Import some data from bind branch bind9-dev

Imports commit  7e1db866748aef3c07657e0761b19aec6de9bf6f

.gitignore

@@ -0,0 +1,116 @@
+bind-9.7.1-P2.tar.gz
+config-8.tar.bz2
+bind-9.7.2b1.tar.gz
+/config-8.tar.bz2
+/bind-9.7.2rc1.tar.gz
+/bind-9.7.2.tar.gz
+/bind-9.7.2-P2.tar.gz
+/bind-9.7.2-P3.tar.gz
+/bind-9.7.3b1.tar.gz
+/bind-9.7.3rc1.tar.gz
+/bind-9.7.3.tar.gz
+/bind-9.8.0rc1.tar.gz
+/bind-9.8.0.tar.gz
+/bind-9.8.0-P1.tar.gz
+/bind-9.8.0-P2.tar.gz
+/bind-9.8.0-P4.tar.gz
+/bind-9.8.1rc1.tar.gz
+/bind-9.8.1.tar.gz
+/bind-9.9.0b1.tar.gz
+/bind-9.9.0b2.tar.gz
+/bind-9.9.0rc1.tar.gz
+/bind-9.9.0rc2.tar.gz
+/bind-9.9.0.tar.gz
+/bind-9.9.1.tar.gz
+/bind-9.9.1-P1.tar.gz
+/bind-9.9.1-P2.tar.gz
+/bind-9.9.1-P3.tar.gz
+/bind-9.9.2.tar.gz
+/bind-9.9.2-P1.tar.gz
+/config-9.tar.bz2
+/config-10.tar.bz2
+/bind-9.9.2-P2.tar.gz
+/bind-9.9.3rc1.tar.gz
+/config-11.tar.bz2
+/bind-9.9.3rc2.tar.gz
+/bind-9.9.3.tar.gz
+/bind-9.9.3-P1.tar.gz
+/bind-9.9.4b1.tar.gz
+/bind-9.9.4rc1.tar.gz
+/bind-9.9.4rc2.tar.gz
+/bind-9.9.4.tar.gz
+/config-12.tar.bz2
+/bind-9.9.5b1.tar.gz
+/bind-9.9.5rc2.tar.gz
+/bind-9.9.5.tar.gz
+/bind-9.9.5-P1.tar.gz
+/bind-9.9.6.tar.gz
+/bind-9.9.6-P1.tar.gz
+/bind-9.10.1b2.tar.gz
+/bind-9.10.1.tar.gz
+/bind-9.10.1-P1.tar.gz
+/bind-9.10.2rc1.tar.gz
+/bind-9.10.2rc2.tar.gz
+/bind-9.10.2.tar.gz
+/config-13.tar.bz2
+/config-14.tar.bz2
+/bind-9.10.2-P1.tar.gz
+/bind-9.10.2-P2.tar.gz
+/bind-9.10.2-P3.tar.gz
+/bind-9.10.3rc1.tar.gz
+/bind-9.10.3.tar.gz
+/bind-9.10.3-P2.tar.gz
+/config-15.tar.bz2
+/bind-9.10.3-P3.tar.gz
+/bind-9.10.3-P4.tar.gz
+/bind-9.10.4-P1.tar.gz
+/bind-9.10.4-P2.tar.gz
+/bind-9.10.4-P3.tar.gz
+/bind-9.10.4-P4.tar.gz
+/bind-9.11.0-P1.tar.gz
+/bind-9.11.0-P2.tar.gz
+/bind-9.11.0-P3.tar.gz
+/bind-9.11.0-P5.tar.gz
+/config-16.tar.bz2
+/bind-9.11.1-P1.tar.gz
+/bind-9.11.1-P2.tar.gz
+/bind-9.11.1-P3.tar.gz
+/bind-9.11.2b1.tar.gz
+/bind-9.11.2.tar.gz
+/config-17.tar.bz2
+/bind-9.11.2-P1.tar.gz
+/bind-9.11.3b1.tar.gz
+/bind-9.11.3.tar.gz
+/config-18.tar.bz2
+/bind-9.11.4rc1.tar.gz
+/bind-9.11.4.tar.gz
+/bind-9.11.4-P1.tar.gz
+/bind-9.11.4-P2.tar.gz
+/bind-9.11.5.tar.gz
+/bind-9.11.5-P1.tar.gz
+/config-19.tar.bz2
+/bind-9.11.5-P4.tar.gz
+/bind-9.11.6.tar.gz
+/bind-9.11.6-P1.tar.gz
+/bind-9.14.4.tar.gz
+/bind-9.11.7.tar.gz
+/bind-9.11.8.tar.gz
+/bind-9.11.9.tar.gz
+/bind-9.11.10.tar.gz
+/bind-9.11.11.tar.gz
+/bind-9.11.12.tar.gz
+/bind-9.11.13.tar.gz
+/bind-9.11.13.tar.gz.asc
+/bind-9.11.14.tar.gz
+/bind-9.11.14.tar.gz.asc
+/bind-9.16.1.tar.xz
+/bind-9.16.1.tar.xz.asc
+/bind-9.17.0.tar.xz
+/bind-9.17.0.tar.xz.asc
+/bind-9.17.4.tar.xz
+/bind-9.17.4.tar.xz.asc
+/bind-9.17.15.tar.xz
+/bind-9.17.15.tar.xz.asc
+/bind-9.17.20.tar.xz
+/bind-9.17.20.tar.xz.asc
+/isc-logo.pdf

Changes.md

@@ -0,0 +1,12 @@
+= Changes in BIND9 package =
+
+== 9.14 ==
+
+- single thread support removed. Cannot provide bind-export-libs for DHCP
+- lwres support completely removed. Both daemon and library
+- common parts of daemon moved into libns shared library
+- introduced plugin for filtering aaaa responses
+- some SDB utilities no longer supported
+
+=== 9.14.7 ===
+[notes](https://downloads.isc.org/isc/bind9/9.14.7/RELEASE-NOTES-bind-9.14.7.html)

README.md

@@ -1,3 +1,33 @@
-# bind9-next
+# BIND 9
 
-The bind9-next package
+[BIND (Berkeley Internet Name Domain)](https://www.isc.org/downloads/bind/doc/) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+Internet Systems Consortium
+([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
+corporation dedicated to providing software and services in support of the
+Internet infrastructure, developed BIND 9 and is responsible for its
+ongoing maintenance and improvement.
+
+More details about upstream project can be found on their
+[gitlab](https://gitlab.isc.org/isc-projects/bind9). This repository contains
+only upstream sources and packaging instructions for
+[Fedora Project](https://fedoraproject.org).
+
+## Subpackages
+
+The package contains several subpackages, some of them can be disabled on rebuild.
+
+* **bind** -- *named* daemon providing DNS server
+* **bind-utils** -- set of tools to analyse DNS responses or update entries (dig, host)
+* **bind-doc** -- documentation for current bind, *BIND 9 Administrator Reference Manual*.
+* **bind-license** -- Shared license for all packages but bind-export-libs.
+* **bind-libs** -- Shared libraries used by some others programs
+* **bind-devel** -- Development headers for libs. Can be disabled by `--without DEVEL`
+
+
+## Optional features
+
+* *GSSTSIG* -- Support for Kerberos authentication in BIND.
+* *LMDB* -- Support for dynamic database for managing runtime added zones. Provides faster removal of added zone with much less overhead. But requires lmdb linked to base libs.
+* *DLZ* -- Support for dynamic loaded modules providing support for features *bind-sdb* provides, but only small module is required.

bind-9.10-sdb-sqlite-bld.patch

@@ -0,0 +1,53 @@
+diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
+index 1894830..445182a 100644
+--- a/bin/named-sdb/Makefile.in
++++ b/bin/named-sdb/Makefile.in
+@@ -34,10 +34,10 @@ top_srcdir =	@top_srcdir@
+ #
+ # Add database drivers here.
+ #
+-DBDRIVER_OBJS =	ldapdb.@O@ pgsqldb.@O@ dirdb.@O@
+-DBDRIVER_SRCS =	ldapdb.c pgsqldb.c dirdb.c
++DBDRIVER_OBJS =	ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
++DBDRIVER_SRCS =	ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
+ DBDRIVER_INCLUDES =
+-DBDRIVER_LIBS =	-lldap -llber -lpq
++DBDRIVER_LIBS =	-lldap -llber -lsqlite3 -lpq
+ 
+ DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+ 
+diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
+index 7f3c5e2..b1bca66 100644
+--- a/bin/sdb_tools/Makefile.in
++++ b/bin/sdb_tools/Makefile.in
+@@ -32,11 +32,11 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ 		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+ 
+-TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@
++TARGETS =	zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
+ 
+-OBJS	=	zone2ldap.@O@ zonetodb.@O@
++OBJS	=	zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
+ 
+-SRCS    =       zone2ldap.c zonetodb.c
++SRCS    =       zone2ldap.c zonetodb.c zone2sqlite.c
+ 
+ MANPAGES =      zone2ldap.1
+ 
+@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
+ zonetodb@EXEEXT@: zonetodb.@O@  ${DEPLIBS}
+ 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+ 
++zone2sqlite@EXEEXT@: zone2sqlite.@O@  ${DEPLIBS}
++	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
++
+ clean distclean manclean maintainer-clean::
+ 	rm -f ${TARGETS} ${OBJS}
+ 
+@@ -60,4 +63,5 @@ installdirs:
+ install:: ${TARGETS} installdirs
+ 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+ 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@  ${DESTDIR}${sbindir}
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
+ 	${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1

bind-9.10-use-of-strlcat.patch

@@ -0,0 +1,18 @@
+diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
+index d56bc56..99c3314 100644
+--- a/bin/sdb_tools/zone2ldap.c
++++ b/bin/sdb_tools/zone2ldap.c
+@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+     }
+ 
+ 
+-      strlcat (dn, tmp, sizeof (dn));
++      strncat (dn, tmp, sizeof (dn) - strlen (dn));
+     }
+ 
+   sprintf (tmp, "dc=%s", dc_list[0]);
+-  strlcat (dn, tmp, sizeof (dn));
++  strncat (dn, tmp, sizeof (dn) - strlen (dn));
+ 
+ 	    fflush(NULL);
+   return dn;

bind-9.11-fips-disable.patch

@@ -0,0 +1,65 @@
+From 2b0dce163a119f5f62eb4428b485f7575f321d6f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Mon, 5 Aug 2019 11:54:03 +0200
+Subject: [PATCH] Allow explicit disabling of autodisabled MD5
+
+Default security policy might include explicitly disabled RSAMD5
+algorithm. Current FIPS code automatically disables in FIPS mode. But if
+RSAMD5 is included in security policy, it fails to start, because that
+algorithm is not recognized. Allow it disabled, but fail on any
+other usage.
+---
+ bin/named/server.c | 4 ++--
+ lib/bind9/check.c  | 4 ++++
+ lib/dns/rcode.c    | 1 +
+ 3 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index ee23f10..22a5c01 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -1689,12 +1689,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
+ 		r.length = strlen(r.base);
+ 
+ 		result = dns_secalg_fromtext(&alg, &r);
+-		if (result != ISC_R_SUCCESS) {
++		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
+ 			uint8_t ui;
+ 			result = isc_parse_uint8(&ui, r.base, 10);
+ 			alg = ui;
+ 		}
+-		if (result != ISC_R_SUCCESS) {
++		if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
+ 			cfg_obj_log(cfg_listelt_value(element), named_g_lctx,
+ 				    ISC_LOG_ERROR, "invalid algorithm");
+ 			CHECK(result);
+diff --git a/lib/bind9/check.c b/lib/bind9/check.c
+index f49a346..dbf9ddb 100644
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -317,6 +317,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
+ 		r.length = strlen(r.base);
+ 
+ 		tresult = dns_secalg_fromtext(&alg, &r);
++		if (tresult == ISC_R_DISABLED) {
++			// Recognize disabled algorithms, disable it explicitly
++			tresult = ISC_R_SUCCESS;
++		}
+ 		if (tresult != ISC_R_SUCCESS) {
+ 			cfg_obj_log(cfg_listelt_value(element), logctx,
+ 				    ISC_LOG_ERROR, "invalid algorithm '%s'",
+diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
+index 327248e..78adf63 100644
+--- a/lib/dns/rcode.c
++++ b/lib/dns/rcode.c
+@@ -152,6 +152,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
+ static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
+ static struct tbl certs[] = { CERTNAMES };
+ static struct tbl secalgs[] = { SECALGNAMES };
++static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
+ static struct tbl secprotos[] = { SECPROTONAMES };
+ static struct tbl hashalgs[] = { HASHALGNAMES };
+ static struct tbl dsdigests[] = { DSDIGESTNAMES };
+-- 
+2.21.1
+

