 	}
+-- 
+2.37.2
+

bind-9.18-unittest-netmgr-unstable.patch

@@ -0,0 +1,75 @@
+From 0f3a398fe813189c5dd56b0367a72c7b3f19504b Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 14 Sep 2022 13:06:24 +0200
+Subject: [PATCH] Disable some often failing tests
+
+Make those tests skipped in default build, when CI=true environment is
+set. It is not clear why they fail mostly on COPR, but they do fail
+often.
+---
+ tests/isc/netmgr_test.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/isc/netmgr_test.c b/tests/isc/netmgr_test.c
+index 94e4bf7..7f9629c 100644
+--- a/tests/isc/netmgr_test.c
++++ b/tests/isc/netmgr_test.c
+@@ -1567,13 +1567,13 @@ stream_half_recv_half_send(void **state __attribute__((unused))) {
+ /* TCP */
+ ISC_RUN_TEST_IMPL(tcp_noop) { stream_noop(state); }
+ 
+-ISC_RUN_TEST_IMPL(tcp_noresponse) { stream_noresponse(state); }
++ISC_RUN_TEST_IMPL(tcp_noresponse) { SKIP_IN_CI; stream_noresponse(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_timeout_recovery) { stream_timeout_recovery(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_one) { stream_recv_one(state); }
+ 
+-ISC_RUN_TEST_IMPL(tcp_recv_two) { stream_recv_two(state); }
++ISC_RUN_TEST_IMPL(tcp_recv_two) { SKIP_IN_CI; stream_recv_two(state); }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_send) {
+ 	SKIP_IN_CI;
+@@ -1623,6 +1623,7 @@ ISC_RUN_TEST_IMPL(tcp_recv_one_quota) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tcp_recv_two_quota) {
++	SKIP_IN_CI;
+ 	atomic_store(&check_listener_quota, true);
+ 	stream_recv_two(state);
+ }
+@@ -1836,6 +1837,7 @@ ISC_RUN_TEST_IMPL(tcpdns_recv_two) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+ 	isc_nmsocket_t *listen_sock = NULL;
+ 
++	SKIP_IN_CI;
+ 	atomic_store(&nsends, 2);
+ 
+ 	result = isc_nm_listentcpdns(listen_nm, &tcp_listen_addr,
+@@ -2095,6 +2097,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tls_recv_two) {
++	SKIP_IN_CI;
+ 	stream_use_TLS = true;
+ 	stream_recv_two(state);
+ }
+@@ -2160,6 +2163,7 @@ ISC_RUN_TEST_IMPL(tls_recv_one_quota) {
+ }
+ 
+ ISC_RUN_TEST_IMPL(tls_recv_two_quota) {
++	SKIP_IN_CI;
+ 	stream_use_TLS = true;
+ 	atomic_store(&check_listener_quota, true);
+ 	stream_recv_two(state);
+@@ -2395,6 +2399,7 @@ ISC_RUN_TEST_IMPL(tlsdns_recv_two) {
+ 	isc_result_t result = ISC_R_SUCCESS;
+ 	isc_nmsocket_t *listen_sock = NULL;
+ 
++	SKIP_IN_CI;
+ 	atomic_store(&nsends, 2);
+ 
+ 	result = isc_nm_listentlsdns(listen_nm, &tcp_listen_addr,
+-- 
+2.37.2
+

bind-9.5-PIE.patch

@@ -1,8 +1,8 @@
 diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
-index 7065a90..e2e485b 100644
+index 57a023b..085f2f7 100644
 --- a/bin/named/Makefile.am
 +++ b/bin/named/Makefile.am
-@@ -32,6 +32,7 @@ AM_CPPFLAGS +=				\
+@@ -32,9 +32,12 @@ AM_CPPFLAGS +=				\
  endif HAVE_LIBXML2
  
  AM_CPPFLAGS +=						\
@@ -10,11 +10,8 @@ index 7065a90..e2e485b 100644
  	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
  	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
  