bind-9.11-fips-tests.patch

@@ -0,0 +1,922 @@
+From 0e06aaa5fdd3a537d9646801082c569dbeda4ac3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 2 Aug 2018 23:46:45 +0200
+Subject: [PATCH] FIPS tests changes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Squashed commit of the following:
+
+commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 20:35:13 2018 +0100
+
+    Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
+
+commit ab303db70082db76ecf36493d0b82ef3e8750cad
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 18:11:10 2018 +0100
+
+    Changed root key to be RSASHA256
+
+    Change bad trusted key to be the same algorithm.
+
+commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 16:56:17 2018 +0100
+
+    Change used key to not use hmac-md5
+
+    Fix upforwd test, do not use hmac-md5
+
+commit aec891571626f053acfb4d0a247240cbc21a84e9
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 15:54:11 2018 +0100
+
+    Increase bitsize of DSA key to pass FIPS 140-2 mode.
+
+commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 15:41:08 2018 +0100
+
+    Fix tsig and rndc tests for disabled md5
+
+    Use hmac-sha256 instead of hmac-md5.
+
+commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 13:21:00 2018 +0100
+
+    Add md5 availability detection to featuretest
+
+commit f389a918803e2853e4b55fed62765dc4a492e34f
+Author: Petr Menšík <pemensik@redhat.com>
+Date:   Wed Mar 7 10:44:23 2018 +0100
+
+    Change tests to not use hmac-md5 algorithms if not required
+
+    Use hmac-sha256 instead of default hmac-md5 for allow-query
+---
+ bin/tests/system/acl/ns2/named1.conf.in       |  4 +-
+ bin/tests/system/acl/ns2/named2.conf.in       |  4 +-
+ bin/tests/system/acl/ns2/named3.conf.in       |  6 +-
+ bin/tests/system/acl/ns2/named4.conf.in       |  4 +-
+ bin/tests/system/acl/ns2/named5.conf.in       |  4 +-
+ bin/tests/system/acl/tests.sh                 | 32 ++++-----
+ .../system/allow-query/ns2/named10.conf.in    |  2 +-
+ .../system/allow-query/ns2/named11.conf.in    |  4 +-
+ .../system/allow-query/ns2/named12.conf.in    |  2 +-
+ .../system/allow-query/ns2/named30.conf.in    |  2 +-
+ .../system/allow-query/ns2/named31.conf.in    |  4 +-
+ .../system/allow-query/ns2/named32.conf.in    |  2 +-
+ .../system/allow-query/ns2/named40.conf.in    |  4 +-
+ bin/tests/system/allow-query/tests.sh         | 18 ++---
+ bin/tests/system/catz/ns1/named.conf.in       |  2 +-
+ bin/tests/system/catz/ns2/named.conf.in       |  2 +-
+ bin/tests/system/checkconf/bad-tsig.conf      |  2 +-
+ bin/tests/system/checkconf/good.conf          |  2 +-
+ bin/tests/system/feature-test.c               | 14 ++++
+ bin/tests/system/notify/ns5/named.conf.in     |  6 +-
+ bin/tests/system/notify/tests.sh              |  6 +-
+ bin/tests/system/nsupdate/ns1/named.conf.in   |  2 +-
+ bin/tests/system/nsupdate/ns2/named.conf.in   |  2 +-
+ bin/tests/system/nsupdate/setup.sh            |  6 +-
+ bin/tests/system/nsupdate/tests.sh            | 11 +++-
+ bin/tests/system/rndc/setup.sh                |  2 +-
+ bin/tests/system/rndc/tests.sh                | 22 ++++---
+ bin/tests/system/tsig/ns1/named.conf.in       | 10 +--
+ bin/tests/system/tsig/setup.sh                |  5 ++
+ bin/tests/system/tsig/tests.sh                | 65 ++++++++++++-------
+ bin/tests/system/upforwd/ns1/named.conf.in    |  2 +-
+ bin/tests/system/upforwd/tests.sh             |  2 +-
+ 32 files changed, 149 insertions(+), 106 deletions(-)
+
+diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
+index 60f22e1..249f672 100644
+--- a/bin/tests/system/acl/ns2/named1.conf.in
++++ b/bin/tests/system/acl/ns2/named1.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
+index ada97bc..f82d858 100644
+--- a/bin/tests/system/acl/ns2/named2.conf.in
++++ b/bin/tests/system/acl/ns2/named2.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
+index 97684e4..de6a2e9 100644
+--- a/bin/tests/system/acl/ns2/named3.conf.in
++++ b/bin/tests/system/acl/ns2/named3.conf.in
+@@ -33,17 +33,17 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key three {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
+index 462b3fa..994b35c 100644
+--- a/bin/tests/system/acl/ns2/named4.conf.in
++++ b/bin/tests/system/acl/ns2/named4.conf.in
+@@ -33,12 +33,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
+index 728da58..8f00d09 100644
+--- a/bin/tests/system/acl/ns2/named5.conf.in
++++ b/bin/tests/system/acl/ns2/named5.conf.in
+@@ -35,12 +35,12 @@ options {
+ };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
+index a48f868..fab277b 100644
+--- a/bin/tests/system/acl/tests.sh
++++ b/bin/tests/system/acl/tests.sh
+@@ -21,14 +21,14 @@ echo_i "testing basic ACL processing"
+ # key "one" should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ 
+ # any other key should be fine
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ copy_setports ns2/named2.conf.in ns2/named.conf
+@@ -38,18 +38,18 @@ sleep 5
+ # prefix 10/8 should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # any other address should work, as long as it sends key "one"
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ echo_i "testing nested ACL processing"
+@@ -61,31 +61,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # but only one or the other should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ t=`expr $t + 1`
+@@ -96,7 +96,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
+ # and other values? right out
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
+@@ -107,31 +107,31 @@ sleep 5
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should succeed
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
+ 
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ # should fail
+ t=`expr $t + 1`
+ $DIG $DIGOPTS tsigzone. \
+-	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
++	@10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
+ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
+ 
+ echo_i "testing allow-query-on ACL processing"
+diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
+index 7d43e36..f7b25f9 100644
+--- a/bin/tests/system/allow-query/ns2/named10.conf.in
++++ b/bin/tests/system/allow-query/ns2/named10.conf.in
+@@ -10,7 +10,7 @@
+  */
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
+index 2952518..121557e 100644
+--- a/bin/tests/system/allow-query/ns2/named11.conf.in
++++ b/bin/tests/system/allow-query/ns2/named11.conf.in
+@@ -10,12 +10,12 @@
+  */
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234efgh8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
+index 0c01071..ceabbb5 100644
+--- a/bin/tests/system/allow-query/ns2/named12.conf.in
++++ b/bin/tests/system/allow-query/ns2/named12.conf.in
+@@ -10,7 +10,7 @@
+  */
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
+index 4c17292..9cd9d1f 100644
+--- a/bin/tests/system/allow-query/ns2/named30.conf.in
++++ b/bin/tests/system/allow-query/ns2/named30.conf.in
+@@ -10,7 +10,7 @@
+  */
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
+index a2690a4..f488730 100644
+--- a/bin/tests/system/allow-query/ns2/named31.conf.in
++++ b/bin/tests/system/allow-query/ns2/named31.conf.in
+@@ -10,12 +10,12 @@
+  */
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234efgh8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
+index a0708c8..51fa457 100644
+--- a/bin/tests/system/allow-query/ns2/named32.conf.in
++++ b/bin/tests/system/allow-query/ns2/named32.conf.in
+@@ -10,7 +10,7 @@
+  */
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
+index 687768e..d24d6d2 100644
+--- a/bin/tests/system/allow-query/ns2/named40.conf.in
++++ b/bin/tests/system/allow-query/ns2/named40.conf.in
+@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
+ acl badaccept { 10.53.0.1; };
+ 
+ key one {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234abcd8765";
+ };
+ 
+ key two {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "1234efgh8765";
+ };
+ 
+diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
+index cdc970a..e06ede2 100644
+--- a/bin/tests/system/allow-query/tests.sh
++++ b/bin/tests/system/allow-query/tests.sh
+@@ -181,7 +181,7 @@ rndc_reload ns2 10.53.0.2
+ 
+ echo_i "test $n: key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -194,7 +194,7 @@ rndc_reload ns2 10.53.0.2
+ 
+ echo_i "test $n: key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -207,7 +207,7 @@ rndc_reload ns2 10.53.0.2
+ 
+ echo_i "test $n: key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -340,7 +340,7 @@ rndc_reload ns2 10.53.0.2
+ 
+ echo_i "test $n: views key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -353,7 +353,7 @@ rndc_reload ns2 10.53.0.2
+ 
+ echo_i "test $n: views key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -366,7 +366,7 @@ rndc_reload ns2 10.53.0.2
+ 
+ echo_i "test $n: views key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -499,7 +499,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key allowed - query allowed"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -509,7 +509,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key not allowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+@@ -519,7 +519,7 @@ status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo_i "test $n: zone key disallowed - query refused"
+ ret=0
+-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
+ grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
+ grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
+index 1218669..e62715e 100644
+--- a/bin/tests/system/catz/ns1/named.conf.in
++++ b/bin/tests/system/catz/ns1/named.conf.in
+@@ -61,5 +61,5 @@ zone "catalog4.example" {
+ 
+ key tsig_key. {
+ 	secret "LSAnCU+Z";
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
+index 3a017b1..5417463 100644
+--- a/bin/tests/system/catz/ns2/named.conf.in
++++ b/bin/tests/system/catz/ns2/named.conf.in
+@@ -70,5 +70,5 @@ zone "catalog4.example" {
+ 
+ key tsig_key. {
+ 	secret "LSAnCU+Z";
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e..e57c308 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+ 
+ /* Bad secret */
+ key "badtsig" {
+-	algorithm hmac-md5;
++	algorithm hmac-sha256;
+ 	secret "jEdD+BPKg==";
+ };
+ 
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index 2373425..7b87b04 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -268,6 +268,6 @@ dyndb "name" "library.so" {
+ 	system;
+ };
+ key "mykey" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 72c09ae..4095d92 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -14,6 +14,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ 
++#include <isc/md.h>
+ #include <isc/net.h>
+ #include <isc/print.h>
+ #include <isc/util.h>
+@@ -129,6 +130,19 @@ main(int argc, char **argv) {
+ #endif
+ 	}
+ 
++	if (strcmp(argv[1], "--md5") == 0) {
++		unsigned char digest[ISC_MAX_MD_SIZE];
++		const unsigned char test[] = "test";
++		unsigned int size = sizeof(digest);
++
++		if (isc_md(ISC_MD_MD5, test, sizeof(test),
++		           digest, &size) == ISC_R_SUCCESS) {
++			return (0);
++		} else {
++			return (1);
++		}
++	}
++
+ 	if (strcmp(argv[1], "--ipv6only=no") == 0) {
+ #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
+ 		int s;
+diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
+index 1ee8df4..2b75d9a 100644
+--- a/bin/tests/system/notify/ns5/named.conf.in
++++ b/bin/tests/system/notify/ns5/named.conf.in
+@@ -10,17 +10,17 @@
+  */
+ 
+ key "a" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "aaaaaaaaaaaaaaaaaaaa";
+ };
+ 
+ key "b" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "bbbbbbbbbbbbbbbbbbbb";
+ };
+ 
+ key "c" {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "cccccccccccccccccccc";
+ };
+ 
+diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
+index e8a00ea..978082c 100644
+--- a/bin/tests/system/notify/tests.sh
++++ b/bin/tests/system/notify/tests.sh
+@@ -211,16 +211,16 @@ ret=0
+ $NSUPDATE << EOF
+ server 10.53.0.5 ${PORT}
+ zone x21
+-key a aaaaaaaaaaaaaaaaaaaa
++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
+ update add added.x21 0 in txt "test string"
+ send
+ EOF
+ 
+ for i in 1 2 3 4 5 6 7 8 9
+ do
+-	$DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
++	$DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
+ 		txt > dig.out.b.ns5.test$n || ret=1
+-	$DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
++	$DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
+ 		txt > dig.out.c.ns5.test$n || ret=1
+ 	grep "test string" dig.out.b.ns5.test$n > /dev/null &&
+ 	grep "test string" dig.out.c.ns5.test$n > /dev/null &&
+diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
+index b51e700..436c97d 100644
+--- a/bin/tests/system/nsupdate/ns1/named.conf.in
++++ b/bin/tests/system/nsupdate/ns1/named.conf.in
+@@ -37,7 +37,7 @@ controls {
+ };
+ 
+ key altkey {
+-	algorithm hmac-md5;
++	algorithm hmac-sha512;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
+index da6b3b4..c547e47 100644
+--- a/bin/tests/system/nsupdate/ns2/named.conf.in
++++ b/bin/tests/system/nsupdate/ns2/named.conf.in
+@@ -32,7 +32,7 @@ controls {
+ };
+ 
+ key altkey {
+-	algorithm hmac-md5;
++	algorithm hmac-sha512;
+ 	secret "1234abcd8765";
+ };
+ 
+diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
+index be8c7f8..e465216 100644
+--- a/bin/tests/system/nsupdate/setup.sh
++++ b/bin/tests/system/nsupdate/setup.sh
+@@ -70,7 +70,11 @@ EOF
+ 
+ $TSIGKEYGEN ddns-key.example.nil > ns1/ddns.key
+ 
+-$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
++if $FEATURETEST --md5; then
++	$TSIGKEYGEN -a hmac-md5 md5-key > ns1/md5.key
++else
++	echo -n > ns1/md5.key
++fi
+ $TSIGKEYGEN -a hmac-sha1 sha1-key > ns1/sha1.key
+ $TSIGKEYGEN -a hmac-sha224 sha224-key > ns1/sha224.key
+ $TSIGKEYGEN -a hmac-sha256 sha256-key > ns1/sha256.key
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index 88910f9..56c57db 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -822,7 +822,14 @@ fi
+ n=`expr $n + 1`
+ ret=0
+ echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++if $FEATURETEST --md5
++then
++	ALGS="md5 sha1 sha224 sha256 sha384 sha512"
++else
++	ALGS="sha1 sha224 sha256 sha384 sha512"
++	echo_i "skipping disabled md5 algorithm"
++fi
++for alg in $ALGS; do
+     $NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
+ server 10.53.0.1 ${PORT}
+ update add ${alg}.keytests.nil. 600 A 10.10.10.3
+@@ -830,7 +837,7 @@ send
+ END
+ done
+ sleep 2
+-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
++for alg in $ALGS; do
+     $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
+ done
+ if [ $ret -ne 0 ]; then
+diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
+index b7721a3..0204e4d 100644
+--- a/bin/tests/system/rndc/setup.sh
++++ b/bin/tests/system/rndc/setup.sh
+@@ -45,7 +45,7 @@ make_key () {
+             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
+ }
+ 
+-make_key 1 ${EXTRAPORT1} hmac-md5
++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
+ make_key 2 ${EXTRAPORT2} hmac-sha1
+ make_key 3 ${EXTRAPORT3} hmac-sha224
+ make_key 4 ${EXTRAPORT4} hmac-sha256
+diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
+index df3ef3a..eaaffe6 100644
+--- a/bin/tests/system/rndc/tests.sh
++++ b/bin/tests/system/rndc/tests.sh
+@@ -348,15 +348,19 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+ 
+ n=$((n+1))
+-echo_i "testing rndc with hmac-md5 ($n)"
+-ret=0
+-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
+-for i in 2 3 4 5 6
+-do
+-        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
+-done
+-if [ $ret != 0 ]; then echo_i "failed"; fi
+-status=$((status+ret))
++if $FEATURETEST --md5
++	echo_i "testing rndc with hmac-md5 ($n)"
++	ret=0
++	$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
++	for i in 2 3 4 5 6
++	do
++	        $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
++	done
++	if [ $ret != 0 ]; then echo_i "failed"; fi
++	status=$((status+ret))
++else
++	echo_i "skipping rndc with hmac-md5 ($n)"
++fi
+ 
+ n=$((n+1))
+ echo_i "testing rndc with hmac-sha1 ($n)"
+diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
+index 3470c4f..cf539cd 100644
+--- a/bin/tests/system/tsig/ns1/named.conf.in
++++ b/bin/tests/system/tsig/ns1/named.conf.in
+@@ -21,10 +21,7 @@ options {
+ 	notify no;
+ };
+ 
+-key "md5" {
+-	secret "97rnFx24Tfna4mHPfgnerA==";
+-	algorithm hmac-md5;
+-};
++# md5 key appended by setup.sh at the end
+ 
+ key "sha1" {
+ 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+@@ -51,10 +48,7 @@ key "sha512" {
+ 	algorithm hmac-sha512;
+ };
+ 
+-key "md5-trunc" {
+-	secret "97rnFx24Tfna4mHPfgnerA==";
+-	algorithm hmac-md5-80;
+-};
++# md5-trunc key appended by setup.sh at the end
+ 
+ key "sha1-trunc" {
+ 	secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
+diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
+index 3210f1b..5b5e992 100644
+--- a/bin/tests/system/tsig/setup.sh
++++ b/bin/tests/system/tsig/setup.sh
+@@ -14,3 +14,8 @@
+ $SHELL clean.sh
+ 
+ copy_setports ns1/named.conf.in ns1/named.conf
++
++if $FEATURETEST --md5
++then
++	cat ns1/rndc5.conf.in >> ns1/named.conf
++fi
+diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
+index a9bf42b..f95ee09 100644
+--- a/bin/tests/system/tsig/tests.sh
++++ b/bin/tests/system/tsig/tests.sh
+@@ -25,20 +25,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
+ 
+ status=0
+ 
+-echo_i "fetching using hmac-md5 (old form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
+-fi
++if $FEATURETEST --md5
++then
++	echo_i "fetching using hmac-md5 (old form)"
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
++	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
+ 
+-echo_i "fetching using hmac-md5 (new form)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
++	echo_i "fetching using hmac-md5 (new form)"
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
++	grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++else
++	echo_i "skipping using hmac-md5"
+ fi
+ 
+ echo_i "fetching using hmac-sha1"
+@@ -86,12 +91,17 @@ fi
+ #	Truncated TSIG
+ #
+ #
+-echo_i "fetching using hmac-md5 (trunc)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++	echo_i "fetching using hmac-md5 (trunc)"
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
++	grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++else
++	echo_i "skipping using hmac-md5 (trunc)"
+ fi
+ 
+ echo_i "fetching using hmac-sha1 (trunc)"
+@@ -140,12 +150,17 @@ fi
+ #	Check for bad truncation.
+ #
+ #
+-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+-ret=0
+-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+-if [ $ret -eq 1 ] ; then
+-	echo_i "failed"; status=1
++if $FEATURETEST --md5
++then
++	echo_i "fetching using hmac-md5-80 (BADTRUNC)" 
++	ret=0
++	$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
++	grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
++	if [ $ret -eq 1 ] ; then
++		echo_i "failed"; status=1
++	fi
++else
++	echo_i "skipping using hmac-md5-80 (BADTRUNC)" 
+ fi
+ 
+ echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
+diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
+index 3873c7c..b359a5a 100644
+--- a/bin/tests/system/upforwd/ns1/named.conf.in
++++ b/bin/tests/system/upforwd/ns1/named.conf.in
+@@ -10,7 +10,7 @@
+  */
+ 
+ key "update.example." {
+-	algorithm "hmac-md5";
++	algorithm "hmac-sha256";
+ 	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+ 
+diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
+index 2011b7f..052170e 100644
+--- a/bin/tests/system/upforwd/tests.sh
++++ b/bin/tests/system/upforwd/tests.sh
+@@ -78,7 +78,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+ 
+ echo_i "updating zone (signed) ($n)"
+ ret=0
+-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
++$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+ server 10.53.0.3 ${PORT}
+ update add updated.example. 600 A 10.10.10.1
+ update add updated.example. 600 TXT Foo
+-- 
+2.31.1
+

bind-9.11-rh1647829-2.patch

@@ -0,0 +1,86 @@
+From fdfc8ad6a1069eea6b012972c972798003d58312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 29 Jan 2019 18:07:44 +0100
+Subject: [PATCH] Fallback to ASCII on output IDN conversion error
+
+It is possible dig used ACE encoded name in locale, which does not
+support converting it to unicode. Instead of fatal error, fallback to
+ACE name on output.
+
+(cherry picked from commit 7f4cb8f9584597fea16de6557124ac8b1bd47440)
+
+Modify idna test to fallback to ACE
+
+Test valid A-label on input would be displayed as A-label on output if
+locale does not allow U-label.
+
+(cherry picked from commit 4ce232f8605bdbe0594ebe5a71383c9d4e6f263b)
+
+Emit warning on IDN output failure
+
+Warning is emitted before any dig headers.
+
+(cherry picked from commit 4b410038c531fbb902cd5fb83174eed1f06cb7d7)
+---
+ bin/dig/dighost.c              | 15 +++++++++++++--
+ bin/tests/system/idna/tests.sh | 17 +++++++++++++++++
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index 73aaab8..375f99f 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -4877,9 +4877,20 @@ idn_ace_to_locale(const char *from, char *to, size_t tolen) {
+ 	 */
+ 	res = idn2_to_unicode_8zlz(utf8_src, &tmp_str, 0);
+ 	if (res != IDN2_OK) {
+-		fatal("Cannot represent '%s' in the current locale (%s), "
+-		      "use +noidnout or a different locale",
++		static bool warned = false;
++
++		res = idn2_to_ascii_8z(utf8_src, &tmp_str, 0);
++		if (res != IDN2_OK) {
++			fatal("Cannot represent '%s' "
++			      "in the current locale nor ascii (%s), "
++			      "use +noidnout or a different locale",
+ 		      from, idn2_strerror(res));
++		} else if (!warned) {
++			fprintf(stderr, ";; Warning: cannot represent '%s' "
++			      "in the current locale",
++			      tmp_str);
++			warned = true;
++		}
+ 	}
+ 
+ 	/*
+diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
+index 7acb0fa..0269bcd 100644
+--- a/bin/tests/system/idna/tests.sh
++++ b/bin/tests/system/idna/tests.sh
+@@ -244,6 +244,23 @@ idna_enabled_test() {
+     idna_test "$text" "+idnin +noidnout"   "xn--nxasmq6b.com" "xn--nxasmq6b.com."
+     idna_test "$text" "+idnin +idnout"     "xn--nxasmq6b.com" "βόλοσ.com."
+ 
++    # Test of valid A-label in locale that cannot display it
++    #
++    # +noidnout: The string is sent as-is to the server and the returned qname
++    #            is displayed in the same form.
++    # +idnout:   The string is sent as-is to the server and the returned qname
++    #            is displayed as the corresponding A-label.
++    #
++    # The "+[no]idnout" flag has no effect in these cases.
++    text="Checking valid A-label in C locale"
++    label="xn--nxasmq6b.com"
++    LC_ALL=C idna_test "$text" ""                   "$label" "$label."
++    LC_ALL=C idna_test "$text" "+noidnin +noidnout" "$label" "$label."
++    LC_ALL=C idna_test "$text" "+noidnin +idnout"   "$label" "$label."
++    LC_ALL=C idna_test "$text" "+idnin +noidnout"   "$label" "$label."
++    LC_ALL=C idna_test "$text" "+idnin +idnout"     "$label" "$label."
++    LC_ALL=C idna_test "$text" "+noidnin +idnout"   "$label" "$label."
++
+ 
+ 
+     # Tests of invalid A-labels
+-- 
+2.20.1
+

bind-9.11-rh1768258.patch

@@ -0,0 +1,28 @@
+From 3466dfd7d44940821f195a36fceb0f1100f77c4e Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 5 Nov 2019 12:56:18 +1100
+Subject: [PATCH] The default geoip-directory should be
+ <MAXMINDDB_PREFIX>/share/GeoIP
+
+(cherry picked from commit fcd765a59db9b9a2b187448a90f3dbe6aa72fb84)
+(cherry picked from commit 7e79ebeebada6bcca81e8368eef72efbaae3c8c7)
+---
+ bin/named/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index 833c1dc9d3..63da4b03f6 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -72,7 +72,7 @@ options {\n\
+ "	files unlimited;\n"
+ #endif
+ #if defined(HAVE_GEOIP2) && !defined(WIN32)
+-"	geoip-directory \"" MAXMINDDB_PREFIX "/share/GeoIP2\";\n"
++"	geoip-directory \"" MAXMINDDB_PREFIX "/share/GeoIP\";\n"
+ #elif defined(HAVE_GEOIP2)
+ "	geoip-directory \".\";\n"
+ #endif
+-- 
+2.20.1
+

bind-9.11.12.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMooACgkQdLtrmky7
+PThv2RAAnXNLYTzXtH6ls29tRm5Hc+D6UaeqcWDNQ4BpkRVhrFxtukalGCi9mmB6
+NPJzFyXmaOW654pypCIuEgqJNFUpDtLzLzT7SUF+mhm+5plsaRSBnh4mq87l5KSp
+twODAPnfCJV+HBk5RmToLEstAbGQ7xEBTyQtZoFkY+V7zEFwENKiCvWsoSWOkYR3
+zXo3sKjc83HV9ShbW/mCtbZf5L0qlbrKOAzqJfAFMhNNJi8kMbmr/Zi2sIfN+Rhv
+g8HQo89Epv6r51yAdeED8idIX4rKjjcEtHrZeDmLdCcdHgSEj2sIlH92Joce6vL0
+S59A0rItIXm6fW8sz6WNpcj4tVtWYbIYjXZ4SPFNkaUrHv8cUekq+5vbI+v07Gh3
+2bhtDsDyTY5I1/AsY/EFmwkCAjUS00jZryBnuJpLB3v5JtUog4ek32yLBzPrqRBo
+1876j4nlXAia8mG0OgJNWZ0gHyUPe/TgfR8fQDLmHxHHlKrJNTEwY6bLW8jzFTX1
+zk510fI1K7J9tiQgf5wcBQ2h3EBlqzDNIJDovoATzLYIf0HKyVegh/vnQdtdEhUR
+1DzJAt3bsBfAP1AFfWPD/ACu5Zdm7SxY1wE/pjkwttDU3sRZqOfuwNBGeolu3cVN
+O9/h1zsyVeVS0ui2vu4+V4EvNitmXsVbG2doDq9L5yBiIKGO2Ew=
+=GCy6
+-----END PGP SIGNATURE-----

bind-9.14-json-c.patch

@@ -0,0 +1,95 @@
+From 0698eb93f6e618d2882ae2c8758c5fa87524bea6 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 23 Jul 2019 12:10:39 +0200
+Subject: [PATCH] Allow explicitly using json-c but not libjson
+
+Separate detection of json support. Allows explicit use of json-c when
+jsoncpp package is found. Have to use --without-libjson --with-json-c.
+---
+ configure.ac | 52 +++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 41 insertions(+), 11 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f7978e4..40b4f9f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1331,7 +1331,6 @@ AC_ARG_WITH(libjson,
+ 	    use_libjson="$withval", use_libjson="auto")
+ 
+ have_libjson=""
+-have_libjson_c=""
+ case "$use_libjson" in
+ 	no)
+ 		libjson_libs=""
+@@ -1347,7 +1346,43 @@ case "$use_libjson" in
+ 					LIBS="$LIBS -L${d}/lib"
+ 				fi
+ 				have_libjson="yes"
+-			elif test -f "${d}/include/json-c/json.h"
++			fi
++		done
++		;;
++	*)
++		if test -f "${use_libjson}/include/json/json.h"
++		then
++			libjson_cflags="-I${use_libjson}/include"
++			LIBS="$LIBS -L${use_libjson}/lib"
++			have_libjson="yes"
++		else
++			AC_MSG_ERROR([$use_libjson/include/json/json.h not found.])
++		fi
++		;;
++esac
++
++#
++# was --with-json-c specified?
++#
++AC_ARG_WITH(json-c,
++	    AS_HELP_STRING([--with-json-c[=PATH]],
++			   [build with json-c library [yes|no|path]]),
++	    use_json_c="$withval", use_json_c="$use_libjson")
++
++if test "X${have_libjson}" != "X"
++then
++	# Do not use if libjson were found
++	use_json_c=no
++fi
++
++have_libjson_c=""
++case "$use_json_c" in
++	no)
++		;;
++	auto|yes)
++		for d in /usr /usr/local /opt/local
++		do
++			if test -f "${d}/include/json-c/json.h"
+ 			then
+ 				if test ${d} != /usr
+ 				then
+@@ -1360,19 +1395,14 @@ case "$use_libjson" in
+ 		done
+ 		;;
+ 	*)
+-		if test -f "${use_libjson}/include/json/json.h"
+-		then
+-			libjson_cflags="-I${use_libjson}/include"
+-			LIBS="$LIBS -L${use_libjson}/lib"
+-			have_libjson="yes"
+-		elif test -f "${use_libjson}/include/json-c/json.h"
++		if test -f "${use_json_c}/include/json-c/json.h"
+ 		then
+-			libjson_cflags="-I${use_libjson}/include"
+-			LIBS="$LIBS -L${use_libjson}/lib"
++			libjson_cflags="-I${use_json_c}/include"
++			LIBS="$LIBS -L${use_json_c}/lib"
+ 			have_libjson="yes"
+ 			have_libjson_c="yes"
+ 		else
+-			AC_MSG_ERROR([$use_libjson/include/json{,-c}/json.h not found.])
++			AC_MSG_ERROR([$use_json_c/include/json-c/json.h not found.])
+ 		fi
+ 		;;
+ esac
+-- 
+2.20.1
+

bind-9.14.7.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABAgAdFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAl2WMpEACgkQdLtrmky7
+PTh/sg//QbNRAQvADQfwF1PPo+JxB+3WzQ9oJAWeHbOoiubwkUwO9xE+BEnTNd5o
+oM1lSLqFxNykOTaoeJlqPftPod1cxo7lSzkwflugGyB/59wliCpqCg053YV4x9mO
+QggvA/E50+0FI/Om/7v4GHGADu/JE83FovOueWAB0LgqfDSD6QFcNFF9sUJJ4P7r
+FcEXSWj8QbrHMWBKncZUOpD2ECotvtrYmi0DTHl1XfigESDQpWtsnTFuabCCsvkh
+ch9wQRplAes2Mf/aS5tl1y0QKKBFuEjtGiTdgrDl6o9GLnx6CueX5saZehu2EVkr
+fq2vEYUC2lRQSjuxSMMJ3L0TGUcl7+ixlAIISS2K9L5Xx7MhBXt/EH5KiKPfsEet
+3EH+DhxV5uXjDU7MgvREnxT+ssV23e0HWTz4tVVQ9LpvYmWPIgLcSOhHCc57yoQF
+c46V0f69dMWbMAlQ93EZSG274ZvpIszpK8+3hGI3/TuDFFgiQJeJJBFVtYJMle69
+3mEEclfzO7fBiXZFec6nVx2309bL64bafN7zszPKXl4XgoefOfD0v0eWqQT4fxfm
+dnGC0qMqSZs5F+d0fISV5JUUNYzt9PZjvnzqLLGOeTF6l3/n9G1mmNsXcxJ1OEIF
+6qh1oO7JTPjt0MFhKac4QjNQi/Bnp25O3I/PRyWZCbiwXkyvyQU=
+=ZT7s
+-----END PGP SIGNATURE-----