-@@ -122,5 +123,7 @@ named_LDADD +=					\
- 	$(LIBNGHTTP2_LIBS)
- endif HAVE_LIBNGHTTP2
- 
 +AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
 +
- MAINTAINERCLEANFILES =				\
- 	named.conf.rst
+ sbin_PROGRAMS = named
+ 
+ nodist_named_SOURCES = xsl.c

bind9-next.spec

@@ -1,5 +1,5 @@
 #
-# Red Hat BIND package .spec file
+# Red Hat BIND9 package .spec file
 #
 # vim:expandtab ts=2:
 
@@ -7,16 +7,15 @@
 # bcond_with is built only when --with X is passed to build
 %bcond_with    SYSTEMTEST
 %bcond_without GSSTSIG
-# it is not possible to build the package without PKCS11 sub-package
-# due to extensive changes to Makefiles
-%bcond_with PKCS11 # TODO: Remove
 %bcond_without JSON
 # FIXME: Not ready. Should it be worked on?
-%bcond_with DLZ
+%bcond_without DLZ
 # New MaxMind GeoLite support
 %bcond_without GEOIP2
 # Disabled temporarily until kyua is fixed on rawhide, bug #1926779
 %bcond_without UNITTEST
+# Do not set CI environment, include more unit tests, even less stable
+%bcond_with    UNITTEST_ALL
 %bcond_without DNSTAP
 %bcond_without LMDB
 %bcond_without DOC
@@ -55,16 +54,17 @@
 %global upname bind
 %define upname_compat() \
 %if "%{name}" != "%{upname}" \
-Provides: %1 = %{version}-%{release} \
+Provides: %1 = %{epoch}:%{version}-%{release} \
 Obsoletes: %1 < 32:9.17.0 \
 Conflicts: %1 \
 %endif
 
 Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
-Name:     bind9-next
+Name:     bind
 License:  MPLv2.0
-Version:  9.17.22
-Release:  2%{?dist}
+Version:  9.18.6
+Release:  4%{?dist}
+Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
 Source0:  https://downloads.isc.org/isc/bind9/%{version}/%{upname}-%{version}.tar.xz
@@ -91,16 +91,21 @@ Source42: generate-rndc-key.sh
 Source43: named.rwtab
 Source44: named-chroot-setup.service
 Source46: named-setup-rndc.service
-Source47: named-pkcs11.service
 Source48: setup-named-softhsm.sh
 Source49: named-chroot.files
-# https://gitlab.isc.org/isc-projects/bind9/-/issues/3032
-Source50: https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/isc-logo.pdf
 
 # Common patches
-Patch18: bind-9.5-PIE.patch
-Patch19: bind-9.16-redhat_doc.patch
+# FIXME: Is this still required?
+Patch10: bind-9.5-PIE.patch
+Patch16: bind-9.16-redhat_doc.patch
 Patch22: bind-9.11-fips-tests.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385
+# https://bugzilla.redhat.com/show_bug.cgi?id=2122841
+Patch23: bind-9.18-pkcs11-engine-init.patch
+Patch24: bind-9.18-pkcs11-engine-compat-api.patch
+Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2122010
+Patch26: bind-9.18-unittest-netmgr-unstable.patch
 
 %{?systemd_ordering}
 Requires:       coreutils
@@ -108,13 +113,10 @@ Requires(pre):  shadow-utils
 Requires(post): shadow-utils
 Requires(post): glibc-common
 Requires(post): grep
-Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
-# This wild require should satisfy %%selinux_set_boolean macro only
-# in case it needs to be used
-Requires(post): ((policycoreutils-python-utils and libselinux-utils) if (selinux-policy-targeted or selinux-policy-mls))
-Requires(post): ((selinux-policy and selinux-policy-base) if (selinux-policy-targeted or selinux-policy-mls))
+Requires:       %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Recommends:     %{name}-utils %{name}-dnssec-utils
 %upname_compat %{upname}
+Obsoletes:      %{name}-pkcs11 < 32:9.18.4-2
 