bind-9.16-redhat_doc.patch

@@ -0,0 +1,65 @@
+From baec1c0c1822d3ba89cc7e5e530888c865a899f7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 17 Jun 2020 23:17:13 +0200
+Subject: [PATCH] Update man named with Red Hat specifics
+
+This is almost unmodified text and requires revalidation. Some of those
+statements are no longer correct.
+---
+ bin/named/named.rst | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/bin/named/named.rst b/bin/named/named.rst
+index 3fa96e0..4390e73 100644
+--- a/bin/named/named.rst
++++ b/bin/named/named.rst
+@@ -236,6 +236,46 @@ Files
+ ``/var/run/named/named.pid``
+    The default process-id file.
+ 
++Notes
++~~~~~
++
++**Red Hat SELinux BIND Security Profile:**
++
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities . See the selinux(8) man page
++for information about SElinux.
++
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++
++*With this extra security comes some restrictions:*
++
++By default, the SELinux policy does not allow named to write any master
++zone database files. Only the root user may create files in the $ROOTDIR/var/named
++zone database file directory (the options { "directory" } option), where
++$ROOTDIR is set in /etc/sysconfig/named.
++
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context *named_zone_t* .
++
++By default, SELinux prevents any role from modifying *named_zone_t* files; this
++means that files in the zone database directory cannot be modified by dynamic
++DNS (DDNS) updates or zone transfers.
++
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
++*/var/named/data*. By placing files you want named to modify, such as
++slave or DDNS updateable zone files and database / statistics dump files in
++these directories, named will work normally and no further operator action is
++required. Files in these directories are automatically assigned the '*named_cache_t*'
++file context, which SELinux allows named to write.
++
+ See Also
+ ~~~~~~~~
+ 
+-- 
+2.31.1
+

bind-9.17-dist-native-pkcs11.patch

@@ -0,0 +1,508 @@
+From f11331c0b021196f18a51cfde203d8d221beb865 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Sun, 23 Aug 2020 00:54:23 +0200
+Subject: [PATCH] Modify build to create also pkcs11 version
+
+---
+ Makefile.top                     | 19 ++++++++++
+ bin/Makefile.am                  |  2 ++
+ bin/dnssec-pkcs11/Makefile.am    | 56 ++++++++++++++++++++++-------
+ bin/named-pkcs11/Makefile.am     | 18 +++++-----
+ configure.ac                     |  7 ++++
+ lib/Makefile.am                  |  1 +
+ lib/dns-pkcs11/Makefile.am       | 62 ++++++++++++++++----------------
+ lib/dns-pkcs11/tests/Makefile.am |  4 +--
+ lib/ns-pkcs11/Makefile.am        | 22 ++++++------
+ lib/ns-pkcs11/tests/Makefile.am  |  8 ++---
+ 10 files changed, 129 insertions(+), 70 deletions(-)
+
+diff --git a/Makefile.top b/Makefile.top
+index 140ab44..a2410b2 100644
+--- a/Makefile.top
++++ b/Makefile.top
+@@ -42,14 +42,26 @@ LIBDNS_CFLAGS = \
+ LIBDNS_LIBS = \
+ 	$(top_builddir)/lib/dns/libdns.la
+ 
++LIBDNS_PKCS11_CFLAGS = \
++	-DUSE_PKCS11					\
++	-I$(top_srcdir)/lib/dns-pkcs11/include		\
++	-I$(top_builddir)/lib/dns-pkcs11/include
++
++LIBDNS_PKCS11_LIBS = \
++	$(top_builddir)/lib/dns-pkcs11/libdns-pkcs11.la
++
+ if HAVE_DNSTAP
+ LIBDNS_CFLAGS +=					\
+ 	$(DNSTAP_CFLAGS)
++LIBDNS_PKCS11_CFLAGS +=					\
++	$(DNSTAP_CFLAGS)
+ endif HAVE_DNSTAP
+ 
+ if HAVE_LMDB
+ LIBDNS_CFLAGS +=					\
+ 	$(LMDB_CFLAGS)
++LIBDNS_PKCS11_CFLAGS +=					\
++	$(LMDB_CFLAGS)
+ endif HAVE_LMDB
+ 
+ LIBNS_CFLAGS = \
+@@ -58,6 +70,13 @@ LIBNS_CFLAGS = \
+ LIBNS_LIBS = \
+ 	$(top_builddir)/lib/ns/libns.la
+ 
++LIBNS_PKCS11_CFLAGS = \
++	-I$(top_srcdir)/lib/ns-pkcs11/include		\
++	-DUSE_PKCS11
++
++LIBNS_PKCS11_LIBS = \
++	$(top_builddir)/lib/ns-pkcs11/libns-pkcs11.la
++
+ LIBIRS_CFLAGS = \
+ 	-I$(top_srcdir)/lib/irs/include
+ 
+diff --git a/bin/Makefile.am b/bin/Makefile.am
+index 296a022..bf0a68c 100644
+--- a/bin/Makefile.am
++++ b/bin/Makefile.am
+@@ -3,3 +3,5 @@ SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
+ if HAVE_PKCS11
+ SUBDIRS += pkcs11
+ endif
++
++SUBDIRS += named-pkcs11 dnssec-pkcs11
+diff --git a/bin/dnssec-pkcs11/Makefile.am b/bin/dnssec-pkcs11/Makefile.am
+index 7aeaccc..efcc90b 100644
+--- a/bin/dnssec-pkcs11/Makefile.am
++++ b/bin/dnssec-pkcs11/Makefile.am
+@@ -2,37 +2,67 @@ include $(top_srcdir)/Makefile.top
+ 
+ AM_CPPFLAGS +=			\
+ 	$(LIBISC_CFLAGS)	\
+-	$(LIBDNS_CFLAGS)
++	$(LIBDNS_PKCS11_CFLAGS)
+ 
+ AM_CPPFLAGS +=						\
+-	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
++	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"	\
++	-DUSE_PKCS11=1
++
++EXEEXT = -pkcs11
+ 
+ noinst_LTLIBRARIES = libdnssectool.la
+ 
+ LDADD =				\
+ 	libdnssectool.la	\
+ 	$(LIBISC_LIBS)		\
+-	$(LIBDNS_LIBS)
++	$(LIBDNS_PKCS11_LIBS)
+ 
+ bin_PROGRAMS = \
+ 	dnssec-cds		\
+-	dnssec-dsfromkey	\
+-	dnssec-importkey	\
+-	dnssec-keyfromlabel	\
+-	dnssec-keygen		\
+-	dnssec-revoke		\
+-	dnssec-settime		\
+-	dnssec-signzone		\
+-	dnssec-verify
++	dnssec-dsfromkey-pkcs11	\
++	dnssec-importkey-pkcs11	\
++	dnssec-keyfromlabel-pkcs11	\
++	dnssec-keygen-pkcs11		\
++	dnssec-revoke-pkcs11		\
++	dnssec-settime-pkcs11		\
++	dnssec-signzone-pkcs11		\
++	dnssec-verify-pkcs11
+ 
+ libdnssectool_la_SOURCES =	\
+ 	dnssectool.h		\
+ 	dnssectool.c
+ 
+-dnssec_keygen_CPPFLAGS =	\
++dnssec_keygen_pkcs11_CPPFLAGS =	\
+ 	$(AM_CPPFLAGS)		\
+ 	$(LIBISCCFG_CFLAGS)
+ 
+-dnssec_keygen_LDADD =		\
++dnssec_keygen_pkcs11_LDADD =		\
+ 	$(LDADD)		\
+ 	$(LIBISCCFG_LIBS)
++
++dnssec_cds_pkcs11_SOURCES = \
++	dnssec-cds.c
++
++dnssec_keygen_pkcs11_SOURCES = \
++	dnssec-keygen.c
++
++dnssec_dsfromkey_pkcs11_SOURCES = \
++	dnssec-dsfromkey.c
++
++dnssec_importkey_pkcs11_SOURCES = \
++	dnssec-importkey.c
++
++dnssec_keyfromlabel_pkcs11_SOURCES = \
++	dnssec-keyfromlabel.c
++
++dnssec_revoke_pkcs11_SOURCES =		\
++	dnssec-revoke.c
++
++dnssec_settime_pkcs11_SOURCES = \
++	dnssec-settime.c
++
++dnssec_signzone_pkcs11_SOURCES = \
++	dnssec-signzone.c
++
++dnssec_verify_pkcs11_SOURCES = \
++	dnssec-verify.c
+diff --git a/bin/named-pkcs11/Makefile.am b/bin/named-pkcs11/Makefile.am
+index 90ebc3a..c6b992c 100644
+--- a/bin/named-pkcs11/Makefile.am
++++ b/bin/named-pkcs11/Makefile.am
+@@ -4,8 +4,8 @@ AM_CPPFLAGS +=				\
+ 	-I$(srcdir)/unix/include	\
+ 	-I$(top_builddir)/include	\
+ 	$(LIBISC_CFLAGS)		\
+-	$(LIBDNS_CFLAGS)		\
+-	$(LIBNS_CFLAGS)			\
++	$(LIBDNS_PKCS11_CFLAGS)		\
++	$(LIBNS_PKCS11_CFLAGS)			\
+ 	$(LIBISCCC_CFLAGS)		\
+ 	$(LIBISCCFG_CFLAGS)		\
+ 	$(LIBBIND9_CFLAGS)		\
+@@ -32,7 +32,7 @@ AM_CPPFLAGS +=						\
+ 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
+ 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+ 
+-sbin_PROGRAMS = named
++sbin_PROGRAMS = named-pkcs11
+ 
+ bin_PROGRAMS =		\
+ 	feature-test		\
+@@ -58,7 +58,7 @@ xsl.c: bind9.xsl Makefile
+ 	 echo ";")				\
+ 	< "${srcdir}/bind9.xsl" > $@
+ 
+-named_SOURCES =				\
++named_pkcs11_SOURCES =				\
+ 	builtin.c			\
+ 	config.c			\
+ 	control.c			\
+@@ -97,14 +97,14 @@ named_SOURCES =				\
+ if HAVE_GEOIP2
+ AM_CPPFLAGS +=					\
+ 	-DMAXMINDDB_PREFIX=\"@MAXMINDDB_PREFIX@\"
+-named_SOURCES +=	\
++named_pkcs11_SOURCES +=	\
+ 	geoip.c
+ endif
+ 
+-named_LDADD =					\
++named_pkcs11_LDADD =					\
+ 	$(LIBISC_LIBS)				\
+-	$(LIBDNS_LIBS)				\
+-	$(LIBNS_LIBS)				\
++	$(LIBDNS_PKCS11_LIBS)			\
++	$(LIBNS_PKCS11_LIBS)			\
+ 	$(LIBISCCC_LIBS)			\
+ 	$(LIBISCCFG_LIBS)			\
+ 	$(LIBBIND9_LIBS)			\
+@@ -118,7 +118,7 @@ named_LDADD =					\
+ 	$(ZLIB_LIBS)
+ 
+ if HAVE_JSON_C
+-named_LDADD +=					\
++named_pkcs11_LDADD +=					\
+ 	$(JSON_C_LIBS)
+ endif HAVE_JSON_C
+ 
+diff --git a/configure.ac b/configure.ac
+index fcb7cfd..36040f5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1672,6 +1672,13 @@ AC_CONFIG_FILES([bin/tests/Makefile
+ 		 bin/tests/system/dyndb/driver/Makefile
+ 		 bin/tests/system/dlzexternal/driver/Makefile])
+ 
++# PKCS11 binaries
++AC_CONFIG_FILES([bin/dnssec-pkcs11/Makefile
++		 bin/named-pkcs11/Makefile
++		 lib/dns-pkcs11/Makefile
++		 lib/ns-pkcs11/Makefile
++		 lib/ns-pkcs11/tests/Makefile])
++
+ AC_CONFIG_FILES([bin/tests/system/ifconfig.sh],
+ 		[chmod +x bin/tests/system/ifconfig.sh])
+ AC_CONFIG_FILES([bin/tests/system/run.sh],
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 5cbaf3c..43ea73c 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -1,3 +1,4 @@
+ include $(top_srcdir)/Makefile.top
+ 
+ SUBDIRS = isc dns isccc ns isccfg bind9 irs samples
++SUBDIRS += dns-pkcs11 ns-pkcs11
+diff --git a/lib/dns-pkcs11/Makefile.am b/lib/dns-pkcs11/Makefile.am
+index 78a2752..0503763 100644
+--- a/lib/dns-pkcs11/Makefile.am
++++ b/lib/dns-pkcs11/Makefile.am
+@@ -1,12 +1,12 @@
+ include $(top_srcdir)/Makefile.top
+ 
+-lib_LTLIBRARIES = libdns.la
++lib_LTLIBRARIES = libdns-pkcs11.la
+ 
+-nodist_libdns_ladir = $(includedir)/dns
++nodist_libdns_ladir = $(includedir)/dns-pkcs11
+ nodist_libdns_la_HEADERS =		\
+-	include/dns/enumclass.h		\
+-	include/dns/enumtype.h		\
+-	include/dns/rdatastruct.h
++	include/dns-pkcs11/enumclass.h		\
++	include/dns-pkcs11/enumtype.h		\
++	include/dns-pkcs11/rdatastruct.h
+ 
+ nodist_libdns_la_SOURCES =		\
+ 	$(nodist_libdns_la_HEADERS)	\
+@@ -48,8 +48,8 @@ include/dns/rdatastruct.h: gen rdata/rdatastructpre.h rdata/rdatastructsuf.h Mak
+ code.h: gen Makefile
+ 	$(builddir)/gen -s $(srcdir) > $@
+ 
+-libdns_ladir = $(includedir)/dns
+-libdns_la_HEADERS =			\
++libdns_pkcs11_ladir = $(includedir)/dns-pkcs11
++libdns_pkcs11_la_HEADERS =			\
+ 	include/dns/acl.h		\
+ 	include/dns/adb.h		\
+ 	include/dns/badcache.h		\
+@@ -154,8 +154,8 @@ dst_HEADERS =				\
+ 	include/dst/gssapi.h		\
+ 	include/dst/result.h
+ 
+-libdns_la_SOURCES =			\
+-	$(libdns_la_HEADERS)		\
++libdns_pkcs11_la_SOURCES =			\
++	$(libdns_pkcs11_la_HEADERS)		\
+ 	$(dst_HEADERS)			\
+ 	acl.c				\
+ 	adb.c				\
+@@ -257,92 +257,92 @@ libdns_la_SOURCES =			\
+ 	zone_p.h
+ 
+ if HAVE_GSSAPI
+-libdns_la_SOURCES +=			\
++libdns_pkcs11_la_SOURCES +=			\
+ 	gssapi_link.c
+ endif
+ 
+ if HAVE_PKCS11
+-libdns_la_SOURCES +=		\
++libdns_pkcs11_la_SOURCES +=		\
+ 	pkcs11.c		\
+ 	pkcs11ecdsa_link.c	\
+ 	pkcs11eddsa_link.c	\
+ 	pkcs11rsa_link.c
+ else !HAVE_PKCS11
+-libdns_la_SOURCES +=		\
++libdns_pkcs11_la_SOURCES +=		\
+ 	opensslecdsa_link.c	\
+ 	openssleddsa_link.c	\
+ 	opensslrsa_link.c
+ endif
+ 
+ if HAVE_GEOIP2
+-libdns_la_SOURCES += \
++libdns_pkcs11_la_SOURCES += \
+ 	geoip2.c
+ endif
+ 
+-libdns_la_CPPFLAGS =		\
++libdns_pkcs11_la_CPPFLAGS =		\
+ 	$(AM_CPPFLAGS)		\
+ 	$(LIBISC_CFLAGS)	\
+-	$(LIBDNS_CFLAGS)	\
++	$(LIBDNS_PKCS11_CFLAGS)	\
+ 	$(OPENSSL_CFLAGS)	\
+ 	$(LIBLTDL_CFLAGS)
+ 
+-libdns_la_LDFLAGS =		\
++libdns_pkcs11_la_LDFLAGS =		\
+ 	$(libdns_VERSION_INFO)
+ 
+-libdns_la_LIBADD =		\
++libdns_pkcs11_la_LIBADD =		\
+ 	$(LIBISC_LIBS)		\
+ 	$(OPENSSL_LIBS)
+ 
+ if HAVE_JSON_C
+-libdns_la_CPPFLAGS +=		\
++libdns_pkcs11_la_CPPFLAGS +=		\
+ 	$(JSON_C_CFLAGS)
+ 
+-libdns_la_LIBADD +=		\
++libdns_pkcs11_la_LIBADD +=		\
+ 	$(JSON_C_LIBS)
+ endif HAVE_JSON_C
+ 
+ if HAVE_LIBXML2
+-libdns_la_CPPFLAGS +=		\
++libdns_pkcs11_la_CPPFLAGS +=		\
+ 	$(LIBXML2_CFLAGS)
+ 
+-libdns_la_LIBADD +=		\
++libdns_pkcs11_la_LIBADD +=		\
+ 	$(LIBXML2_LIBS)
+ endif HAVE_LIBXML2
+ 
+ if HAVE_GSSAPI
+-libdns_la_CPPFLAGS +=		\
++libdns_pkcs11_la_CPPFLAGS +=		\
+ 	$(GSSAPI_CFLAGS)	\
+ 	$(KRB5_CFLAGS)
+-libdns_la_LIBADD +=		\
++libdns_pkcs11_la_LIBADD +=		\
+ 	$(GSSAPI_LIBS)		\
+ 	$(KRB5_LIBS)
+ endif
+ 
+ if HAVE_GEOIP2
+-libdns_la_CPPFLAGS +=		\
++libdns_pkcs11_la_CPPFLAGS +=		\
+ 	$(MAXMINDDB_CFLAGS)
+-libdns_la_LDFLAGS +=		\
++libdns_pkcs11_la_LDFLAGS +=		\
+ 	$(MAXMINDDB_LIBS)
+ endif
+ 
+ if HAVE_DNSTAP
+-nodist_libdns_la_SOURCES +=	\
++nodist_libdns_pkcs11_la_SOURCES +=	\
+ 	dnstap.pb-c.h		\
+ 	dnstap.pb-c.c
+ 
+-libdns_la_SOURCES +=		\
++libdns_pkcs11_la_SOURCES +=		\
+ 	dnstap.c
+ 
+ dnstap.pb-c.h dnstap.pb-c.c: dnstap.proto
+ 	$(PROTOC_C) --proto_path=$(srcdir) --c_out=. dnstap.proto
+ 
+-libdns_la_CPPFLAGS += $(DNSTAP_CFLAGS)
+-libdns_la_LIBADD += $(DNSTAP_LIBS)
++libdns_pkcs11_la_CPPFLAGS += $(DNSTAP_CFLAGS)
++libdns_pkcs11_la_LIBADD += $(DNSTAP_LIBS)
+ endif
+ 
+ if HAVE_LMDB
+-libdns_la_CPPFLAGS += $(LMDB_CFLAGS)
+-libdns_la_LIBADD += $(LMDB_LIBS)
++libdns_pkcs11_la_CPPFLAGS += $(LMDB_CFLAGS)
++libdns_pkcs11_la_LIBADD += $(LMDB_LIBS)
+ endif
+ 
+ if HAVE_CMOCKA
+diff --git a/lib/dns-pkcs11/tests/Makefile.am b/lib/dns-pkcs11/tests/Makefile.am
+index 04ef09c..35b2eac 100644
+--- a/lib/dns-pkcs11/tests/Makefile.am
++++ b/lib/dns-pkcs11/tests/Makefile.am
+@@ -3,7 +3,7 @@ include $(top_srcdir)/Makefile.tests
+ 
+ AM_CPPFLAGS +=				\
+ 	$(LIBISC_CFLAGS)		\
+-	$(LIBDNS_CFLAGS)		\
++	$(LIBDNS_PKCS11_CFLAGS)		\
+ 	$(KRB5_CFLAGS)			\
+ 	-DSRCDIR=\"$(abs_srcdir)\"	\
+ 	-DBUILDDIR=\"$(abs_builddir)\"
+@@ -11,7 +11,7 @@ AM_CPPFLAGS +=				\
+ LDADD +=			\
+ 	libdnstest.la		\
+ 	$(LIBISC_LIBS)		\
+-	$(LIBDNS_LIBS)
++	$(LIBDNS_PKCS11_LIBS)
+ 
+ check_LTLIBRARIES = libdnstest.la
+ libdnstest_la_SOURCES = dnstest.c dnstest.h
+diff --git a/lib/ns-pkcs11/Makefile.am b/lib/ns-pkcs11/Makefile.am
+index b2f81cc..b77b1ee 100644
+--- a/lib/ns-pkcs11/Makefile.am
++++ b/lib/ns-pkcs11/Makefile.am
+@@ -3,11 +3,11 @@ include $(top_srcdir)/Makefile.top
+ AM_CPPFLAGS +=				\
+ 	-DNAMED_PLUGINDIR=\"$(libdir)/named\"
+ 
+-lib_LTLIBRARIES = libns.la
++lib_LTLIBRARIES = libns-pkcs11.la
+ 
+-libns_ladir = $(includedir)/ns
++libns_pkcs11_ladir = $(includedir)/ns
+ 
+-libns_la_HEADERS =			\
++libns_pkcs11_la_HEADERS =			\
+ 	include/ns/client.h		\
+ 	include/ns/hooks.h		\
+ 	include/ns/interfacemgr.h	\
+@@ -23,8 +23,8 @@ libns_la_HEADERS =			\
+ 	include/ns/update.h		\
+ 	include/ns/xfrout.h
+ 
+-libns_la_SOURCES =		\
+-	$(libns_la_HEADERS)	\
++libns_pkcs11_la_SOURCES =		\
++	$(libns_pkcs11_la_HEADERS)	\
+ 	client.c		\
+ 	hooks.c			\
+ 	interfacemgr.c		\
+@@ -39,18 +39,18 @@ libns_la_SOURCES =		\
+ 	update.c		\
+ 	xfrout.c
+ 
+-libns_la_CPPFLAGS =				\
++libns_pkcs11_la_CPPFLAGS =				\
+ 	$(AM_CPPFLAGS)				\
+ 	$(LIBISC_CFLAGS)			\
+-	$(LIBDNS_CFLAGS)			\
+-	$(LIBNS_CFLAGS)				\
++	$(LIBDNS_PKCS11_CFLAGS)			\
++	$(LIBNS_PKCS11_CFLAGS)				\
+ 	$(LIBLTDL_CFLAGS)
+ 
+-libns_la_LIBADD =	\
++libns_pkcs11_la_LIBADD =	\
+ 	$(LIBISC_LIBS)	\
+-	$(LIBDNS_LIBS)
++	$(LIBDNS_PKCS11_LIBS)
+ 
+-libns_la_LDFLAGS =		\
++libns_pkcs11_la_LDFLAGS =		\
+ 	$(libns_VERSION_INFO)
+ 
+ if HAVE_CMOCKA
+diff --git a/lib/ns-pkcs11/tests/Makefile.am b/lib/ns-pkcs11/tests/Makefile.am
+index 092360c..b07c9f7 100644
+--- a/lib/ns-pkcs11/tests/Makefile.am
++++ b/lib/ns-pkcs11/tests/Makefile.am
+@@ -3,14 +3,14 @@ include $(top_srcdir)/Makefile.tests
+ 
+ AM_CPPFLAGS +=			\
+ 	$(LIBISC_CFLAGS)	\
+-	$(LIBDNS_CFLAGS)	\
+-	$(LIBNS_CFLAGS)
++	$(LIBDNS_PKCS11_CFLAGS)	\
++	$(LIBNS_PKCS11_CFLAGS)
+ 
+ LDADD +=			\
+ 	libnstest.la		\
+ 	$(LIBISC_LIBS)		\
+-	$(LIBDNS_LIBS)		\
+-	$(LIBNS_LIBS)
++	$(LIBDNS_PKCS11_LIBS)		\
++	$(LIBNS_PKCS11_LIBS)
+ 
+ check_LTLIBRARIES = libnstest.la
+ libnstest_la_SOURCES = nstest.c nstest.h
+-- 
+2.26.2
+

bind-9.5-PIE.patch

@@ -0,0 +1,20 @@
+diff --git a/bin/named/Makefile.am b/bin/named/Makefile.am
+index 7065a90..e2e485b 100644
+--- a/bin/named/Makefile.am
++++ b/bin/named/Makefile.am
+@@ -32,6 +32,7 @@ AM_CPPFLAGS +=				\
+ endif HAVE_LIBXML2
+ 
+ AM_CPPFLAGS +=						\
++	-fpie                                           \
+ 	-DNAMED_LOCALSTATEDIR=\"${localstatedir}\"	\
+ 	-DNAMED_SYSCONFDIR=\"${sysconfdir}\"
+ 
+@@ -122,5 +123,7 @@ named_LDADD +=					\
+ 	$(LIBNGHTTP2_LIBS)
+ endif HAVE_LIBNGHTTP2
+ 
++AM_LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
++
+ MAINTAINERCLEANFILES =				\
+ 	named.conf.rst

bind.tmpfiles.d

@@ -0,0 +1 @@
+d /run/named 0755 named named -

bind93-rh490837.patch

@@ -0,0 +1,34 @@
+diff --git a/lib/isc/errno2result.c b/lib/isc/errno2result.c
+index 623ac6d..7f34e45 100644
+--- a/lib/isc/errno2result.c
++++ b/lib/isc/errno2result.c
+@@ -36,6 +36,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
+ 	case EINVAL: /* XXX sometimes this is not for files */
+ 	case ENAMETOOLONG:
+ 	case EBADF:
++	case EISDIR:
+ 		return (ISC_R_INVALIDFILE);
+ 	case ENOENT:
+ 		return (ISC_R_FILENOTFOUND);
+diff --git a/lib/isc/lex.c b/lib/isc/lex.c
+index 8ab3682..b198000 100644
+--- a/lib/isc/lex.c
++++ b/lib/isc/lex.c
+@@ -27,6 +27,8 @@
+ #include <isc/string.h>
+ #include <isc/util.h>
+ 
++#include "errno2result.h"
++
+ typedef struct inputsource {
+ 	isc_result_t result;
+ 	bool is_file;
+@@ -425,7 +427,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
+ #endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
+ 				if (c == EOF) {
+ 					if (ferror(stream)) {
+-						source->result = ISC_R_IOERROR;
++						source->result = isc__errno2result(errno);
+ 						result = source->result;
+ 						goto done;
+ 					}

bind97-exportlib.patch

@@ -0,0 +1,226 @@
+diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
+diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
+--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/dns/Makefile.in	2013-05-13 10:45:22.574089729 +0200
+@@ -35,9 +35,9 @@ CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_
+ 
+ CWARNINGS =
+ 
+-ISCLIBS =	../isc/libisc.@A@
++ISCLIBS =	../isc/libisc-export.@A@
+ 
+-ISCDEPLIBS =	../isc/libisc.@A@
++ISCDEPLIBS =	../isc/libisc-export.@A@
+ 
+ LIBS =		@LIBS@
+ 
+@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libdns.@SA@: ${OBJS}
++libdns-export.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libdns.la: ${OBJS}
++libdns-export.la: ${OBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ 
+-timestamp: libdns.@A@
++timestamp: libdns-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
+ 	${DESTDIR}${export_libdir}/
+ 
+ clean distclean::
+-	rm -f libdns.@A@ timestamp
++	rm -f libdns-export.@A@ timestamp
+ 	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ 	rm -f include/dns/rdatastruct.h
+ 
+diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
+--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/irs/Makefile.in	2013-05-13 10:45:22.575089729 +0200
+@@ -43,9 +43,9 @@ SRCS =		context.c \
+ 		gai_sterror.c getaddrinfo.c getnameinfo.c \
+ 		resconf.c
+ 
+-ISCLIBS =	../isc/libisc.@A@
+-DNSLIBS =	../dns/libdns.@A@
+-ISCCFGLIBS =	../isccfg/libisccfg.@A@
++ISCLIBS =	../isc/libisc-export.@A@
++DNSLIBS =	../dns/libdns-export.@A@
++ISCCFGLIBS =	../isccfg/libisccfg-export.@A@
+ 
+ LIBS =		@LIBS@
+ 
+@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libirs.@SA@: ${OBJS} version.@O@
++libirs-export.@SA@: ${OBJS} version.@O@
+ 	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+ 	${RANLIB} $@
+ 
+-libirs.la: ${OBJS} version.@O@
++libirs-export.la: ${OBJS} version.@O@
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
+ 
+-timestamp: libirs.@A@
++timestamp: libirs-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \
+ 	${DESTDIR}${export_libdir}/
+ 
+ clean distclean::
+-	rm -f libirs.@A@ libirs.la timestamp
++	rm -f libirs-export.@A@ libirs-export.la timestamp
+diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
+--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in	2013-05-13 10:45:22.576089729 +0200
+@@ -30,11 +30,11 @@ CINCLUDES =	-I. ${DNS_INCLUDES} -I${expo
+ CDEFINES =
+ CWARNINGS =
+ 
+-ISCLIBS =	../isc/libisc.@A@
+-DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
++ISCLIBS =	../isc/libisc-export.@A@
++DNSLIBS =	../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
+ 
+ ISCDEPLIBS =	../../lib/isc/libisc.@A@
+-ISCCFGDEPLIBS =	libisccfg.@A@
++ISCCFGDEPLIBS =	libisccfg-export.@A@
+ 
+ LIBS =		@LIBS@
+ 
+@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libisccfg.@SA@: ${OBJS}
++libisccfg-export.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libisccfg.la: ${OBJS}
++libisccfg-export.la: ${OBJS}
+ 	 ${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
+ 
+-timestamp: libisccfg.@A@
++timestamp: libisccfg-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \
+ 	${DESTDIR}${export_libdir}/
+ 
+ clean distclean::
+-	rm -f libisccfg.@A@ timestamp
++	rm -f libisccfg-export.@A@ timestamp
+diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
+--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/isc/Makefile.in	2013-05-13 10:45:22.576089729 +0200
+@@ -100,6 +100,10 @@ SRCS =		@ISC_EXTRA_SRCS@ \
+ 
+ LIBS =		@LIBS@
+ 
++# Note: the order of SUBDIRS is important.
++# Attempt to disable parallel processing.
++.NOTPARALLEL:
++.NO_PARALLEL:
+ SUBDIRS =	include unix nls @ISC_THREAD_DIR@
+ TARGETS =	timestamp
+ 
+@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c
+ 		-DLIBAGE=${LIBAGE} \
+ 		-c ${srcdir}/version.c
+ 
+-libisc.@SA@: ${OBJS}
++libisc-export.@SA@: ${OBJS}
+ 	${AR} ${ARFLAGS} $@ ${OBJS}
+ 	${RANLIB} $@
+ 
+-libisc.la: ${OBJS}
++libisc-export.la: ${OBJS}
+ 	${LIBTOOL_MODE_LINK} \
+-		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
++		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
+ 		-rpath ${export_libdir} \
+ 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ 		${OBJS} ${LIBS}
+ 
+-timestamp: libisc.@A@
++timestamp: libisc-export.@A@
+ 	touch timestamp
+ 
+ installdirs:
+ 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
+ 
+ install:: timestamp installdirs
+-	${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
++	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
+ 	${DESTDIR}${export_libdir}
+ 
+ clean distclean::
+-	rm -f libisc.@A@ libisc.la timestamp
++	rm -f libisc-export.@A@ libisc-export.la timestamp
+diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
+--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib	2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/samples/Makefile.in	2013-05-13 10:45:22.577089729 +0200
+@@ -31,15 +31,15 @@ CINCLUDES =	-I${srcdir}/include -I../dns
+ CDEFINES =
+ CWARNINGS =
+ 
+-DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+-ISCLIBS =	../isc/libisc.@A@
+-ISCCFGLIBS =	../isccfg/libisccfg.@A@
+-IRSLIBS =	../irs/libirs.@A@
++DNSLIBS =	../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
++ISCLIBS =	../isc/libisc-export.@A@
++ISCCFGLIBS =	../isccfg/libisccfg-export.@A@
++IRSLIBS =	../irs/libirs-export.@A@
+ 
+-DNSDEPLIBS =	../dns/libdns.@A@
+-ISCDEPLIBS =	../isc/libisc.@A@
+-ISCCFGDEPLIBS =	../isccfg/libisccfg.@A@
+-IRSDEPLIBS =	../irs/libirs.@A@
++DNSDEPLIBS =	../dns/libdns-export.@A@
++ISCDEPLIBS =	../isc/libisc-export.@A@
++ISCCFGDEPLIBS =	../isccfg/libisccfg-export.@A@
++IRSDEPLIBS =	../irs/libirs-export.@A@
+ 
+ DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+ 

bind97-rh645544.patch

@@ -0,0 +1,31 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index edbe344..a7a2c53 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -1719,7 +1719,7 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
+ 	if (result == ISC_R_SUCCESS) {
+ 		if (fctx->qmin_warning != ISC_R_SUCCESS) {
+ 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+-				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++				      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ 				      "success resolving '%s' "
+ 				      "after disabling qname minimization due "
+ 				      "to '%s'",
+@@ -4929,7 +4929,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
+ 	dns_name_format(fctx->domain, domainbuf, sizeof(domainbuf));
+ 	isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+ 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
++		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ 		      "lame server resolving '%s' (in '%s'?): %s", namebuf,
+ 		      domainbuf, addrbuf);
+ }
+@@ -4947,7 +4947,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
+ 	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
+ 
+ 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
++		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
+ 		      "DNS format error from %s resolving %s for %s: %s", nsbuf,
+ 		      fctx->info, fctx->clientstr, msgbuf);
+ }

bind99-rh640538.patch

@@ -0,0 +1,44 @@
+diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
+index 1079421..f11abd1 100644
+--- a/bin/dig/dig.docbook
++++ b/bin/dig/dig.docbook
+@@ -1177,6 +1177,39 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+     </para>
+   </refsection>
+ 
++  <refsection><info><title>RETURN CODES</title></info>
++    <para>
++      <command>Dig</command> return codes are:
++      <variablelist>
++        <varlistentry>
++          <listitem>
++            <para>0: Everything went well, including things like NXDOMAIN</para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <listitem>
++            <para>1: Usage error</para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <listitem>
++            <para>8: Couldn't open batch file</para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <listitem>
++            <para>9: No reply from server</para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <listitem>