 BuildRequires:  gcc, make
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
@@ -123,8 +125,8 @@ BuildRequires:  systemd-rpm-macros
 BuildRequires:  selinux-policy
 BuildRequires:  findutils sed
 BuildRequires:  libnghttp2-devel
-BuildRequires:  jemalloc-devel
 %if 0%{?fedora}
+BuildRequires:  jemalloc-devel
 BuildRequires:  gnupg2
 %endif
 BuildRequires:  libuv-devel
@@ -135,7 +137,7 @@ BuildRequires:  openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d
 # make unit dependencies
 BuildRequires:  libcmocka-devel
 %endif
-%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+%if %{with UNITTEST} || %{with SYSTEMTEST}
 BuildRequires:  softhsm
 %endif
 %if %{with SYSTEMTEST}
@@ -179,60 +181,12 @@ which resolves host names to IP addresses; a resolver library
 (routines for applications to use when interfacing with DNS); and
 tools for verifying that the DNS server is operating properly.
 
-%if %{with PKCS11}
-%package pkcs11
-Summary: Bind with native PKCS#11 functionality for crypto
-Requires: %{name}%{?_isa} = %{version}-%{release}
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: %{name}-pkcs11-libs%{?_isa} = %{version}-%{release}
-Recommends: softhsm
-
-%description pkcs11
-This is a version of BIND server built with native PKCS#11 functionality.
-It is important to have SoftHSM v2+ installed and some token initialized.
-For other supported HSM modules please check the BIND documentation.
-
-# TODO: Those utils can be used also without pkcs11 variant, but are not?
-%package pkcs11-utils
-Summary: Bind tools with native PKCS#11 for using DNSSEC
-Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2
-Requires: %{name}-dnssec-doc = %{version}-%{release}
-%if %{with PKCS11}
-Requires: %{name}-pkcs11-libs%{?_isa} = %{version}-%{release}
-%endif
-
-%description pkcs11-utils
-This is a set of PKCS#11 utilities that when used together create rsa
-keys in a PKCS11 keystore.
-%if %{with PKCS11}
-Also utilities for working with DNSSEC
-compiled with native PKCS#11 functionality are included.
-%endif
-
-%package pkcs11-libs
-Summary: Bind libraries compiled with native PKCS#11
-Requires: %{name}-license = %{version}-%{release}
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-
-%description pkcs11-libs
-This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
-functionality.
-
-%package pkcs11-devel
-Summary: Development files for Bind libraries compiled with native PKCS#11
-Requires: %{name}-pkcs11-libs%{?_isa} = %{version}-%{release}
-Requires: %{name}-devel%{?_isa} = %{version}-%{release}
-
-%description pkcs11-devel
-This a set of development files for BIND libraries (dns, isc) compiled
-with native PKCS#11 functionality.
-%endif
-
 %package libs
 Summary: Libraries used by the BIND DNS packages
-Requires: %{name}-license = %{version}-%{release}
-Provides: %{name}-libs-lite = %{version}-%{release}
+Requires: %{name}-license = %{epoch}:%{version}-%{release}
+Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-libs-lite < 32:9.16.13
+Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2
 
 %description libs
 Contains heavyweight version of BIND suite libraries used by both named DNS
@@ -247,9 +201,10 @@ Contains license of the BIND DNS suite.
 
 %package utils
 Summary: Utilities for querying DNS name servers
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 # For compatibility with Debian package
-Provides: dnsutils = %{version}-%{release}
+Provides: dnsutils = %{epoch}:%{version}-%{release}
+Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2
 %upname_compat %{upname}-utils
 
 %description utils
@@ -264,9 +219,10 @@ servers.
 
 %package dnssec-utils
 Summary: DNSSEC keys and zones management utilities
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Recommends: %{name}-utils
-Requires: %{name}-dnssec-doc = %{version}-%{release}
+Obsoletes: python3-%{name} < 32:9.18.0
+Obsoletes: %{name}-dnssec-doc < 32:9.18.4-2
 %upname_compat %{upname}-dnssec-utils
 
 %description dnssec-utils
@@ -277,19 +233,11 @@ revocation and verification of keys and DNSSEC signatures in zone files.
 You should install %{name}-dnssec-utils if you need to sign a DNS zone
 or maintain keys for it.
 
-%package dnssec-doc
-Summary: Manual pages of DNSSEC utilities
-Requires: %{name}-license = %{version}-%{release}
-BuildArch:noarch
-
-%description dnssec-doc
-%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils.
-
 %package devel
 Summary:  Header files and libraries needed for bind-dyndb-ldap
-Provides: %{name}-lite-devel = %{version}-%{release}
+Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-lite-devel < 32:9.16.6-3
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
 Requires: libcap-devel%{?_isa}
 %if %{with GSSTSIG}
@@ -318,7 +266,7 @@ Summary:        A chroot runtime environment for the ISC BIND DNS server, named(
 Prefix:         %{chroot_prefix}
 # grep is required due to setup-named-chroot.sh script
 Requires:       grep
-Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description chroot
 This package contains a tree of files which can be used as a
@@ -329,22 +277,22 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
 %if %{with DLZ}
 %package dlz-filesystem
 Summary: BIND server filesystem DLZ module
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description dlz-filesystem
 Dynamic Loadable Zones filesystem module for BIND server.
 
 %package dlz-ldap
 Summary: BIND server ldap DLZ module
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description dlz-ldap
 Dynamic Loadable Zones LDAP module for BIND server.
 
 %package dlz-mysql
 Summary: BIND server mysql and mysqldyn DLZ modules
-Requires: %{name}%{?_isa} = %{version}-%{release}
-Provides: %{name}-dlz-mysqldyn = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Provides: %{name}-dlz-mysqldyn = %{epoch}:%{version}-%{release}
 Obsoletes: %{name}-dlz-mysqldyn < 32:9.16.6-3
 
 %description dlz-mysql
@@ -353,7 +301,7 @@ Contains also mysqldyn module with dynamic DNS updates (DDNS) support.
 
 %package dlz-sqlite3
 Summary: BIND server sqlite3 DLZ module
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
 
 %description dlz-sqlite3
 Dynamic Loadable Zones sqlite3 module for BIND server.
@@ -362,7 +310,7 @@ Dynamic Loadable Zones sqlite3 module for BIND server.
 %if %{with DOC}
 %package doc
 Summary:   BIND 9 Administrator Reference Manual
-Requires:  %{name}-license = %{version}-%{release}
+Requires:  %{name}-license = %{epoch}:%{version}-%{release}
 Requires:  python3-sphinx_rtd_theme
 BuildArch: noarch
 
@@ -384,8 +332,7 @@ in HTML and PDF format.
 # RHEL does not yet support this verification
 %{gpgverify} --keyring='%{SOURCE4}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
 %endif
-%autosetup -n %{upname}-%{version} -p1 -N
-%autopatch -p1 -m 18
+%autosetup -n %{upname}-%{version} -p1
 
 # Sparc and s390 arches need to use -fPIE
 %ifarch sparcv9 sparc64 s390 s390x
@@ -394,9 +341,6 @@ for i in bin/named/Makefile.am; do
 done
 %endif
 
-%if %{with DOCPDF}
-install -pD %{SOURCE50} doc/arm/isc-logo.pdf
-%endif
 :;
 
 
@@ -414,10 +358,11 @@ install -pD %{SOURCE50} doc/arm/isc-logo.pdf
   cp -Tuav bin/tests "%{1}/bin/tests/" \
 
 CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
 %if %{with TSAN}
   CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
 %endif
-export CFLAGS
+export CFLAGS CPPFLAGS
 export STD_CDEFINES="$CPPFLAGS"
 