++            <para>10: Internal error</para>
++          </listitem>
++        </varlistentry>
++      </variablelist>
++    </para>
++  </refsection>
++
+   <refsection><info><title>FILES</title></info>
+ 
+     <para><filename>/etc/resolv.conf</filename>

codesign2019.txt

@@ -0,0 +1,252 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: GPGTools - http://gpgtools.org
+
+mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
+r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
+pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
+yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
+ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
+/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
+qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
+UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
+SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
+o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
+LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
+EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
+1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
+tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
+5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
+Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
+JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
+hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
+xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
+gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
+pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
+vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
+6f2op3tMiQEzBBABCAAdFiEEFcm6uMUTPAcGawLtlumWUDlMmawFAlwuSqAACgkQ
+lumWUDlMmaz+igf/ZW8OY5aWjRk7QiXp93jkWRIbMi8kB9jW5u6tfYXFjMADpqiQ
+yYdzEHFayRF92PQwj81UzIWzOWjErFWLDE2xol9sP5LdzeqoyED+XTqKggpVsIs+
+Lq672qnumQoZKp1YGb8MDocU2DNg/VsMdi7kCnEnPbcSuBxksmxGYomusXNrAF94
+1OJ2sqd9BuFamLIyn8XUCGGYlsvMoe4kTCg6Cc1sQvx0lDG8urKN57jBKWbP4alV
++JBV5KQcf74gzPmE3ypgY1tMEwxyH/WyS9ekDbai0qauX6eUAsM1bduH8fIcknLS
+Zl5hrJTrzWFF9/DKOth8QOwhJ9zoIF1fcAsx9okBMwQQAQgAHRYhBHpqR7X54SM6
+0lUrXL2X3GOe6MR7BQJcLktcAAoJEL2X3GOe6MR7jwEH/iaolMeno1oeWAgzN6Mg
+bx3maweh/9Vqty1fwk7Crq1G78X5i1OCkknEL2p0Bfle4ApwcC4HZVcqCgoYpRV3
+/EEXtwkMNy3plWdBbLCQSev/E1D39GzgAHiMnv7NUJnkoJbvMrvrAiUTXPTtARMM
+gjEpvgEs60wuJxS8ESomRhe/KW4myxDoBxF+K+e5bOkOvvWVcAYJHWZ1BIZs4n6b
++C2vO8q5aKTkQ/XvNT7utbTOqj1SGhItRaAQKXHBdzkQ1Et3wTA4+uRg4gK12624
+9LperYs26w9X9UzApl+qVxQhtWUw3tnUXMastDfQrRcvJgq1xpv++OqX5Uc93RTf
+SNWJAjMEEAEIAB0WIQS+DpdItxglOii7if/xsRvwXPAuVwUCXC5LlQAKCRDxsRvw
+XPAuV29KEACEwlTVVKe4gnBYHnlAD7csoQ0+gJ6C+Ofzlw+UItRIcFeVCAknSGBs
+NPxr9JStIvKpmsbSKpCNUEAYnRP2immh94y/C6BuTe1uUUmqBGr1f4OAUwZpmI29
+ixYeY/uUs9FZO3bS0/WtG46tdcJK41qtM0DYAGT3oeZhJMTW15dfvMGlFukauSOU
++BbR+6sZhqdbWl/AOTE/6x5otnAaW0GObY/BW240Xq/KTgBrzVdK5qNoYsMVsiTd
+0im0JKvFG08ED+ZfcILhlO6G9jRhoTkhtYuf8CKN1dPf2IoB5FrRFf0xqRr9hNlk
+X7ViNMP9OPb8i3BubWvRi5rNSquCwrFATSiAgaA9Yi1BNzQsmQxOql9lsh7eCH7m
++8zzUg9umWI6PkSv8vHBo2kPX73wmtEsF6vxJlk0yDBuQw7y0uuKh406tEEk4cP2
+8U4baq+ihpioupDhNuEII1h1Eh/RBE408RAOpcr+2F0m/fKOoJyz7u+AxyV81Ia6
+fyBnUfZnlfKo16w87c1HJRs9dKkRa5yGziBf9TcED3sru58Pftes2Nr80/iOh26i
+P2pRihcIyrmeAqDWnneErVCmPMDTe6zkMrm/0iZ25/Jfq+M8IHEzFEw3Y1FBOeFg
+9TyMDwYG2biJPTNTDO0BQ+Rrvs4SjFWEYSxgJSvG1jMfSPt5AR6MJrkCDQRcKvQU
+ARAAufZX5WzJr0lZAhxaGpHY6JMBr4jVOCP4TrDZhwC2K4CXNM/PLLNisWzquiWa
+FvUDhB89kCxrEhipwVFYhBr16CDQxrr8yhah3RIxrBMYhRTxgIAkANgkhGWfDJSE
+zXauA7krYtS3rYwhfXe4cNsTkLPbnMUlyLJcqj2wnZcZIt97aL+NFRPyfIw1KfUb
+9u3tB9seDYbvTEULeL07aTnHpWM5f3bTwJrJ2OFPzXseCCzPiVNh3Bv+YtJ1pMTr
+c/UHO5DoJuHLsF0wicPSrpD0twspFdR/0rT6eNycsaCtV4GQzBcMPvY7qai5XrZm
+Cqgluo1W6l6+F5YrKvRMtyyFkUNGcPywdjSlP44JyRrS2uzvFUViSsJArcmFG2TJ
+LCohnse8wqjw0dIUVbmDbE4zjaG56zkvu0k+04Wwp3XPgOZrbl6cbhX3yLhu/Gt0
+dzd9EReoNfKXk32hBzKas/vdeB5DZejbOOOWYftqyZC1LvDvvrYFhFK6VGozfZ6L
+Fml1hzn+xPahp5tRv93/T9zXeVPm9zilGMqm/gjRgh8ojWxNQoNzJyqTPWIvWmbu
+EIP3T3cTFq6lJpJsg3+sfzofGWZCGnBZQGqm8rEOoUWiaKe1BvQCX1x8p4/x8/tX
+TaVDpQCGoqxXt09plkDuGMuiDICxBlaHWUR2jLoHc2cLrB8AEQEAAYkCPAQYAQgA
+JhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcKvQUAhsMBQkD7JcAAAoJEHS7a5pM
+uz04pB8P/Amfg54IFeALiPOrKbjC3bVAQzrsf09IL8sUln/LCZIx9HgGAJj/f35S
+Q35sK2ucjWiDX6qCxVrWmC6caQXFgXOFSKIlqladmmgj4sIdLM5wj4nbomHChpB5
+rqV/GgkFwWBQ3kPCatXvc8Bg+zKJ+wXgTuPFXefyE9R+SLuas2grQ9hAjvTGHYbq
+iYxSlNDFc1aHLAQ3bS76351MHuMHOpLzoB0OkZDCVNW4GNEqrLbINdr50RAK+Loo
+Z2UBIobEZjXYor9A2FWkSvdjyz6X1QKMdQMath6R91k/O0abBa7ly4/805eAGXM3
+w1Xf2eMlpiUs69BeYoJBklK8aNMntpDREunJjhiPU4JoDzSxl5Qv7LuXylyo0YJA
+9YmydKhTTcRdwsKc//nGr/ckg4BRl+VbtJBYvd3xGB7IQ+pT/TOakv9qCospAhr3
+EQjVP/XpnWJRd+x+dq8UXqwWmTenWDE42cNr7BDFJdOqS5ZWy4sIz4sdjpSxXMB9
+8iiRtKSpKRCJgXScB7SYebh835EgG2YyQGdhJMO7C6ok9POYQBqL8sBqRzImJKoT
+VDvOH42WArKwJWTHa4mPdiDHEIZlkONerec3JXtl4Mfv8cwZ5Lb8fSiB/x8AWvqs
+puc/7hQtkus4TcgutS1fwhAwpnFItpVF6+73CMQrJsblBdTjW0T+uQINBFxbVHwB
+EADebZOJbhPdhHeBPdlZYE3rRjB8scDpWdjrCupfmeTC9MM6JgCE4DEMBtBXk+h1
++7wfpblYYNFwGVFvytG5nvGRDtHWxwd1Z9O8Fx4Zqu0Fx/wAn7ZL3ryE+tdHR7JK
+7SLxOa2X49T/8LY0U8Q65I4ZRo/b4VMcXApCmncw3QSRqHT/mYdNnf+HHPvi3jza
+md3iVptCS4Iaisc079DFda+htWXspBc13lmPi2vGQkWjjS3B4yO8JackyQPVhpsg
+KYbRBzOH0Kii8bXmyA6O5uIJYEddp5Veged4FE/ej3CrgGP1D0Yk1epx8lLbi9RB
+kwFS7DA5rQ23UnbSy1WyV1ZgPrWqQAWuGpjMTVTWN0ElI3AGxAnE8lZlSXyE+XyV
+uHjjIVrayBjLKVqDuSLdKZeCvI4QsyHH6F0NKJQkngvXxLZYxO6s0c2EFFLzdVWT
+1V9GMP8UsDrrb+JsZjUVmPR1tTP4xqEQG6KjfFoQm5XWpGtFwh91OK1lwf/Bx2/C
+j+PquLLFcj7hEP79VDTUZPQAduTTxIeTzHXH+x1PCHFB10xxH3e82VSdJeBUrJxn
+riXzK50SKTTmF+uYpHqE8Jg1N2Y1n5ksuxeYUy8PFjhAeBCqZ6ZcldUDf4999e/z
+PT8bwfCDr8jRdqJHrq7RxTJiP5RsMudWpKeohzJGwQ5uZwARAQABiQRyBBgBCAAm
+FiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVHwCGwIFCQO9IQACQAkQdLtrmky7
+PTjBdCAEGQEIAB0WIQSVztolaxygoV8wL7WVIaftXazpGAUCXFtUfAAKCRCVIaft
+XazpGPeMEACm9nxA/VKf8RxDo2ZuTgyuSwlR8tCjAE4k3+UoiYUbamkW4pjx9Vgd
+1zC5bNxSWZ5vlJ4CH8ArKFqNK5LBVDZqhYureAo/1Af2b9vRJw0/QQHhuXz/jqeT
+wwrLuKpy796Gpt+aFfcmS0ZC4QXfxJERhAP6tu1p6YmAsSb+bjziQVkKrt9mhOrL
+dtz6WP0Fg1joRj33FgnnLtayHvtgQrNFI3ztCjk/B2FjYZxqbBGfk5gyo0cTE2Fi
+oLhG/XrxIoZepFMJkGYETnYQXrOt2KuJLvawV70YQmG8EqHYY8drKA0XDZs8TVdT
+5cvGvtm8ERz5znsssRBxQMI5Ml6O2ahrXp8Eq4htCzlvO8t2MOtzvqAJRiyAd6bA
+Uo+MGVRpnvePOR1SAgBXCd416rF0iCXc1utZxnqwdq9kJAZ+8mCLx4N4jk6AdGpX
+zcNkLg7QmUzXn75RxZ6GrIUYZJNMlswXq5XhSW4o8ePlaxWjh9+QTtU964AZhpA1
+uoHsKGTBxHJs0w6McZm14kb2PuaO2/rpf8s8IZyc93+Y5O/gHZ6/agBjA9qN6wkQ
+R1d5UhJC4QS/m35rBGBKK9X3fqQxaBCio6Qz+m4A3GchrztJpq+2P+ma5ylsTq5j
+V4njky26WNtrV7+N0C4Moj3I4Qn6YU/eSManTXzHzoiPZCEH/IOxgXIiD/9Zm3Zz
+I+h4NCfSGyP11/w1gEzlTHQ4at/FXIIDh0Y2ZNpWPffuFQLtcER2vyKPwhDYpGMy
+NNHXks4azfrXVCv0wmSNBbeS8pJrYtopZpCEBrAbg/YLv9m5lpDSRHaR3gv/qMZ7
+QxY+NwqciqTwGq68PuF4mDSvtfuFmbEES9Iybiie+eL/6DU2knfBjgshUe6vElR+
+LYoPQ45GY2IxRTJ1pMXaZw1+evwH3UvseRGkRygiaBgoU/qR4prynvjMQcacCa+C
+aRnXZJYp/usVBeY0xut9toc9/OcLGoBr5h9l5YjruO2vu8VHou8N0tarVQn3YbQR
+Fi+YtNtclWJa8Pq1AsKRTCFwDwP6eODv6mNOrEFydNRcpiQmzp47VWF/YHRfHzCq
+A1wHLxLUrpQTaVw6J4FqedAQ31aAO4faA7MS+ZMNBqZCZ7lTGC6TvojqqBAN2yX7
+AnnYpZHM+lGpi2/ukVzLqSkGmdNOgbu+UZvoej3YnHYig4yWP+z2xrlJl8bkhU/d
+r9IQE5aRCEPB/JWhHJ2/GqYl9qjshlB52+6X2KDarwptOtzT9ooArYhpMwKIYh34
+c7X8tlAKYk7V5j7txIRFDKKAftC7dM82PntXJxSkWyR70GYnYjiXyrqqerqT7xIC
+mDEQgFOPpy09zFW62paO9uiZw6qwybwqgGpoX7kCDQRcW1TbARAA3ERo2mPv2VVg
+ZUFr4MtPDm4UG00YJW/LYa3D3k0e9tdSScACXprk1sAoxUlQx/CSdErPKwXG4rax
+iN4t5nICUUNYSC0dh09G25jC7nwsWc0AYyZu+h/FzfvpOm3fBwmBlzILlGh0URwH
+Ffj9fHt6hos4C+3PFZZ/X24aMJF/cov1oYi9rqFwt/l0mgtPE88Iyj2/Vp3Lergg
+QMzKfEuyluj9fL2cgU0Qa7oAPXmaxhHtua4cvbM5SXGo3FXjIgzH9OfM+2orebeN
+wH1M3ec6w+nPmRmCJLvPKGOeS7GVXL5/aOyPlDWzSXYnpCKS2ntw4K4nt0IA8n8z
+1db109l/C2noDrDSJEqOo843ShNGTYOMVUrj3a+Y7o2ATc9pNZalf0PwnKas7NDb
+IJ152PEQw665iYXcv2awjLF6W0yuSq8kfiaAxIrsie2Dto0zgqOs0Ot9Y74u11Hh
+wBSHUO3mEZJScAAcI/yDF2PvjvCQSzu4mdXb77t6X2O6YHULz4A7bVQCMazcTDI9
+/S0W2+ixPnnJVnE3xgjK9zuizji8JDJw1hJCQM+yTLVqq9pfvcRfQ6uwpMRzz/O3
+S0zDRiA69/GyfNwkpgz5QaGpY02IK5WrQU1doRjIz4BHAYzoIOkMkRqTtjdElQZw
+/D3wSO2uwsEMNwRzibR/Lz1JF2aGn6EAEQEAAYkEcgQYAQgAJhYhBK4/rHlnEexZ
+/AB6pHS7a5pMuz04BQJcW1TbAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkBCAAd
+FiEE1wyE5ktVjlvM7AchMuIXXx11eioFAlxbVNsACgkQMuIXXx11eiqCfQ//SFDf
+rOIEoslp6n6vlCuavOg02wvjskKQGP1P1Q4v40Fw1Gl87n9uXAoMpeF4H+pzUxOi
+BHYCQi+EemwocSThzaWfPzd3JG/0OcRymf+ZOcBb+58VJL7p88QdMFIAi5J+KMuA
+fEG0zLkc9anEnXoVMmQJX5K+6PyeVDvBbYGjLjQAsWTZTiVuQI0w3WxFtDGWqQII
+8e/qE0DA7c/auGn7j2hid308+FcdfpmLefW9YesWjE1yYvHoCRdFOJ/7Sft4MQCI
+Re7UET3TRMBvtisP2DcqyzGPp22s4ZYFCCJJNiB92bXdEl5zXe4Ff7JTfNE/QrR7
+Wg5R9hZHgHdbp8p8bA3f0y29YCx3puYg7BbmQWiMh3rXWE5b090pSpw0K9BQU3vO
+irr+5/2TaFOJXHl4VF03GrWsSncShCbdsdRIv4TB0lY2mN4q+e7bjlAzJJeoaS97
+GIqu3DBlAJyx/ZwWW23DXXwoQ4jNuJhpl2jaCE7rVQB0uLjbp0i9Zdd4SdYZxmO/
+Y+JfgoJz8eyx8wZi4eDz1ijN0WKsIGjxJH5VUK9STjijDMeG6ZZRLc6b1QCGhe97
+ZbDkEUTdQGoeu4L5Fiqoma13NEsf8ofBDv+myJm/O67Va9JI3gxhIrhmF7LMzQQp
+lYx2peZC1CmhEnn83dtt83mhXvX6Dth657BW/Qd+GQ//SVuTPuNkBXfrTi4dbnv+
+cU6IsoIBodTF/WsQ6h4kbtsPhO5DbrsLNuNumrqVEN8jw+HUsEeNvFNeMrTPdG2V
+87ShQ4BQGkCf+GFRBj0myxxXOFZYQx6RpY5fCe7yOcTzpkbnPWmm7V8HdOuZ0NnL
+JNQ5YogOI6UvXVKv35R9qBo+G9jkhhb0eaAu6BERzKVANKfsGN7545ElZ1qlffMh
+AQhXGb6TsvCeSg2cWGb2cnVL2d58uVukD4PDiq4qqwgClkF3bOO70SIgGrCteHbi
+4Hseopex5m6GqqjoUYXr7QQBwSaQdc+gKtEjMHCsHbUyHRk0qEHdEe+2RmL0d0ra
+QMJfKyYQjcCR7tnrgN4WD1h4NKRdC/KRW31MDmH9XVPrkOMQCUCnArXkOwdKWsKf
+h8af9HqweXOT1FHJN/M3tWaBpv6KoduF2f2pj1VhPZ2EqFUycJ26lrHyOpsynQR6
++TD+c1uXotDwKN5RW+YL1cydk6mhib64fdOyPUeTcHehjMAFgM2f5wi35Ujcj8id
+37cWOqRsggSbMnGO4AUA/YtcVNG8TjZbakson8ENK7e8q4sEiNFUZ7/CtzNokwHQ
+5uOG1+qB85Y4ImGnIZVeiBpjt73VVawg4Zvm/omtW50P9R+4rVhMJZZFAgrWg8BH
+H/KNznW0vUuShG8B+2FA/eu5Ag0EXFtVDAEQAL5ftI1GgVJEFgX5VsuFnfBnH95c
+zqmwEXaTP4s7Xm3O0Wy579EzRUD1eEw/UaD/q2OHScwvMP65cZYQ9w4hnCN6H96P
+96Teo7LOMCssvSXIO7gqP33LKTqDzsIoAFHwWE3dq1jbyP6T1Je85mr0Edvk8kOC
+B1hudswAARno/7X9zGulhhwuEHk5Iey7R59yRUQqBctdNcetGyaiFjjX0evuVADi
+/z/s07XhDLDt7+3Vglh1/7XGC64QhB9QjZ8j0u7+0xfmLLjhi+7EpkDlAHIJXX1H
+0wAsPOGKlYruQUmIsMNfBINZeulHEBZ4cAd30xsM296DzJ6QL9sAGfYMhRs0YHB/
+EJ10Zv0iw1pU2jCCUv/9Kf4F4nwgHQWQP7JAbfhOIUOUq/YlxjTLnkd25+7vD3KH
+NQ6UiRDROR9Jwetpd/zokpf5O5iTBpVL+sCq+NsTZyDOjITve2sY0V8v10M+Z+pL
+cp/cUZ4JEDS/WJ4/ovBNJP8b+YwN/RBgCjl8UBX/N+e7AA52eYP2H9GK9XPkzSCE
+VxEf5PyjGrwedpoLkzagrHsDuWo3uBquLyneT/ozihqKQAuInUy5B7rWU4mpKHe5
+Vto5o6Zuj+6MgHgIQzRK6Da2ziMNEmroxwZibcYCtUPdvcvxGh+byclnzBclKjOw
+kAalFPx0SxEbHmzPABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9
+OAUCXFtVDAIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBK7WIv4CB360
+tcFGwUKiedJIzcMQBQJcW1UMAAoJEEKiedJIzcMQH+cQAIQYXDnqi4Hl21LtAgky
+pZxug+x/LECVlwkrIfaQF337+fG+H9J7SdU87Sn1Xe/YUgQnF0XP/fjIVFM0e/Tb
+xVlmTFqiejLnIwJJDgUaHO3POT2sGEyO3tc0mqSzyRBxtMQ8yvApccBhL5QODv3h
+hlRWgk5MXU0IPeXw134IWm+o/PRiPBoXPawvVfEVIBlUFaiSZASf4BAiSad4aJQe
+P8PyP7FPvQB1xiib0iSetn6ZmNeN2OSUJPiPA8aE9JCKuFtomVQEDM0BqQDl5A7h
+5O2uyf0Li+/ArqBvfBjrH03e5zbID02dO3D2BjsV3jUeVPQ5WDgVg8LH+nfg/rRy
+wfCsx9zFp1mt3K4xN2v7IKwxGndApgCcx17gsjzMvLz0J7sSGov4MNjzqvGEDKCl
+uUvNKXqy7je9xcQLpoyvWtoWFXWTbQAcK5Vv+hC67r9bHpjI1KuqA8hYqNKxsv7s
+wiLZdd4SK9SIuwf0j8/XTZwmoFfGolJil0ZNxyqBF39+CMVpaHdLM1qKZz99TVzS
+h4obOOjkUjK458xSo0XCbJ4qXYp7PgxyWK6GIbTozbbG/1ldw+LUnqxt8Shf797L
+J9lbI3ICuR2P5PYlKJf3b6D9GyfqyrP387fKAKhHsYkZ1XD54/8wIgTrdfeNPtL0
+1mjWDjw5KvO9kuPBjcmzgt+NrtsQAJwKeZsiqLLcY8kJ9xP+/xtTlh2iVuZMfxwq
+hwlo4MMCzpobLDZ/JKU398m77eboTKJSBfeUYxQd4ATn1L8NLKjLxKAaBkjEk0nN
+8w9OUQbFlhQ/asLzzF7Z9IGGh9/SEgBZ8V67a0O3Qw9Xdi3ARK3bbZ8RIVJ0+P9G
+CGrfq9j4ZmGA2L4irLjsvDAv7CSMb4WBKW8j0Jz5LFMwOMJgG1TT5c6lNqFj6y09
+rZcVLnt8+lUv2Bw3LC0oI1TjFkrrCzIdfg++mPi3K/ZFc50bvnWF4eCOjgZ5U9Vb
+sxFZq3+vTRcIfI9z2lZ9CNDRA1O5jGvuVtEGLiSLF2aJ6kiNriLuuGTlXfg/Fpgh
+GTvyppOTzF7PtHzHBQ/ZjnhWojnc/jyJRwLK8cCl6+EOc887v8BDmqgFWtmycsE2
+5fDJ7UFGP13g/eDL3ZUgMDty5dQaUOTX145t2KT+lMqpY6ZK2EC+eoqrnIGJ+tYy
+0l4RRxi10mbNhuPIIDdph7X+mUHgCeA9gyF0Y+LqiB6CX+zFg7ovLvnCbMPxdGXq
+z7AjfwqZBKI+BVuBeDtyW4onmElCu5cXNKsg3W0IlQlZf9PMDU6Ht0XLUs7EPfbQ
+sH1Vqi1XE1W/tGnkmjcpG/qlt9Gx1uwFGLP6iomqUBc2c0GZ6R1xplXvd3w3yC8d
+8lAgPGImuQINBFxbVToBEADkuxhQx9gxlzzCc0nUu2v82XsD+GzONp9irt14gslx
+te96eKaTXTi0t5eya0X5TIY3wbREwjlfAeM9AfcAmWcsM4izrfPtANM6WOxB2Tbz
+EY2cqv7NBQii7Z5aqPyjcIiT0b0Gs2evlDkn3xEBBqTSrNcnGSA29bZPIkaUb7Qo
+p/Ani0S3/tgcR21gXsJwkgpfNKwvPT03Lz3/o5rXAyag0M/25adgk9SVKNcXc8h2
+HSGv5ENjwUKNNnowVbNLw4287mFUM2Vd6unGJ2MBj7aUwTrfBl7gNV96mMdDJWcB
+hGKYkxUvibuHCa2KH7gTrnV6X7sdrgD5CbJMPq6OZNSP6n6bUVg22eHxoETplFwT
+4NvV3clRMWIAG1XgXR1l99LAh7PPnPMM1pHQGPwYHQskoBFS4g5knzHpB9h9TfZ3
+MM4cDZR5NgWmE0fYVnWe5ax+wW0/IOklUoHv3qoL4yiN9wFJq2oLzUNQd9+tsqiy
+vxSTh8iYmHegyn5KuBPsrMPgvqiKOdalTZKkak9DOx4cGQL2qHspKxiBOb6uox2v
+fjMQ5bDeUn+4DYMdnZNHeywCUegJmDakUtlfvN+136IDHGwfdGcitqzswzd3+PI2
+qlwPE19gkrp9NUaD3Qj2ZtDP7sU2cThc6Gra5KRFW8f98bI77j1Wu6pCnYFLqPz4
+QQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVToCGwIF
+CQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQR5HX64jryNAThDSqwz3zWa56YK
+eQUCXFtVOgAKCRAz3zWa56YKeSWOEADK8u03LESGSQlZQqnnCAI8iYs1s+XRMEnG
+2tAQ1OK7/4eNgr1yZckmaW4FBMgeEgYIBJ7v3SlW7Hf7dE10TYPNGbP6UxVW8HIP
+rA4CINcGZXWWwpS374JNMS6A5eb6viuEgEMEi00jx0MmLvCMZKypmwXQUl5YJ5nB
+ytpQ1681mCQxGBMhT1eKQt3B4nAsoEnP+HnqVM/nKxBemSBNXX+C0b/YeQoLC3sD
+L+Z0NRI8U6PZl9Rokod3uynH0vfBYCEJd6MvsjtnJlVVaseYIA3ESNrFG12tw95I
+wKNrVCANZ1DBSyK4ovmmWsDrH+uFTHSLNjlxIuVxUfmXcLfgcepVCmd/7Z7UrWYr
+SXSvP0VG4ZmEPE7tNb8bfyADftO1cVsmcHBQeSrgvpSrTv9L8MocojpR5vJc1f+a
+sBT7rAeGzZP9riz1GmryXawaZgdLfaaJfzRQkc1uTChb7kMN+UMhVUdCAXmho0XO
+SfcsW84u/LpjdYh2Ww41xQO6EWvbZDNgD/Fdmp8Uh1MqJ1Dejri6kjNn6wPImXJd
+Eu6nHqWDRdYsfT4XUB18tB+4aIpFzCyIgpf7p1uaVU7Oqip5sZkc/WXKr77lV23m
+PQvpGRNCzgU2TJY7ktR3LOvUVN6wNfLMHzeQk18NdmcEGUrJ0YYtl9vE5/Eg9L6x
+LBH9PKt17IQ8D/9DLwQX8pl3fuTM8ZbzIPLxiXhbgzBBTXKRE2u1888+RIq9xE7c
+aVFjwq4qpgqZ5SFonTcG4Pi5ck3mFAzyA5zLRF+ckpmBpwSPMpLwCpv10369D1jh
+AF3JsUwt6DIb2BISMhh2ThSUMSKO75q8GSotsKjJyjD6vl1x4L7WXubTWxEiNuwD
+3kAjFWS1Z1VWtA9SURWAbsDaCV4VmwCCpSIwRr9OTbyu9XuMdMxGNpl8SwW7MVQb
+x4aYNvR7Hl/wIR71AHAXoSfrKp3p12anXjYYASHmbm16ugP4H7HLMBfznKet2f76
+gIxJr1CsAMTSqypcC1UoVb6Gz8djeIR+GU+6efHI4TIUMy5uMIUx8tYbwSEeo/y6
+NnjpJFYYjJa671iSABInNxs4+X+1zrFa+wl45EnaFxziEet2Qzv/VsusoLvLwnYi
+BZckclAS5xoVGFW0WJ01OfLUDHxGMt9GSheL8c+GLMaMtaCWunpmmt9zZ9WdpBOu
+AGluMG1Cee50TrhXaGE8CdNr8nOdSeLNAveBAPmuVa0JDSe20/D/RuYJLKeG9Vsq
+BZvjuGlOUsfl6UjtiGRbgS9OWpxeez5ugc9yyV+rBGIpmnIb+9quz2HmGxE65eA2
+cRNsZRIjFLzeAx/0RMaT1nlLFTBbUuZ+tJ+fgFtRGMhifZn1pb2dMQo0N7kCDQRc
+W1VuARAAv4LYaNq2Zev/v7M5DnxLpgHRcMkG7TOQpycrlK5653llpZzTy3mh5peW
+vcq3IDmdeUIJxQ+WDh2f0vS+NIKDC/HAddfHrZPbhO7zLxLcMW5KmV05ancaRSP0
+s0+IyQmvVxUNrgPinZiphlvRGoLXS6pdgfc4jIR9B2umPecfvfu/6EWFPnXZgG8K
+yY3Z+mwrmEO0FaXHBQuu6nactiPe79N4bLe8hk9RW6yIxLBeJzIoOlIcJmuRHapt
+nS2lV3mfhZdFnkAp1o6a2TL5BwgMY0wZUKZr78HEMKh6LbPN9rPepf0neUeq/k1l
+NJU7V6XMS+rezF31vgSJ5KoNGYhxtWZ54uksH2rcw7+ltpSVtqY91G/vibpRCJG3
+LdX/kxHni1NEWyZlpS/6ntuH6HSoNYsR9IMsbESs3QVCH74ApK88CxYCRB0SEo0M
+yAElbQ3bfEKCKl/FwC4IzAYAJ2arWKwBHRSJlsrNCtczrjG7j3EyJrn8+Tm5yjO6
+0THQjvc/nBxrNE09r1Lzz7jrDWC9Rl+BH6wqdniymoYyUAQsX2rZ+Jhah1Zkf+Gu
+76qtY+EH494dPM+0FazcBlgBd6/J5mh3Wk9JuecXLTEUGtzd1GmI9CENPAklCauX
+tNOWeTop27djuKWsZxuP1GyV6UYixFVOSWteyAbA32cncVv/2ZUAEQEAAYkEcgQY
+AQgAJhYhBK4/rHlnEexZ/AB6pHS7a5pMuz04BQJcW1VuAhsCBQkDvSEAAkAJEHS7
+a5pMuz04wXQgBBkBCAAdFiEEFWiQaF6g32oTce8gF8xdsfAIhAcFAlxbVW4ACgkQ
+F8xdsfAIhAd4jxAAiO9+VRQQ3eBOsJRgANdgL/l51kq7qE3u8xnSqNkrmdYDdT2H
+TYH5W4n2AmGo50BDafdjd6tut0qtzA3/hGWCooydxKFOsnIYziUeoHvlICj3RkHO
+y7utcFhAgRWi+kzFwnnXGf13dMU9iG7yvKrCrCEw44gzoQ1KnY1Xsj18n5JkqxeT
+94bzcSbz20OpOSIMfSQPrpy18WrZYwHodcIZ3IUUACCpMZdfTa9c/qHRQ/rcwl+B
+0JlHx0V4AYiSAsiMVgflO1Eqi7apPuwxPPd5nnHkrdDM9CYC3LdBORBXwncG3oZ5
+eTSXmsvFxHXH41JHsm/1QFcVmFAYhu9qJFCGiD+8UeTFtT+nnHU69BszgtUskqX8
+k9PqLdK7Vxkp16wc6WOp1NeIQ6Fd4PxTGrPqs9bJk7TlYtTFWpA0X+EMj/San+Ku
+PxqLEa4Ab12R4vs1pCrn/g1z3C/6ujH4B70HOrRTIeTjULJ6xdwXGtwUA09hio0r
+pHhtyZhAh5irUJNto4ZOk/Qyd+dfMsNvRJfbVIK2mmeRaBnp902AsQNgYVdi2Aki
+0h4kz3bVLGw7iD/xV2hV69+JwLSijkkmOpz/EjMwj0hDDYrHH3Y3o0dV3dNdk/5i
+6lQgcxSVsl9kWlHcoEllKbf0Hb1muKVwoGGYxFYna2jsLFVjG29M7iPSgrHjmg/+
+I3fmsLZ0VI9kmxniUlZ6gz5NB5PJ3RXmwKO9LkBgE5C1wpuZbNEQ1NsR2bprlJPm
+++GNSo8HaheuTRJn42kkOgfIJwjuvXih3FE/NtRA/W8H2uF6YLDjBKGZJbxQcmsd
+CTEuCRCVP8X7C5n3rl1YqzfWfNr8QFxvH7ivG7KOlSxvyTKcYatWb9uDUPrnr74f
+ZaMljHGsNyKj70MzZcrrsmt61yWGR0h+02rmIKlskl4hkh+qF5ehI+Bkd7eblsBy
+rxEREHq/ij2Vd7l0Z606YCE8vj8WfcsJj8JjwR3A+nND/oNJTTbQ3b8OvasvqIey
+WqqmGg73nbHjd/VIAUsfvnsEYatDk4pAA/wQr9c4T4s5Q/QRwDrAsa4J89FrDjWC
+hQBPL7TaP8Af/3Y3/86jLCN4lnW1qjPXv5rhBFeI0EVi1k1qdV06qr5HOk7CwQTT
+uc4rCdFcEnw8kVKZa/yFnlJfRa0Z4IwSahdp5fdFEuad6LpOcFFnYxWtIWhcg4GT
+RcMha/OZnsfqOqiAt6In+1IwuJBz3uMM7xw2AMaxzAejGEL63F81C5iJ6Ld6kQK+
+XblDW0G643bVbzkBb46MAT+UnLuWQUs3NDtk1FEioJyWUgbO/srMH4MoWM7rG8ZT
+nQPohNmPBrqL2phmE27HQsQ0rTjH2Z2ol7iy9OFMtT0=
+=MkGo
+-----END PGP PUBLIC KEY BLOCK-----

codesign2021.txt

@@ -0,0 +1,534 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
+r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
+pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
+yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
+ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
+/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
+qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
+UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
+SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
+o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
+LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
+EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
+1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
+tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
+5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
+Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
+JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
+hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
+xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
+gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
+pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
+vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
+6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr
+gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF
+FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki
+33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I
+LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X
+gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa
+7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A
+5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu
+8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN
+bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo
+p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus
+HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF
+CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW
+f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi
+wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I
+u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY
+0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87
+RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP
+NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD
+6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL
+llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0
+85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x
+zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF
+1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0
+wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH
+/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo
+dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON
+LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA
+Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj
+cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE
+tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak
+a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX
+THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4
+EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n
+ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ
+A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY
+BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf
+5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv
+29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx
+Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh
+nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS
+odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87
+y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk
+Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr
+FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk
+7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv
+O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k
+IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V
+Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/
+2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o
+NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT
++pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7
+xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym
+JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn
+uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD
+jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06
+3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ
+ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb
+VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF
+SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6
+bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa
+C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc
+VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek
+IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN
+z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2
+jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg
+dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr
+2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB
+jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB
+CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr
+mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy
+4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu
+f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk
+vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO
+JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi
+8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S
+XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY
+TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY
+3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4
+uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM
+x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr
+0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J
+W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD
+4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm
+Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0
+p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW
+QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId
+GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ
+4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo
+VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM
+wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr
+iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1
+H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB
+UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w
+/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI
+/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101
+x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys
+uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM
+npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr
+9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M
+hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
+DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
+C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
+y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
+EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
+CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
+hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
+BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
+xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
+qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
+W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
+9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
+uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
+mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
+xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
+WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
+cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
+E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
+vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
+LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
+wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
+nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
+SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
+zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
+pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