 
@@ -448,10 +393,6 @@ export LIBDIR_SUFFIX
 %if %{with GEOIP2}
   --with-maxminddb \
 %endif
-%if %{with PKCS11}
-  --enable-native-pkcs11 \
-  --with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
-%endif
 %if %{with GSSTSIG}
   --with-gssapi=yes \
 %endif
@@ -471,6 +412,7 @@ export LIBDIR_SUFFIX
 %endif
   --enable-fixed-rrset \
   --enable-full-report \
+  CPPFLAGS="$CPPFLAGS" \
 ;
 %if %{with DNSTAP}
   pushd lib
@@ -495,13 +437,8 @@ fmtutil-user --missing || :
 
 %if %{with DLZ}
   pushd contrib/dlz/modules
-  for DIR in mysql mysqldyn; do
-    sed -e 's/@DLZ_DRIVER_MYSQL_INCLUDES@/$(shell mysql_config --cflags)/' \
-        -e 's/@DLZ_DRIVER_MYSQL_LIBS@/$(shell mysql_config --libs)/' \
-        $DIR/Makefile.in > $DIR/Makefile
-  done
   for DIR in filesystem ldap mysql mysqldyn sqlite3; do
-    make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
+    make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS -DPTHREADS=1" LDFLAGS="$LDFLAGS"
   done
   popd
 %endif
@@ -511,7 +448,7 @@ popd # build
 %systemtest_prepare_build build
 
 %check
-%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
+%if %{with UNITTEST} || %{with SYSTEMTEST}
   # Tests require initialization of pkcs11 token
   eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
 %endif
@@ -523,12 +460,19 @@ export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
 %if %{with UNITTEST}
   pushd build
   CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
+  THREADS="$CPUS"
+%if %{without UNITTEST_ALL}
+  export CI=true
+%endif
   if [ "$CPUS" -gt 16 ]; then
     ORIGFILES=$(ulimit -n)
-    ulimit -n 4096 || : # Requires on some machines with many cores
+    THREADS=16
+    ulimit -n 8092 || : # Requires on some machines with many cores
   fi
-  make unit
-  e=$?
+  e=0
+  make unit -j${THREADS} || e=$?
+  # Display details of failure
+  cat tests/*/test-suite.log
   if [ "$e" -ne 0 ]; then
     echo "ERROR: this build of BIND failed 'make unit'. Aborting."
     exit $e;
@@ -606,17 +550,11 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
 
-%if %{with PKCS11}
-install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
-%endif
-
 mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
 install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
 install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
 
-%if %{with PKCS11}
 install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
-%endif
 
 install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
@@ -651,22 +589,6 @@ popd
 # Remove libtool .la files:
 find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
 
-# PKCS11 versions manpages
-%if %{with PKCS11}
-pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
-ln -s named.8.gz named-pkcs11.8.gz
-ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
-ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
-ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
-ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
-ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
-ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
-ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
-ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
-ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
-popd
-%endif
-
 # 9.16.4 installs even manual pages for tools not generated
 %if %{without DNSTAP}
 rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
@@ -686,6 +608,8 @@ popd
 mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
 cp -a build/doc/arm/_build/html ${RPM_BUILD_ROOT}%{_pkgdocdir}
 rm -rf ${RPM_BUILD_ROOT}%{_pkgdocdir}/html/.{buildinfo,doctrees}
+# Backward compatible link to 9.11 documentation
+(cd ${RPM_BUILD_ROOT}%{_pkgdocdir} && ln -s html/index.html Bv9ARM.html)
 # Share static data from original sphinx package
 for DIR in %{python3_sitelib}/sphinx_rtd_theme/static/*
 do
@@ -748,10 +672,6 @@ fi;
 
 %post
 %?ldconfig
-if [ -e "%{_sysconfdir}/selinux/config" ]; then
-  %selinux_set_booleans -s targeted %{selinuxbooleans}
-  %selinux_set_booleans -s mls %{selinuxbooleans}
-fi
 if [ "$1" -eq 1 ]; then
   # Initial installation
   [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
@@ -785,24 +705,6 @@ fi
 %?ldconfig
 # Package upgrade, not uninstall
 %systemd_postun_with_restart named.service
-if [ -e "%{_sysconfdir}/selinux/config" ]; then
-  %selinux_unset_booleans -s targeted %{selinuxbooleans}
-  %selinux_unset_booleans -s mls %{selinuxbooleans}
-fi
-
-%if %{with PKCS11}
-%post pkcs11
-# Initial installation
-%systemd_post named-pkcs11.service
-
-%preun pkcs11
-# Package removal, not upgrade
-%systemd_preun named-pkcs11.service
-
-%postun pkcs11
-# Package upgrade, not uninstall
-%systemd_postun_with_restart named-pkcs11.service
-%endif
 
 # Fix permissions on existing device files on upgrade
 %define chroot_fix_devices() \
@@ -820,11 +722,18 @@ fi
 /sbin/chkconfig --del named >/dev/null 2>&1 || :
 /bin/systemctl try-restart named.service >/dev/null 2>&1 || :
 
-%ldconfig_scriptlets libs
+%triggerpostun -- bind < 32:9.18.4-2, selinux-policy, policycoreutils
+if [ -x %{_sbindir}/selinuxenabled ] && [ -x %{_sbindir}/getsebool ] && [ -x %{_sbindir}/setsebool ] \
+   && %{_sbindir}/selinuxenabled && [ -x %{_sbindir}/named ]; then
+  # Return master zones after upgrade from selinux_booleans version
+  WRITEBOOL="$(LC_ALL=C %{_sbindir}/getsebool named_write_master_zones)"
+  if [ "echo ${WRITEBOOL#named_write_master_zones --> }" = "off" ]; then
+    echo "Restoring new sebool default of named_write_master_zones..."
+    %{_sbindir}/setsebool -P named_write_master_zones=1 || :
+  fi
+fi
 
-%if %{with PKCS11}
-%ldconfig_scriptlets pkcs11-libs
-%endif
+%ldconfig_scriptlets libs
 
 %post chroot
 %systemd_post named-chroot.service
@@ -868,6 +777,7 @@ fi;
 %{_sbindir}/rndc*
 %{_sbindir}/named-checkconf
 %{_libexecdir}/generate-rndc-key.sh
+%{_libexecdir}/setup-named-softhsm.sh
 %{_mandir}/man1/mdig.1*
 %{_mandir}/man1/named-rrchecker.1*
 %{_mandir}/man5/named.conf.5*
@@ -956,15 +866,7 @@ fi;
 
 %files dnssec-utils
 %{_bindir}/dnssec*
-%if %{with PKCS11}
-%exclude %{_sbindir}/dnssec*pkcs11
-%endif
-
-%files dnssec-doc
 %{_mandir}/man1/dnssec*.1*
-%if %{with PKCS11}
-%exclude %{_mandir}/man1/dnssec*-pkcs11.1*
-%endif
 
 %files devel
 %{_libdir}/libbind9.so
@@ -1021,33 +923,6 @@ fi;
 %dir %{chroot_prefix}/run/named
 %{chroot_prefix}%{_localstatedir}/run
 
-%if %{with PKCS11}
-%files pkcs11
-%{_sbindir}/named-pkcs11
-%{_unitdir}/named-pkcs11.service
-%{_mandir}/man8/named-pkcs11.8*
-%{_libexecdir}/setup-named-softhsm.sh
-
-%files pkcs11-utils
-%{_bindir}/pkcs11-destroy
-%{_bindir}/pkcs11-keygen
-%{_bindir}/pkcs11-list
-%{_bindir}/pkcs11-tokens
-%{_mandir}/man1/pkcs11-*.1*
-%if %{with PKCS11}
-%{_bindir}/dnssec*pkcs11
-%{_mandir}/man1/dnssec*-pkcs11.1*
-%endif
-
-%files pkcs11-libs
-%{_libdir}/libdns-pkcs11-%{version}*.so
-%{_libdir}/libns-pkcs11-%{version}*.so
-
-%files pkcs11-devel
-%{_libdir}/libdns-pkcs11.so
-%{_libdir}/libns-pkcs11.so
-%endif
-
 %if %{with DLZ}
 %files dlz-filesystem
 %{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
@@ -1072,32 +947,146 @@ fi;
 %files doc
 %dir %{_pkgdocdir}
 %doc %{_pkgdocdir}/html
+%doc %{_pkgdocdir}/Bv9ARM.html
 %endif
 %if %{with DOCPDF}
 %doc %{_pkgdocdir}/Bv9ARM.pdf
 %endif
 