+7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
+08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
+QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
+ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
+iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
+1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
+z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
+Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
+fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
+EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
+AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
+AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
+bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
+sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
+TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
+vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
+qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
+TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
+8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
+IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
+x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
+t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
+/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
+Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
+UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
+KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
+SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
+cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
+BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
+XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
+e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
+A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
+Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
+63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
+oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
+J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
+chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
+mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
+rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
+EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
+5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
+sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
+s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
+lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
+vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
+MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
+BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
+3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
+W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
+GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
+8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
+Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
+chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
+DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
+l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
+JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
+P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
+1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
+snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
+Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
+iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
+VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
+m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
+4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
+Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
+H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
+g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
+9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
+TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
+uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
+QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
+Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
+=fX+D
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
+ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
+AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
+41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
+4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
+XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
+/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
+0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
+9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
+uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
+hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
+tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
+LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
+MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
+Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
+ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
+4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
+JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
+QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
+3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
+8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
+/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
+LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
+QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
+sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
+BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
+3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
+IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
+U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
+6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
+LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
+BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
+HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
+kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
+f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
+4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
+8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
+CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
+xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
+LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
+KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
+mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
+8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
+vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
+IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
+VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
+IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
+YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
+L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
+1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
+qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
+nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
+UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
+qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
+IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
+s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
+nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
+8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
+0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
+ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
+7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
+PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
+GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
+nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
+vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
+7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
+bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
+ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
+hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
+Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
+0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
+AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
+PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
+xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
+ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
+oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
+aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
+/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
+ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
+BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
+ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
+GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
+0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
+69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
+qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
++tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
+uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
+yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
+TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
+XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
+yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
+zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
+dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
+XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
+iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
+W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
+UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
+BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
+M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
+EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
+6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
+Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
+HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
+ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
++iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
+iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
+gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
+AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
+/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
+6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
+5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
+ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
+89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
+493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
+jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
+DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
+nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
+5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
+72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
+RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
+lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
+qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
+FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
+eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
++gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
+uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
+5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
+IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
+CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
+ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
+2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
+IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
+D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
+X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
+mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
+zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
+YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
+88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
+pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
+Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
+MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
+h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
+YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
+XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
+MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
+eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
+rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
+5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
+CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
+zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
+Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
+a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
+ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
+GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
+MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
+hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
+16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
+isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
+Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
+NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
+qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
+bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
+zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
+DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
+XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
+ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
+zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
+JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
+qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
+zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
+y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
+qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
+QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
+QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
+X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
+vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
+AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
+aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
+VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
+flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
+NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
+Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
+lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
+se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
+RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
+MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
+RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
+PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
+K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
+Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
+dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
+qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
+MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
+wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
+7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
+PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
+rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
+b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
+dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
+Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
+CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
+96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
+ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
+a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
+YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
+KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
+bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
+la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
+Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
+Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
+BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
+CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
+AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
+9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
+dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
+fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
+XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
+yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
+HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
+SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
+eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
+jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
+DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
+Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
+hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
+rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
+Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
+ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
+i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
+rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
+CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
+LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
+Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
+dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
++6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
+gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
+8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
+nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
+r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
+eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
+VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
+zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
+Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
+JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
+IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
+fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
+dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
+W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
+O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
+jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
+TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
+M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
+oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
+AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
+sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
+ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
+M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
+Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
+0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
+x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
+6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
+QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
+gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
+c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
+1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
+8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
+Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
+rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
+MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
+grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
+QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
+f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
+O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
+SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
+VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
+J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
+ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
++SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
+SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
+8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
+uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
+JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
+ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
+Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
+eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
+dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
+9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
+d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
+tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
+lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
+KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
+iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
+bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
+d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
+aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
+X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
+vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
+4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
+7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
+UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
+8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
+7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
+l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
+4xcYgqlVpv15O7VrD+I=
+=Uugw
+-----END PGP PUBLIC KEY BLOCK-----

generate-rndc-key.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+. /etc/rc.d/init.d/functions
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+  echo -n $"Generating /etc/rndc.key:"
+  if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
+  then
+    chmod 640 /etc/rndc.key
+    chown root:named /etc/rndc.key
+    [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+    success $"/etc/rndc.key generation"
+    echo
+  else
+    failure $"/etc/rndc.key generation"
+    echo
+    exit 1
+  fi
+fi

ldap2zone.c

@@ -0,0 +1,411 @@
+/*
+ * Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+ * $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ */
+
+#define LDAP_DEPRECATED 1
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include <ldap.h>
+
+struct string {
+    void *data;
+    size_t len;
+};
+
+struct assstack_entry {
+    struct string key;
+    struct string val;
+    struct assstack_entry *next;
+};
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
+void printsoa(struct string *soa);
+void printrrs(char *defaultttl, struct assstack_entry *item);
+void print_zone(char *defaultttl, struct assstack_entry *stack);
+void usage(char *name);
+void err(char *name, const char *msg);
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
+    for (; stack; stack = stack->next)
+	if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
+	    return stack;
+    return NULL;
+}
+
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
+    item->next = *stack;
+    *stack = item;
+}
+
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
+    struct assstack_entry *p;
+    
+    item->next = NULL;
+    if (!*stack) {
+	*stack = item;
+	return;
+    }
+    /* find end, should keep track of end somewhere */
+    /* really a queue, not a stack */
+    p = *stack;
+    while (p->next)
+	p = p->next;
+    p->next = item;
+}
+
+void printsoa(struct string *soa) {
+    char *s;
+    size_t i;
+    
+    s = (char *)soa->data;
+    i = 0;
+    while (i < soa->len) {
+	putchar(s[i]);
+	if (s[i++] == ' ')
+	    break;
+    }
+    while (i < soa->len) {
+	putchar(s[i]);
+	if (s[i++] == ' ')
+	    break;
+    } 
+    printf("(\n\t\t\t\t");
+    while (i < soa->len) {
+	putchar(s[i]);
+	if (s[i++] == ' ')
+	    break;
+    }
+    printf("; Serialnumber\n\t\t\t\t");
+    while (i < soa->len) {
+	if (s[i] == ' ')
+	    break;
+	putchar(s[i++]);
+    }
+    i++;
+    printf("\t; Refresh\n\t\t\t\t");
+    while (i < soa->len) {
+	if (s[i] == ' ')
+	    break;
+	putchar(s[i++]);
+    }
+    i++;
+    printf("\t; Retry\n\t\t\t\t");
+    while (i < soa->len) {
+	if (s[i] == ' ')
+	    break;
+	putchar(s[i++]);
+    }
+    i++;
+    printf("\t; Expire\n\t\t\t\t");
+    while (i < soa->len) {
+	putchar(s[i++]);
+    }
+    printf(" )\t; Minimum TTL\n");
+}
+
+void printrrs(char *defaultttl, struct assstack_entry *item) {
+    struct assstack_entry *stack;
+    char *s;
+    int first;
+    size_t i;
+    char *ttl, *type;
+    int top;
+    
+    s = (char *)item->key.data;
+
+    if (item->key.len == 1 && *s == '@') {
+	top = 1;
+	printf("@\t");
+    } else {
+	top = 0;
+	for (i = 0; i < item->key.len; i++)
+	    putchar(s[i]);
+	if (item->key.len < 8)
+	    putchar('\t');
+	putchar('\t');
+    }
+    
+    first = 1;
+    for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
+	ttl = (char *)stack->key.data;
+	s = strchr(ttl, ' ');
+	*s++ = '\0';
+	type = s;
+	
+	if (first)
+	    first = 0;
+        else
+	    printf("\t\t");
+	    
+	if (strcmp(defaultttl, ttl))
+	    printf("%s", ttl);
+	putchar('\t');
+	
+	if (top) {
+	    top = 0;
+	    printf("IN\t%s\t", type);