 %changelog
-* Tue Jan 25 2022 Petr Menšík <pemensik@redhat.com> - 9.17.22-2
+* Wed Sep 14 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-4
+- Disable yet another test (##2122010)
+
+* Tue Sep 06 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-3
+- Return OpenSSL engine implementation for pkcs11 interface (#2122841)
+- Skip problematic netmgr unit tests (#2122010)
+- Properly obsolete bind-dnssec-doc
+
+* Thu Sep 01 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-2
+- Always show error details for failed unittests (#2122010)
+
+* Tue Aug 30 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-1
+- Update to 9.18.6 (#2119132)
+- Report unit tests detailed results
+
+* Thu Aug 04 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.5-2
+- Use multiple threads on unit tests, but 16 at most
+
+* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.5-1
+- Update to 9.18.5 (#2109170)
+- Return doc symlink to main page
+
+* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-2
+- Stop enabling selinux booleans on every upgrade
+- Deprecate python3-bind for smooth upgrade
+- Remove PKCS1111 native utilities, libs and daemon
+
+* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
+- Update to 9.18.4 (#2057493)
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.30-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.30-1
+- Update to 9.16.30 (#2097312)
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 32:9.16.29-2
+- Rebuilt for Python 3.11
+
+* Thu May 26 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.29-1
+- Update to 9.16.29 (#2087920)
+- Fix netmgr_test fails on s390x (#2088125)
+
+* Tue May 17 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.28-2
+- Parse again timeout and attempts from resolv.conf (#2087156)
+- Reenable unit tests during build
+
+* Wed Apr 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.28-1
+- Update to 9.16.28 (#2076941)
+
+* Thu Mar 17 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.27-1
+- Upgrade to 9.16.27 (#2055120)
+
+* Tue Mar 01 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.26-2
+- Switch to locked queue (#2048235)
+
+* Thu Feb 17 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.26-1
+- Update to 9.16.26 (#2055120)
+
+* Fri Feb 11 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.25-3
+- Allow reservation of extra hp threads (#2048235)
+
+* Tue Jan 25 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.25-2
 - Replace master with primary in configuration
 
-* Fri Jan 21 2022 Petr Menšík <pemensik@redhat.com> - 9.17.22-1
-- Update to 9.17.22
+* Fri Jan 21 2022 Petr Menšík <pemensik@redhat.com> - 32:9.16.25-1
+- Update to 9.16.25 (#2042504)
 
-* Mon Dec 20 2021 Petr Menšík <pemensik@redhat.com> - 9.17.21-1
-- Update to 9.17.21, enable jemalloc support
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.24-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 
-* Mon Nov 29 2021 Petr Menšík <pemensik@redhat.com> - 32:9.17.20-1
-- Update to 9.17.20
-- Propagate ephemeral port ranges to chroot (#2013597)
+* Wed Dec 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.24-2
+- Build with OpenLDAP 2.6 (#2032704)
+
+* Wed Dec 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.24-1
+- Update to 9.16.24 (#2032934)
+
+* Fri Nov 26 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-2
 - Correct with GEOIP2 condition (#2026823)
-- Import changes for simple rename (#1873486)
-- Do not depend on systemd package
-- Move backward compatibility to shared define
 
-* Fri Jun 25 2021 Petr Menšík <pemensik@redhat.com> - 32:9.17.15-1
-- Update to 9.17.15
-- Moved some utilities from /usr/sbin to /usr/bin
+* Fri Nov 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-1
+- Update to 9.16.23 (#2024210)
+
+* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 32:9.16.22-2
+- Rebuilt for protobuf 3.19.0
+
+* Wed Oct 27 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.22-1
+- Update to 9.16.22
+
+* Sun Oct 24 2021 Adrian Reber <adrian@lisas.de> - 32:9.16.21-3
+- Rebuilt for protobuf 3.18.1
+
+* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.21-2
+- Propagate ephemeral port ranges to chroot (#2013597)
+
+* Wed Sep 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.21-1
+- Update to 9.16.21
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 32:9.16.20-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Aug 25 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-3
+- Increase map format version, lower memory consuption a bit (#1997504)
+- Remove unneeded test variants changes
+- Include documentation of dig return codes
+
+* Thu Aug 19 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-2
+- Fix map file format regression
+
+* Tue Aug 17 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.20-1
+- Update to 9.16.20
+
+* Thu Aug 05 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-4
+- Do not depend on systemd package
+
+* Tue Aug 03 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-3
+- Reenable PDF building again (#1984687)
+
+* Fri Jul 23 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-2
+- Include backward compatible html symlink in doc subpackage
+
+* Wed Jul 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.19-1
+- Update to 9.16.19 (#1984627)
+- Disable PDF rebuild on Rawhide (#1984687)
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.18-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sat Jul 10 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.18-4
+- Disable PDF building on ELN
+
+* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 32:9.16.18-3
+- Rebuild for versioned symbols in json-c
 
 * Tue Jun 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.18-2
 - Re-enable building of PDF ARM documentation

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}
+
+#gating rawhide
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tier1-public.functional}

generate-rndc-key.sh

@@ -1,10 +1,21 @@
 #!/bin/bash
 
-. /etc/rc.d/init.d/functions
+if [ -r /etc/rc.d/init.d/functions ]; then
+	. /etc/rc.d/init.d/functions
+else
+success() {
+	echo $" OK "
+}
+
+failure() {
+	echo -n " "
+	echo $"FAILED"
+}
+fi
 
 # This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
 
-if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+if [ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]; then
   echo -n $"Generating /etc/rndc.key:"
   if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
   then
@@ -14,8 +25,9 @@ if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
     success $"/etc/rndc.key generation"
     echo
   else
+    rc=$?
     failure $"/etc/rndc.key generation"
     echo
-    exit 1
+    exit $rc
   fi
 fi

plans/all.fmf

@@ -0,0 +1,6 @@
+summary: Test plan with all beakerlib tests
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/bind.git
+execute:
+    how: tmt

plans/tier1-public.fmf

@@ -0,0 +1,7 @@
+summary: Public (Fedora) Tier1 beakerlib tests
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/bind.git
+    filter: 'tier: 1'
+execute:
+    how: tmt

sources

@@ -1,2 +1,2 @@
-SHA512 (bind-9.17.22.tar.xz) = 61dafd317cf10a73961c885b6d0bf75dc0c06df6163708c4fd2a60d6bf72bd2628bb0d1c111ceb725bc4ac9d5229f39f63a36ef7c05dc20a1b9b25acabfe8b92
-SHA512 (bind-9.17.22.tar.xz.asc) = f75a2361a5ffea8f85ae3053841a0c618217c7bbe3428d3ffaba900c9692f5f315f572b4c48f8d219e2293a3dc0df0085d425da0bc4a9598fced4b712efa8fd2
+SHA512 (bind-9.18.6.tar.xz) = 6b31eb56cf25b2cb1d8af0f76f9cac0e0985c78cbe3ba80164d773cb0bf77116dd98b5c4b84e3c74fd35b5da501ee6ba2dc0fae12267104edde2cb2daa1e1ba7
+SHA512 (bind-9.18.6.tar.xz.asc) = 13629b56acb02ca1fe861e6a17e949fee276de83624d972174893e48cc5de650a2a0081262e5e0d6913360861e2c91fed6b808ed8ae702e5cb2e2380eacf163b