+	    /* Should always be SOA here */
+	    if (!strcmp(type, "SOA")) {
+		printsoa(&stack->val);
+		continue;
+	    }
+	} else
+	    printf("%s\t", type);
+
+	s = (char *)stack->val.data;
+	for (i = 0; i < stack->val.len; i++)
+	    putchar(s[i]);
+	putchar('\n');
+    }
+}
+
+void print_zone(char *defaultttl, struct assstack_entry *stack) {
+    printf("$TTL %s\n", defaultttl);
+    for (; stack; stack = stack->next)
+	printrrs(defaultttl, stack);
+};
+
+void usage(char *name) {
+    fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
+    exit(1);
+};
+
+void err(char *name, const char *msg) {
+    fprintf(stderr, "%s: %s\n", name, msg);
+    exit(1);
+};
+
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
+    struct string key;
+    struct assstack_entry *rr, *rrdata;
+    
+    /* Do nothing if name or value have 0 length */
+    if (!name->bv_len || !val->bv_len)
+	return 0;
+
+    /* see if already have an entry for this name */
+    key.len = name->bv_len;
+    key.data = name->bv_val;
+
+    rr = assstack_find(*stack, &key);
+    if (!rr) {
+	/* Not found, create and push new entry */
+	rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+	if (!rr)
+	    return -1;
+	rr->key.len = name->bv_len;
+	rr->key.data = (void *) malloc(rr->key.len);
+	if (!rr->key.data) {
+	    free(rr);
+	    return -1;
+	}
+	memcpy(rr->key.data, name->bv_val, name->bv_len);
+	rr->val.len = sizeof(void *);
+	rr->val.data = NULL;
+	if (name->bv_len == 1 && *(char *)name->bv_val == '@')
+	    assstack_push(stack, rr);
+	else
+	    assstack_insertbottom(stack, rr);
+    }
+
+    rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+    if (!rrdata) {
+	free(rr->key.data);
+	free(rr);
+	return -1;
+    }
+    rrdata->key.len = strlen(type) + strlen(ttl) + 1;
+    rrdata->key.data = (void *) malloc(rrdata->key.len);
+    if (!rrdata->key.data) {
+	free(rrdata);
+	free(rr->key.data);
+	free(rr);
+	return -1;
+    }
+    sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
+	
+    rrdata->val.len = val->bv_len;
+    rrdata->val.data = (void *) malloc(val->bv_len);
+    if (!rrdata->val.data) {
+	free(rrdata->key.data);
+	free(rrdata);
+	free(rr->key.data);
+	free(rr);
+	return -1;
+    }
+    memcpy(rrdata->val.data, val->bv_val, val->bv_len);
+
+    if (!strcmp(type, "SOA"))
+	assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
+    else
+	assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
+    return 0;
+}
+
+int main(int argc, char **argv) {
+    char *s, *hostporturl, *base = NULL;
+    char *ttl, *defaultttl;
+    LDAP *ld;
+    char *fltr = NULL;
+    LDAPMessage *res, *e;
+    char *a, **ttlvals, **soavals, *serial;
+    struct berval **vals, **names;
+    char type[64];
+    BerElement *ptr;
+    int i, j, rc, msgid;
+    struct assstack_entry *zone = NULL;
+    
+    if (argc < 4 || argc > 5)
+        usage(argv[0]);
+
+    hostporturl = argv[2];
+
+    if (hostporturl != strstr( hostporturl, "ldap"))
+	err(argv[0], "Not an LDAP URL");
+
+    s = strchr(hostporturl, ':');
+
+    if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
+	err(argv[0], "Not an LDAP URL");
+
+    s = strchr(s+3, '/');
+    if (s) {
+	*s++ = '\0';
+	base = s;
+	s = strchr(base, '?');
+	if (s)
+	    err(argv[0], "LDAP URL can only contain host, port and base");
+    }
+
+    defaultttl = argv[3];
+    
+    rc = ldap_initialize(&ld, hostporturl);
+    if (rc != LDAP_SUCCESS)
+	err(argv[0], "ldap_initialize() failed");
+
+    if (argc == 5) {
+	/* serial number specified, check if different from one in SOA */
+	fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
+	sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
+	msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+	if (msgid == -1)
+	    err(argv[0], "ldap_search() failed");
+
+	while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+	    /* not supporting continuation references at present */
+	    if (rc != LDAP_RES_SEARCH_ENTRY)
+		err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+	    /* only one entry per result message */
+	    e = ldap_first_entry(ld, res);
+	    if (e == NULL) {
+		ldap_msgfree(res);
+		err(argv[0], "ldap_first_entry() failed");
+	    }
+	
+	    soavals = ldap_get_values(ld, e, "SOARecord");
+	    if (soavals)
+		break;
+	}
+
+	ldap_msgfree(res);
+	if (!soavals) {
+		err(argv[0], "No SOA Record found");
+	}
+	
+	/* We have a SOA, compare serial numbers */
+	/* Only checkinf first value, should be only one */
+	s = strchr(soavals[0], ' ');
+	s++;
+	s = strchr(s, ' ');
+	s++;
+	serial = s;
+	s = strchr(s, ' ');
+	*s = '\0';
+	if (!strcmp(serial, argv[4])) {
+	    ldap_value_free(soavals);
+	    err(argv[0], "serial numbers match");
+	}
+	ldap_value_free(soavals);
+    }
+
+    if (!fltr)
+	fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
+    if (!fltr)
+	err(argv[0], "Malloc failed");
+    sprintf(fltr, "(zoneName=%s)", argv[1]);
+
+    msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+    if (msgid == -1)
+	err(argv[0], "ldap_search() failed");
+
+    while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+	/* not supporting continuation references at present */
+	if (rc != LDAP_RES_SEARCH_ENTRY)
+	    err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+	/* only one entry per result message */
+	e = ldap_first_entry(ld, res);
+	if (e == NULL) {
+	    ldap_msgfree(res);
+	    err(argv[0], "ldap_first_entry() failed");
+	}
+	
+	names = ldap_get_values_len(ld, e, "relativeDomainName");
+	if (!names)
+	    continue;
+	
+	ttlvals = ldap_get_values(ld, e, "dNSTTL");
+	ttl = ttlvals ? ttlvals[0] : defaultttl;
+
+	for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
+	    char *s;
+
+	    for (s = a; *s; s++)
+		*s = toupper(*s);
+	    s = strstr(a, "RECORD");
+	    if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
+		ldap_memfree(a);
+		continue;
+	    }
+			
+	    strncpy(type, a, s - a);
+	    type[s - a] = '\0';
+	    vals = ldap_get_values_len(ld, e, a);
+	    if (vals) {
+		for (i = 0; vals[i]; i++)
+		    for (j = 0; names[j]; j++)
+			if (putrr(&zone, names[j], type, ttl, vals[i]))
+			    err(argv[0], "malloc failed");
+		ldap_value_free_len(vals);
+	    }
+	    ldap_memfree(a);
+	}
+
+	if (ptr)
+	    ber_free(ptr, 0);
+	if (ttlvals)
+	    ldap_value_free(ttlvals);
+	ldap_value_free_len(names);
+	/* free this result */
+	ldap_msgfree(res);
+    }
+
+    /* free final result */
+    ldap_msgfree(res);
+
+    print_zone(defaultttl, zone);
+    return 0;
+}

makefile-replace-libs.py

@@ -0,0 +1,143 @@
+#!/usr/bin/python3
+#
+# Makefile modificator
+#
+# Should help in building bin/tests/system tests standalone,
+# linked to libraries installed into the system.
+# TODO:
+# - Fix top_srcdir, because dyndb/driver/Makefile uses $TOPSRC/mkinstalldirs
+# - Fix conf.sh to contain paths to system tools
+# - Export $TOP/version somewhere, where it would be used
+# - system tests needs bin/tests code. Do not include just bin/tests/system
+#
+# Possible solution:
+#
+# sed -e 's/$TOP\/s\?bin\/\(delv\|confgen\|named\|nsupdate\|pkcs11\|python\|rndc\|check\|dig\|dnssec\|tools\)\/\([[:alnum:]-]\+\)/`type -p \2`/' conf.sh
+# sed -e 's,../../../../\(isc-config.sh\),\1,' builtin/tests.sh
+# or use: $NAMED -V | head -1 | cut -d ' ' -f 2
+
+import re
+import argparse
+
+"""
+Script for replacing Makefile ISC_INCLUDES with runtime flags.
+
+Should translate part of Makefile to use isc-config.sh instead static linked sources.
+ISC_INCLUDES = -I/home/pemensik/rhel/bind/bind-9.11.12/build/lib/isc/include \
+        -I${top_srcdir}/lib/isc \
+        -I${top_srcdir}/lib/isc/include \
+        -I${top_srcdir}/lib/isc/unix/include \
+        -I${top_srcdir}/lib/isc/pthreads/include \
+        -I${top_srcdir}/lib/isc/x86_32/include
+
+Should be translated to:
+ISC_INCLUDES = $(shell isc-config.sh --cflags isc)
+"""
+
+def isc_config(mode, lib):
+    if mode:
+        return '$(shell isc-config.sh {mode} {lib})'.format(mode=mode, lib=lib)
+    else:
+        return ''
+
+def check_match(match, debug=False):
+    """
+    Check this definition is handled by internal library
+    """
+    if not match:
+        return False
+    lib = match.group(2).lower()
+    ok = not lib_filter or lib in lib_filter
+    if debug:
+        print('{status} {lib}: {text}'.format(status=ok, lib=lib, text=match.group(1)))
+    return ok
+
+def fix_line(match, mode):
+    lib = match.group(2).lower()
+    return match.group(1)+isc_config(mode, lib)+"\n"
+
+def fix_file_lines(path, debug=False):
+    """
+    Opens file and scans fixes selected parameters
+
+    Returns list of lines if something should be changed,
+    None if no action is required
+    """
+    fixed = []
+    changed = False
+    with open(path, 'r') as fin:
+        fout = None
+
+        line = next(fin, None)
+        while line:
+            appended = False
+            while line.endswith("\\\n"):
+                line += next(fin, None)
+
+            inc = re_includes.match(line)
+            deplibs = re_deplibs.match(line)
+            libs = re_libs.match(line)
+            newline = None
+            if check_match(inc, debug=debug):
+                newline = fix_line(inc, '--cflags')
+            elif check_match(deplibs, debug=debug):
+                newline = fix_line(libs, None)
+            elif check_match(libs, debug=debug):
+                newline = fix_line(libs, '--libs')
+
+            if newline and line != newline:
+                changed = True
+                line = newline
+
+            fixed.append(line)
+            line = next(fin, None)
+
+    if not changed:
+        return None
+    else:
+        return fixed
+
+def write_lines(path, lines):
+    fout = open(path, 'w')
+    for line in lines:
+        fout.write(line)
+    fout.close()
+
+def print_lines(lines):
+    for line in lines:
+        print(line, end='')
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(description='Makefile multiline include replacer')
+    parser.add_argument('files', nargs='+')
+    parser.add_argument('--filter', type=str,
+            default='isc isccc isccfg dns lwres bind9 irs',
+            help='List of libraries supported by isc-config.sh')
+    parser.add_argument('--check', action='store_true',
+            help='Test file only')
+    parser.add_argument('--print', action='store_true',
+            help='Print changed file only')
+    parser.add_argument('--debug', action='store_true',
+            help='Enable debug outputs')
+
+    args = parser.parse_args()
+    lib_filter = None
+
+    re_includes = re.compile(r'^\s*((\w+)_INCLUDES\s+=\s*).*')
+    re_deplibs = re.compile(r'^\s*((\w+)DEPLIBS\s*=).*')
+    re_libs = re.compile(r'^\s*((\w+)LIBS\s*=).*')
+
+    if args.filter:
+        lib_filter = set(args.filter.split(' '))
+        pass
+
+    for path in args.files:
+        lines = fix_file_lines(path, debug=args.debug)
+        if lines:
+            if args.print:
+                print_lines(lines)
+            elif not args.check:
+                write_lines(path, lines)
+                print('File {path} was fixed'.format(path=path))
+        else:
+            print('File {path} does not need fixing'.format(path=path))

named-chroot-setup.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files

named-chroot.files

@@ -0,0 +1,25 @@
+# Configuration of files used in chroot
+# Following files are made available after named-chroot.service start
+# if they are missing or empty in target directory.
+/etc/localtime
+/etc/named.root.key
+/etc/named.conf
+/etc/named.rfc1912.zones
+/etc/rndc.conf
+/etc/rndc.key
+/etc/named.iscdlv.key
+/etc/crypto-policies/back-ends/bind.config
+/etc/protocols
+/etc/services
+/etc/named.dnssec.keys
+/etc/pki/dnssec-keys
+/etc/named
+/usr/lib64/bind
+/usr/lib/bind
+/usr/share/GeoIP
+/run/named
+/proc/sys/net/ipv4/ip_local_port_range
+# Warning: the order is important
+# If a directory containing $ROOTDIR is listed here,
+# it MUST be listed last. (/var/named contains /var/named/chroot)
+/var/named

named-chroot.service

@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=named-chroot-setup.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target

named-pkcs11.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

named-setup-rndc.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Generate rndc key for BIND (DNS)
+
+[Service]
+Type=oneshot
+
+ExecStart=/usr/libexec/generate-rndc-key.sh

named.conf

@@ -0,0 +1,59 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+	listen-on port 53 { 127.0.0.1; };
+	listen-on-v6 port 53 { ::1; };
+	directory 	"/var/named";
+	dump-file 	"/var/named/data/cache_dump.db";
+	statistics-file "/var/named/data/named_stats.txt";
+	memstatistics-file "/var/named/data/named_mem_stats.txt";
+	secroots-file	"/var/named/data/named.secroots";
+	recursing-file	"/var/named/data/named.recursing";
+	allow-query     { localhost; };
+
+	/* 
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	*/
+	recursion yes;
+
+	dnssec-validation yes;
+
+	managed-keys-directory "/var/named/dynamic";
+	geoip-directory "/usr/share/GeoIP";
+
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+	include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+zone "." IN {
+	type hint;
+	file "named.ca";
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
+

named.conf.sample

@@ -0,0 +1,243 @@
+/*
+ Sample named.conf BIND DNS server 'named' configuration file
+ for the Red Hat BIND distribution.
+
+ See the BIND Administrator's Reference Manual (ARM) for details, in:
+   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
+ Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
+ its manual.
+*/
+
+options
+{
+	// Put files that named is allowed to write in the data/ directory:
+	directory 		"/var/named";		// "Working" directory
+	dump-file 		"data/cache_dump.db";
+        statistics-file 	"data/named_stats.txt";
+        memstatistics-file 	"data/named_mem_stats.txt";
+	secroots-file		"data/named.secroots";
+	recursing-file		"data/named.recursing";
+
+
+	/*
+	  Specify listenning interfaces. You can use list of addresses (';' is
+	  delimiter) or keywords "any"/"none"
+	*/
+	//listen-on port 53	{ any; };
+	listen-on port 53	{ 127.0.0.1; };
+
+	//listen-on-v6 port 53	{ any; };
+	listen-on-v6 port 53	{ ::1; };
+
+	/*
+	  Access restrictions
+
+	  There are two important options:
+	    allow-query { argument; };
+	      - allow queries for authoritative data
+
+	    allow-query-cache { argument; };
+	      - allow queries for non-authoritative data (mostly cached data)
+
+	  You can use address, network address or keywords "any"/"localhost"/"none" as argument
+	  Examples:
+	    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
+	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
+	*/
+
+	allow-query		{ localhost; };
+	allow-query-cache	{ localhost; };
+
+	/* Enable/disable recursion - recursion yes/no;
+
+	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
+	   recursion. 
+	 - If your recursive DNS server has a public IP address, you MUST enable access 
+	   control to limit queries to your legitimate users. Failing to do so will
+	   cause your server to become part of large scale DNS amplification 
+	   attacks. Implementing BCP38 within your network would greatly
+	   reduce such attack surface 
+	 */
+	recursion yes;
+
+	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
+
+	/* Enable DNSSEC validation on recursive servers */
+	dnssec-validation yes;
+
+	/* In Fedora we use /run/named instead of default /var/run/named
+	   so we have to configure paths properly. */
+	pid-file "/run/named/named.pid";
+	session-keyfile "/run/named/session.key";
+
+	managed-keys-directory "/var/named/dynamic";
+
+    /* In Fedora we use system-wide Crypto Policy */
+    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+    include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging 
+{
+/*      If you want to enable debugging, eg. using the 'rndc trace' command,
+ *      named will try to write the 'named.run' file in the $directory (/var/named).
+ *      By default, SELinux policy does not allow named to modify the /var/named directory,
+ *      so put the default debug log file in data/ :
+ */
+        channel default_debug {
+                file "data/named.run";
+                severity dynamic;
+        };
+};
+
+/*
+ Views let a name server answer a DNS query differently depending on who is asking.
+
+ By default, if named.conf contains no "view" clauses, all zones are in the 
+ "default" view, which matches all clients.
+
+ Views are processed sequentially. The first match is used so the last view should
+ match "any" - it's fallback and the most restricted view.
+
+ If named.conf contains any "view" clause, then all zones MUST be in a view.
+*/
+
+view "localhost_resolver"
+{
+/* This view sets up named to be a localhost resolver ( caching only nameserver ).
+ * If all you want is a caching-only nameserver, then you need only define this view:
+ */
+	match-clients 		{ localhost; };
+	recursion yes;
+
+	# all views must contain the root hints zone:
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+        /* these are zones that contain definitions for all the localhost
+         * names and addresses, as recommended in RFC1912 - these names should
+	 * not leak to the other nameservers:
+	 */
+	include "/etc/named.rfc1912.zones";
+};
+view "internal"
+{
+/* This view will contain zones you want to serve only to "internal" clients
+   that connect via your directly attached LAN interfaces - "localnets" .
+ */
+	match-clients		{ localnets; };
+	recursion yes;
+
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+        /* these are zones that contain definitions for all the localhost
+         * names and addresses, as recommended in RFC1912 - these names should
+	 * not leak to the other nameservers:
+	 */
+	include "/etc/named.rfc1912.zones";
+
+	// These are your "authoritative" internal zones, and would probably
+	// also be included in the "localhost_resolver" view above :
+
+	/*
+	  NOTE for dynamic DNS zones and secondary zones:
+
+	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!
+
+	  If you are using views and DDNS/secondary zones it is strongly
+	  recommended to read FAQ on ISC site (www.isc.org), section
+	  "Configuration and Setup Questions", questions
+	  "How do I share a dynamic zone between multiple views?" and
+	  "How can I make a server a slave for both an internal and an external
+	   view at the same time?"
+	*/
+
+	zone "my.internal.zone" { 
+		type master;
+		file "my.internal.zone.db";
+	};
+	zone "my.slave.internal.zone" {
+		type slave;
+		file "slaves/my.slave.internal.zone.db";
+		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
+		// put slave zones in the slaves/ directory so named can update them
+	};	
+	zone "my.ddns.internal.zone" {
+		type master;
+		allow-update { key ddns_key; };
+		file "dynamic/my.ddns.internal.zone.db";
+		// put dynamically updateable zones in the slaves/ directory so named can update them
+	};
+};
+
+key ddns_key
+{
+	algorithm hmac-sha256;
+	secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
+};
+
+view "external"
+{
+/* This view will contain zones you want to serve only to "external" clients
+ * that have addresses that are not match any above view:
+ */
+	match-clients		{ any; };
+
+	zone "." IN {
+	        type hint;
+	        file "/var/named/named.ca";
+	};
+
+	recursion no;
+	// you'd probably want to deny recursion to external clients, so you don't
+        // end up providing free DNS service to all takers
+
+	// These are your "authoritative" external zones, and would probably
+        // contain entries for just your web and mail servers:
+
+	zone "my.external.zone" { 
+		type master;
+		file "my.external.zone.db";
+	};
+};
+
+/* Trusted keys
+
+  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
+  should configure at least one trusted key.
+
+  Note that no key written below is valid. Especially root key because root zone
+  is not signed yet.
+*/
+/*
+trust-anchors {
+// Root Key
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		      +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		      ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		      0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		      oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		      RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		      R1AkUTV74bU=";
+
+// Key for forward zone
+example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
+				LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
+				LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
+				UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
+				yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
+				Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
+				Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
+				xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
+
+
+// Key for reverse zone.
+2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
+};
+*/

named.empty

@@ -0,0 +1,10 @@
+$TTL 3H
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

named.localhost

@@ -0,0 +1,10 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1

named.logrotate

@@ -0,0 +1,12 @@
+/var/named/data/named.run {
+    missingok
+    su named named
+    create 0644 named named
+    postrotate
+        /usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
+        /usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
+    endscript
+}

named.loopback

@@ -0,0 +1,11 @@
+$TTL 1D
+@	IN SOA	@ rname.invalid. (
+					0	; serial
+					1D	; refresh
+					1H	; retry
+					1W	; expire
+					3H )	; minimum
+	NS	@
+	A	127.0.0.1
+	AAAA	::1
+	PTR	localhost.

named.rfc1912.zones

@@ -0,0 +1,45 @@
+// named.rfc1912.zones:
+//
+// Provided by Red Hat caching-nameserver package 
+//
+// ISC BIND named zone configuration for zones recommended by
+// RFC 1912 section 4.1 : localhost TLDs and address zones
+// and https://tools.ietf.org/html/rfc6303
+// (c)2007 R W Franks
+// 
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+// Note: empty-zones-enable yes; option is default.
+// If private ranges should be forwarded, add 
+// disable-empty-zone "."; into options
+// 
+
+zone "localhost.localdomain" IN {
+	type master;
+	file "named.localhost";
+	allow-update { none; };
+};
+
+zone "localhost" IN {
+	type master;
+	file "named.localhost";
+	allow-update { none; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+	type master;
+	file "named.loopback";
+	allow-update { none; };
+};
+
+zone "1.0.0.127.in-addr.arpa" IN {
+	type master;
+	file "named.loopback";
+	allow-update { none; };
+};
+
+zone "0.in-addr.arpa" IN {
+	type master;
+	file "named.empty";
+	allow-update { none; };
+};

named.root

@@ -0,0 +1,92 @@
+;       This file holds the information on root name servers needed to 
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers). 
+; 
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache 
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+; 
+;       last update:     June 24, 2021 
+;       related version of root zone:     2021062401
+; 
+; FORMERLY NS.INTERNIC.NET 
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+; 
+; FORMERLY NS1.ISI.EDU 
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
+; 
+; FORMERLY C.PSI.NET 
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+; 
+; FORMERLY TERP.UMD.EDU 
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+; 
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
+; 
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+; 
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
+; 
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+; 
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+; 
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+; 
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+; 
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+; 
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file

named.root.key

@@ -0,0 +1,13 @@
+trust-anchors {
+        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+        # for current trust anchor information.
+        #
+        # This key (20326) was published in the root zone in 2017.
+        # Servers which were already using the old key (19036) should
+        # roll seamlessly to this new one via RFC 5011 rollover. Servers
+        # being set up for the first time can use the contents of this
+        # file as initializing keys; thereafter, the keys in the
+        # managed key database will be trusted and maintained
+        # automatically.
+        . initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};

named.rwtab

@@ -0,0 +1,6 @@
+dirs    /var/named
+
+files	/var/named/named.ca
+files	/var/named/named.empty
+files	/var/named/named.localhost
+files	/var/named/named.loopback

named.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=named-setup-rndc.service
+After=network.target
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
+ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target

named.sysconfig

@@ -0,0 +1,17 @@
+# BIND named process options
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# OPTIONS="whatever"     --  These additional options will be passed to named
+#                            at startup. Don't add -t here, enable proper
+#                            -chroot.service unit file.
+#
+# NAMEDCONF=/etc/named/alternate.conf
+#                        --  Don't use -c to change configuration file.
+#                            Extend systemd named.service instead or use this
+#                            variable.
+#
+# DISABLE_ZONE_CHECKING  --  By default, service file calls named-checkzone
+#                            utility for every zone to ensure all zones are
+#                            valid before named starts. If you set this option
+#                            to 'yes' then service file doesn't perform those
+#                            checks.

setup-named-chroot.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+ROOTDIR="$1"
+CONFIG_FILES="${3:-/etc/named-chroot.files}"
+
+usage()
+{
+  echo
+  echo 'This script setups chroot environment for BIND'
+  echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
+}
+
+if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
+  echo 'Wrong number of arguments'
+  usage
+  exit 1
+fi
+
+# Exit if ROOTDIR doesn't exist
+if ! [ -d "$ROOTDIR" ]; then
+  echo "Root directory $ROOTDIR doesn't exist"
+  usage
+  exit 1
+fi
+
+if ! [ -r "$CONFIG_FILES" ]; then
+  echo "Files list $CONFIG_FILES doesn't exist" 2>&1
+  usage
+  exit 1
+fi
+
+dev_create()
+{
+  DEVNAME="$ROOTDIR/dev/$1"
+  shift
+  if ! [ -e "$DEVNAME" ]; then
+    /bin/mknod -m 0664 "$DEVNAME" $@
+    /bin/chgrp named "$DEVNAME"
+    if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
+      /usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
+    fi
+  fi
+}
+
+dev_chroot_prep()
+{
+  dev_create random  c 1 8
+  dev_create urandom c 1 9
+  dev_create zero    c 1 5
+  dev_create null    c 1 3
+}
+
+files_comment_filter()
+{
+  if [ -d "$1" ]; then
+    grep -v '^[[:space:]]*#' "$1"/*.files
+  else
+    grep -v '^[[:space:]]*#' "$1"
+  fi
+}
+
+mount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    # Check devices are prepared
+    dev_chroot_prep
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
+      # Skip nonexistant files
+      [ -e "$all" ] || continue
+
+      # If mount source is a file
+      if ! [ -d "$all" ]; then
+        # mount it only if it is not present in chroot or it is empty
+        if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+          touch "$ROOTDIR$all"
+          mount --bind "$all" "$ROOTDIR$all"
+        fi
+      else
+        # Mount source is a directory. Mount it only if directory in chroot is
+        # empty.
+        if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+          mount --bind --make-private "$all" "$ROOTDIR$all"
+        fi
+      fi
+    done
+  fi
+}
+
+umount_chroot_conf()
+{
+  if [ -n "$ROOTDIR" ]; then
+    files_comment_filter "$CONFIG_FILES" | while read -r all; do
+      # Check if file is mount target. Do not use /proc/mounts because detecting
+      # of modified mounted files can fail.
+      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+        umount "$ROOTDIR$all"
+        # Remove temporary created files
+        [ -f "$all" ] && rm -f "$ROOTDIR$all"
+      fi
+    done
+  fi
+}
+
+case "$2" in
+  on)
+    mount_chroot_conf
+    ;;
+  off)
+    umount_chroot_conf
+    ;;
+  *)
+    echo 'Second argument has to be "on" or "off"'
+    usage
+    exit 1
+esac
+
+exit 0

setup-named-softhsm.sh

@@ -0,0 +1,124 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Quotes around eval are mandatory!
+# Recommended use:
+# eval "$(bash setup-named-softhsm.sh -A)"
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+	echo "#" $@
+}
+
+random()
+{
+	if [ -x "$(which openssl 2>/dev/null)" ]; then
+		openssl rand -base64 $1
+	else
+		dd if=/dev/urandom bs=1c count=$1 | base64
+	fi
+}
+
+usage()
+{
+	echo "Usage: $0 -A [token directory] [group]"
+	echo "   or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+	usage >&2
+	exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+	# Automagic mode instead
+	MODE=secure
+	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+	PIN_SOURCE="$TOKENPATH/pin"
+	SOPIN_SOURCE="$TOKENPATH/so-pin"
+	TOKENPATH="$TOKENPATH/tokens"
+else
+	MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat  << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+	echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+	touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+	if [ -n "$GROUPNAME" ]; then
+		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+	fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+	echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+	PIN=$(random 6)
+	SO_PIN=$(random 18)
+	if [ -n "$PIN_SOURCE" ]; then
+		echo -n "$PIN" > "$PIN_SOURCE"
+		echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+	fi
+
+	echo_i "Initializing tokens to ${TOKENPATH}..."
+	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+	if [ -n "$GROUPNAME" ]; then
+		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+		chmod -R -- g=rX,o= "$TOKENPATH"
+	fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""

softhsm2.conf.in

@@ -0,0 +1,10 @@
+# SoftHSM v2 configuration file
+
+directories.tokendir = @TOKENPATH@
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false

sources

@@ -0,0 +1,3 @@
+SHA512 (bind-9.17.20.tar.xz) = ae0428b40a3f7a7c3db093da97b05d7901c4e48b2a9a9fac61d02b8e4d192f668ef05baf0f7d07402d88d3ed510f951637d7717a9da3c167b933166267adf070
+SHA512 (bind-9.17.20.tar.xz.asc) = 16a3689da98601ca28d5acf5a33f9ffdd2ac03c797ceca593f4c1fe19ec07582a9d5305b0a9df84122e7dc085950e686f55c617af7f9f5692666d2944016cfcc
+SHA512 (isc-logo.pdf) = 08124d14c4884aa6c078ef6b98ec37146319b51ca2dff44b6e38d1742d06778ce053299c15ad28e32dff36847242b2bb586848a1bb7cc5c05d9b2fdf2fd4a0bc

tests/Master-server-chrooted/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/tests/Sanity/Master-server-chrooted
+#   Description: Run basic empty named service and try to resolve localhost on it
+#   Author: Petr Mensik <pemensik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2018 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/tests/Sanity/Master-server-chrooted
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Petr Mensik <pemensik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Run basic empty named-chroot service and try to resolve localhost on it" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          bind" >> $(METADATA)
+	@echo "Requires:        bind bind-utils bind-chroot bind-sdb-chroot" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/Master-server-chrooted/PURPOSE

@@ -0,0 +1,6 @@
+PURPOSE of /CoreOS/tests/Sanity/Master-server-chrooted
+Description: Run basic empty named-chroot service and try to resolve localhost on it
+Author: Petr Mensik <pemensik@redhat.com>
+
+Check also clean package both when running and finished.
+https://bugzilla.redhat.com/show_bug.cgi?id=1592873

tests/Master-server-chrooted/runtest.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/tests/Sanity/Master-server-chrooted
+#   Description: Run basic empty named-chroot service and try to resolve localhost on it
+#   Author: Petr Mensik <pemensik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2018 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="bind"
+
+test_service()
+{
+    local SERVICE="$1"
+    local PACKAGE="$2"
+	rlRun "rlServiceStart $SERVICE"
+	rlRun "dig @localhost localhost | grep '^localhost'"
+	rlRun "dig @localhost -x 127.0.0.1 | grep 'PTR[[:space:]]\+localhost.$'" 0 "Reverse address works"
+	rlRun "rpm -V $PACKAGE" 0 "Checking $SERVICE package when running"
+	rlRun "rlServiceRestore $SERVICE"
+	rlRun "rpm -V $PACKAGE" 0 "Checking $SERVICE package when stopped"
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm bind
+	rlAssertRpm bind-utils
+	rlAssertRpm bind-chroot
+    rlPhaseEnd
+
+    rlPhaseStartTest "Testing named"
+	test_service named bind
+    rlPhaseEnd
+
+    rlPhaseStartTest "Testing named-chroot"
+	test_service named-chroot bind-chroot
+    rlPhaseEnd
+
+    rlPhaseStartTest "Testing named-sdb-chroot"
+	    if rpm -q bind-sdb-chroot; then
+		test_service named-sdb-chroot bind-sdb-chroot
+	    else
+		rlLog "bind-sdb-chroot not installed, skipping it"
+	    fi
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+	# noop
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/Master-server-not-chrooted/Makefile

@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/bind/Sanity/Master-server-not-chrooted
+#   Description: Set up master nameserver, test it.
+#   Author: Martin Cermak <mcermak@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/bind/Sanity/Master-server-not-chrooted
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE named.conf zonefile 
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Martin Cermak <mcermak@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Set up master nameserver in chrooted env, test it." >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          bind" >> $(METADATA)
+	@echo "Requires:        bind bind-chroot redhat-lsb" >> $(METADATA)
+	@echo "Requires:        bind-utils" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "RhtsRequires: library(bind/bind-setup)" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/Master-server-not-chrooted/PURPOSE

@@ -0,0 +1,6 @@
+PURPOSE of /CoreOS/bind/Sanity/Master-server-not-chrooted
+Description: Set up master nameserver in chrooted env, test it.
+             This is a very basic sanity test for bind9.
+             The main purpose for me was to learn how
+             bind works :-)
+Author: Martin Cermak <mcermak@redhat.com>

tests/Master-server-not-chrooted/named.conf

@@ -0,0 +1,11 @@
+options {
+        directory       "/var/named";
+        allow-query     { any; };
+};
+
+zone "<DOMAIN>" IN {
+  type master;
+  file "<DOMAIN>.zone";
+  allow-update { none; };
+};
+

tests/Master-server-not-chrooted/runtest.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/bind/Sanity/Master-server-not-chrooted
+#   Description: Set up master nameserver, test it.
+#   Author: Martin Cermak <mcermak@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+#set -x
+. /usr/bin/rhts-environment.sh
+. /usr/lib/beakerlib/beakerlib.sh
+
+# Some heplful functions
+randomString () {
+    TEMPSTR=`date +%c%N | md5sum | awk '{print $1}'`
+    echo ${TEMPSTR:0:8}
+    unset TEMPSTR
+}
+
+randomIp () {
+    echo "192.168.1.`echo $[ $RANDOM / 256 + 1 ]`"
+}
+
+randomSerial () {
+    date +%N
+}
+
+# Variable declarations
+CONF="/etc/named.conf"
+IP1=`randomIp`
+IP2=`randomIp`
+IP3=`randomIp`
+IP4=`randomIp`
+IP5=`randomIp`
+SERIAL=`randomSerial`
+ORIGPWD=`pwd`
+
+# The test
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+
+        rlRun "rlImport bind/bind-setup"
+
+        bsBindSetupStart "$ORIGPWD/named.conf" "off"
+
+        rlRun "TDOMAIN=`randomString`.cz"
+        rlRun "TZONEFILE=$ROOTDIR/var/named/$TDOMAIN.zone"
+
+        # set up /etc/named.conf
+        rlRun "sed -i \"s/<DOMAIN>/$TDOMAIN/g\" $CONF"
+
+        # set up zonefile
+        rlRun "cp $ORIGPWD/zonefile $TZONEFILE"
+        rlRun "chmod a+r $TZONEFILE"
+        rlRun "sed -i \"s/<DOMAIN>/$TDOMAIN/g\" $TZONEFILE"
+        rlRun "sed -i \"s/<IP1>/$IP1/g\" $TZONEFILE"
+        rlRun "sed -i \"s/<IP2>/$IP2/g\" $TZONEFILE"
+        rlRun "sed -i \"s/<IP3>/$IP3/g\" $TZONEFILE"
+        rlRun "sed -i \"s/<IP4>/$IP4/g\" $TZONEFILE"
+        rlRun "sed -i \"s/<IP5>/$IP5/g\" $TZONEFILE"
+        rlRun "sed -i \"s/<SERIAL>/$SERIAL/g\" $TZONEFILE"
+
+        bsBindSetupDone
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        # perform tests
+        rlRun "dig @localhost $TDOMAIN | grep \"^$TDOMAIN\" | head -n 1 | grep \"$IP1\""
+        rlRun "dig @localhost server1.$TDOMAIN | grep \"^server1.$TDOMAIN\" | grep \"$IP2\""
+        rlRun "dig @localhost server2.$TDOMAIN | grep \"^server2.$TDOMAIN\" | grep \"$IP3\""
+        rlRun "dig @localhost dns1.$TDOMAIN | grep \"^dns1.$TDOMAIN\" | grep \"$IP4\""
+        rlRun "dig @localhost dns2.$TDOMAIN | grep \"^dns2.$TDOMAIN\" | grep \"$IP5\""
+        rlRun "dig @localhost ftp.$TDOMAIN | grep \"^ftp.$TDOMAIN\" | grep \"server1.$TDOMAIN\""
+        rlRun "dig @localhost mail.$TDOMAIN | grep \"^mail.$TDOMAIN\" | grep \"server1.$TDOMAIN\""
+        rlRun "dig @localhost mail2.$TDOMAIN | grep \"^mail2.$TDOMAIN\" | grep \"server2.$TDOMAIN\""
+        rlRun "dig @localhost www.$TDOMAIN | grep \"^www.$TDOMAIN\" | grep \"server2.$TDOMAIN\""
+
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        bsBindSetupCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+        rlRun "rm -rf $TZONEFILE"
+    rlPhaseEnd
+rlJournalEnd

tests/Master-server-not-chrooted/zonefile

@@ -0,0 +1,27 @@
+$ORIGIN <DOMAIN>.
+$TTL 86400
+@     IN     SOA    dns1.<DOMAIN>.  hostmaster.<DOMAIN>. (
+                    <SERIAL>  ; serial
+                    21600      ; refresh after 6 hours
+                    3600       ; retry after 1 hour
+                    604800     ; expire after 1 week
+                    86400 )    ; minimum TTL of 1 day
+
+      IN     NS     dns1.<DOMAIN>.
+      IN     NS     dns2.<DOMAIN>.
+
+      IN     MX     10     mail.<DOMAIN>.
+      IN     MX     20     mail2.<DOMAIN>.
+
+             IN     A       <IP1>
+
+server1      IN     A       <IP2>
+server2      IN     A       <IP3>
+dns1         IN     A       <IP4>
+dns2         IN     A       <IP5>
+
+ftp          IN     CNAME   server1
+mail         IN     CNAME   server1
+mail2        IN     CNAME   server2
+www          IN     CNAME   server2
+

tests/Run-internal-BIND-test-suite/Makefile

@@ -0,0 +1,77 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of tests/Run-internal-BIND-test-suite
+#   Description: Run internal BIND test suite
+#   Author: Martin Cermak <mcermak@redhat.com>
+#   Author: Petr Mensik <pemensik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=tests/Run-internal-BIND-test-suite
+export TESTVERSION=1.3
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE knownerror* setup-named-softhsm.sh bind-systest-filter.sh
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Martin Cermak <mcermak@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Run internal BIND test suite" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        8h" >> $(METADATA)
+	@echo "RunFor:          bind" >> $(METADATA)
+	@echo "Requires:        bind rpm-build bind-utils" >> $(METADATA)
+	@echo "Requires:        perl-Net-DNS perl-Net-DNS-Nameserver" >> $(METADATA)
+	@echo "Requires:        perl-Time-HiRes" >> $(METADATA)
+	@echo "Requires:        bind-pkcs11 bind-pkcs11-utils softhsm" >> $(METADATA)
+	@echo "Requires:        openssl-devel libtool autoconf" >> $(METADATA)
+# Try to satisfy all build dependencies from here
+	@echo "Requires:        bind-devel" >> $(METADATA)
+	@echo "Requires:        net-tools" >> $(METADATA)
+	@echo "Requires:        dnf-utils" >> $(METADATA)
+	@echo "Requires:        kyua" >> $(METADATA)
+	@echo "Requires:        libcmocka-devel" >> $(METADATA)
+# Obsolete, uses cmocka
+#	@echo "Requires:        libatf-c gcc-c++" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Bug:             642970" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/Run-internal-BIND-test-suite/PURPOSE

@@ -0,0 +1,6 @@
+PURPOSE of tests/Run-internal-BIND-test-suite
+Description: Run internal BIND test suite
+Author: Martin Cermak <mcermak@redhat.com>
+Bug summary: Run internal BIND test suite
+Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=642970
+

tests/Run-internal-BIND-test-suite/bind-systest-filter.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# This script will filter out output from BINDs tests
+# It supports form from BIND 9.9 and BIND 9.11
+# Its purpose is to display only failed tests from list of all tests
+
+CURRENT_TEST=
+CURRENT_OUTPUT=
+STATUS_ONLY=
+
+for P; do
+	case "$P" in
+		-s|--status)	STATUS_ONLY=yes; shift ;;
+	esac
+done
+
+cat $@ | while read LINE; do
+	if [ "${LINE#S:}" != "$LINE" ]; then
+		CURRENT_TEST=`echo $LINE | cut -d: -f2`
+		CURRENT_OUTPUT="$LINE"$'\n'
+	elif [ "${LINE#R:}" != "$LINE" ]; then
+		# echo "$CURRENT_TEST $LINE"
+		if [ "${LINE/#R:*:*}" != "$LINE" ]; then
+			# more recent results contain test name
+			# R:dlz:FAIL
+			CURRENT_TEST="${LINE#R:}"
+			CURRENT_TEST="${CURRENT_TEST/%:*}"
+			RESULT="${LINE/#*:}"
+		else
+			# S:dlz:time
+			# R:FAIL
+			RESULT="${LINE/#R*:/}"
+		fi
+		if [ "$RESULT" != "PASS" ]; then
+			if [ -n "$STATUS_ONLY" ]; then
+				echo "$RESULT $CURRENT_TEST"
+			else
+				CURRENT_OUTPUT+="$LINE"
+				echo "$CURRENT_OUTPUT"
+				echo
+			fi
+		fi
+		CURRENT_OUTPUT=
+	else
+		CURRENT_OUTPUT+="$LINE"$'\n'
+	fi
+done

tests/Run-internal-BIND-test-suite/knownerror

@@ -0,0 +1,2 @@
+A:System test dlz
+A:System test idna

tests/Run-internal-BIND-test-suite/runtest.sh

@@ -0,0 +1,185 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of tests/Run-internal-BIND-test-suite
+#   Description: Run internal BIND test suite
+#   Author: Martin Cermak <mcermak@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/lib/beakerlib/beakerlib.sh
+
+PACKAGE="bind"
+
+# Set those variables to n to skip tests on variants
+#DEFAULT_VARIANTS="normal pkcs11 sdb"
+DEFAULT_VARIANTS="normal"
+#TEST_VARIANTS="normal"
+
+#
+# Runs test suite and checks known errors
+# Prepared to be repeated with another variants
+run_testsuite()
+{
+	local RESULT_TEXT="$TMPDIR/test${NAMED_VARIANT}.txt"
+	local FOUNDERROR=`mktemp found-XXXXXXXX.err`
+	local KNOWNERROR=/dev/null
+
+	if [ -f "$ORIG/knownerror${NAMED_VARIANT}.$TAG" ]; then
+		KNOWNERROR=`readlink -f $ORIG/knownerror.$TAG`
+	elif [ -f "$ORIG/knownerror${NAMED_VARIANT}" ]; then
+		KNOWNERROR=`readlink -f $ORIG/knownerror`
+	fi
+
+	# Sometime it can fail. Report just failures that are not known
+        rlRun "make test -j${CORES:-1} &> $RESULT_TEXT" 0-255 "Perform the test."
+        rlRun "grep -C 10 FAIL $RESULT_TEXT" 0-255 "Quickly show the test error (if any)."
+
+	rlRun "$FILTER $RESULT_TEXT" 0 "Showing unsuccessful tests"
+	rlRun "$FILTER -s $RESULT_TEXT > $FOUNDERROR" 0
+	rlRun "ls $KNOWNERROR $FOUNDERROR $RESULT_TEXT" 0 'check if there is needed files'
+	rlLog "`cat $FOUNDERROR`"
+
+	rlAssertLesserOrEqual "Checking number of found errors is in limits" "$(grep '^FAIL' $FOUNDERROR | wc -l)" "$(wc -l <$KNOWNERROR)"
+        cat $FOUNDERROR | while read STATUS TEST ; do
+		if [ "$STATUS" = FAIL ]; then
+			rlRun "grep '$TEST' $KNOWNERROR" 0 "Check $TEST failure is expected"
+		else
+			rlLog "$STATUS $TEST"
+		fi
+        done
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        # package assertions
+        rlAssertRpm $PACKAGE 
+        rlAssertRpm rpm-build
+        rlAssertRpm perl-Net-DNS-Nameserver
+
+	#pwd
+	ORIG=`pwd`
+	SETUP_SOFTHSM=`readlink -f setup-named-softhsm.sh`
+	FILTER=`readlink -f bind-systest-filter.sh`
+	CORES=`grep 'processor\s*:' /proc/cpuinfo | wc -l`
+
+	TAG=generic
+	if [ -f /etc/os-release ]; then
+		# extract platform tag
+		TAG=`(source /etc/os-release && echo ${PLATFORM_ID#platform:})`
+	fi
+
+        #tempdir
+        rlRun "TMPDIR=\`mktemp -d\`" 0 "Creating tmp directory"
+        rlRun "pushd $TMPDIR"
+
+        # topdir
+	TOPDIR=`rpm -E '%{_topdir}'`
+
+        # cleanup in topdir
+        mkdir -p $TOPDIR/{BUILD,SOURCES,SPECS}
+        rm -rf $TOPDIR/{BUILD,SOURCES,SPECS}/*
+
+        # download src rpm
+	if ! ls bind*.src.rpm; then
+		rlRun "dnf --enablerepo='*-source' download --source bind" 0 "Fetch source from repository"
+		rlRun "rpm -i bind*.src.rpm"
+	fi
+	
+        rlRun "rpm --define '_topdir $TOPDIR' -Uvh *rpm &> $TMPDIR/install.txt"
+        rlRun "cd $TOPDIR/SPECS" 
+
+	rlRun "dnf -y builddep *.spec"
+
+        # stop bind if it is running
+        rlServiceStop named
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        # rebuild from source
+        rlRun "rpmbuild -ba *.spec &> $TMPDIR/build.txt"
+
+        # the test
+        rlRun "cd $TOPDIR/BUILD/bind*"
+
+        rlLogInfo "Test takes place in `pwd`"
+
+        rlRun "chown -R root ."
+
+	if [ -x "$SETUP_SOFTHSM" ]; then
+		rlRun "eval \"$(bash $SETUP_SOFTHSM -A)\"" 0 "Preparing PKCS#11 token slot"
+		rlRun "pkcs11-tokens" 0 "Testing token slot availability"
+	else
+		rlLog "PKCS#11 not initialized"
+	fi
+
+	if [ -d build ]; then
+		BUILD=build
+	else
+		BUILD=.
+	fi
+
+        rlRun "./bin/tests/system/ifconfig.sh up" 0 "Setup fake network interfaces."
+
+	# required by idna test 
+	export LC_ALL=en_US.UTF-8
+
+        rlRun "pushd $BUILD"
+
+	if echo "${TEST_VARIANTS:-$DEFAULT_VARIANTS}" | grep -q normal; then
+		rlLog "Running normal variant"
+		export NAMED_VARIANT= DNSSEC_VARIANT=
+		run_testsuite
+		rlLog "Finished normal variant"
+	fi
+
+	if echo "${TEST_VARIANTS:-$DEFAULT_VARIANTS}" | grep -q sdb; then
+		rlLog "Running sdb variant"
+		export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
+		run_testsuite
+		rlLog "Finished sdb variant"
+	fi
+
+	if echo "${TEST_VARIANTS:-$DEFAULT_VARIANTS}" | grep -q pkcs11; then
+		rlLog "Running pkcs11 variant"
+		# Unfortunately, PKCS11 variant uses shared key storage
+		# It cannot use more threads for that reason
+		export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
+		CORES=1 run_testsuite
+		rlLog "Finished pkcs11 variant"
+	fi
+
+        rlRun "popd"
+
+        rlRun "./bin/tests/system/ifconfig.sh down" 0 "Remove fake network interfaces."
+
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlBundleLogs "BUILD_LOGS" "$TMPDIR/install.txt" "$TMPDIR/builddeps.txt" "$TMPDIR/build.txt"
+        rlBundleLogs "TEST_LOGS" "$TMPDIR"/test*.txt
+        rlRun "popd"
+        rlRun "rm -r $TMPDIR" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalEnd

tests/Run-internal-BIND-test-suite/setup-named-softhsm.sh

@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Recommended use:
+# eval $(bash setup-named-softhsm.sh -A)
+#
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+SO_PIN=1234
+LABEL=rpm
+
+set -e
+
+echo_i()
+{
+	echo "#" $@
+}
+
+random()
+{
+	if [ -x "$(which openssl 2>/dev/null)" ]; then
+		openssl rand -base64 $1
+	else
+		dd if=/dev/urandom bs=1c count=$1 | base64
+	fi
+}
+
+usage()
+{
+	echo "Usage: $0 -A [token directory] [group]"
+	echo "   or: $0 <config file> <token directory> [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+	usage >&2
+	exit 1
+fi
+
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+	# Automagic mode instead
+	MODE=secure
+	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+	PIN_SOURCE="$TOKENPATH/pin"
+	SOPIN_SOURCE="$TOKENPATH/so-pin"
+	TOKENPATH="$TOKENPATH/tokens"
+else
+	MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat  << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+	echo_i "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+if [ -n "$PIN_SOURCE" ]; then
+	touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+	if [ -n "$GROUPNAME" ]; then
+		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+	fi
+fi
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+	echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
+else
+	PIN=$(random 6)
+	SO_PIN=$(random 18)
+	if [ -n "$PIN_SOURCE" ]; then
+		echo -n "$PIN" > "$PIN_SOURCE"
+		echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+	fi
+
+	echo_i "Initializing tokens to ${TOKENPATH}..."
+	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
+
+	if [ -n "$GROUPNAME" ]; then
+		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+		chmod -R -- g=rX,o= "$TOKENPATH"
+	fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""

tests/tests.yml

@@ -0,0 +1,26 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - Master-server-chrooted
+    - Master-server-not-chrooted
+    - Run-internal-BIND-test-suite
+    required_packages:
+    - bind
+    - bind-chroot
+    - bind-sdb-chroot
+    - redhat-lsb
+    - bind-utils
+    - dnf-utils
+    - kyua
+    - bind-devel
+    - perl-Net-DNS
+    - perl-Net-DNS-Nameserver
+    - perl-Time-HiRes
+    - softhsm
+    - bind-pkcs11
+    - bind-pkcs11-utils

trusted-key.key

@@ -0,0 +1 @@
+. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=