CVE-2016-5426, CVE-2016-5427, CVE-2016-6172

#2781)

.gitignore

@@ -1 +1,14 @@
 pdns-2.9.22.tar.gz
+/pdns-3.0-pre.20110327.2103.tar.gz
+/pdns-3.0-rc2.tar.gz
+/pdns-3.0-rc3.tar.gz
+/pdns-3.0.tar.gz
+/pdns-3.0.1.tar.gz
+/pdns-3.1.tar.gz
+/pdns-3.2.tar.gz
+/pdns-3.3-rc1.tar.gz
+/pdns-3.3-rc2.tar.gz
+/pdns-3.3.tar.gz
+/pdns-3.3.1.tar.gz
+/pdns-3.3.2.tar.gz
+/pdns-3.3.3.tar.gz

0001-Reject-qname-s-wirelength-255-chopOff-handle-dot-ins.patch

@@ -0,0 +1,167 @@
+From 0086c2b1374072d2b0609407f8e60fade192ae88 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Fri, 1 Jul 2016 15:30:20 +0200
+Subject: [PATCH 1/2] Reject qname's wirelength > 255, `chopOff()` handle dot
+ inside labels
+
+(cherry picked from commit 881b5b03a590198d03008e4200dd00cc537712f3)
+---
+ pdns/dnsparser.cc | 17 +++++++++++----
+ pdns/dnsparser.hh |  2 +-
+ pdns/misc.cc      | 65 +++++++++++++++++++++++++++++++++++++------------------
+ 3 files changed, 58 insertions(+), 26 deletions(-)
+
+diff --git a/pdns/dnsparser.cc b/pdns/dnsparser.cc
+index e54b678..f3e3d87 100644
+--- a/pdns/dnsparser.cc
++++ b/pdns/dnsparser.cc
+@@ -380,8 +380,9 @@ uint8_t PacketReader::get8BitInt()
+ string PacketReader::getLabel(unsigned int recurs)
+ {
+   string ret;
++  size_t wirelength = 0;
+   ret.reserve(40);
+-  getLabelFromContent(d_content, d_pos, ret, recurs++);
++  getLabelFromContent(d_content, d_pos, ret, recurs++, wirelength);
+   return ret;
+ }
+ 
+@@ -431,7 +432,7 @@ string PacketReader::getText(bool multi)
+ }
+ 
+ 
+-void PacketReader::getLabelFromContent(const vector<uint8_t>& content, uint16_t& frompos, string& ret, int recurs) 
++void PacketReader::getLabelFromContent(const vector<uint8_t>& content, uint16_t& frompos, string& ret, int recurs, size_t& wirelength)
+ {
+   if(recurs > 100) // the forward reference-check below should make this test 100% obsolete
+     throw MOADNSException("Loop");
+@@ -440,6 +441,10 @@ void PacketReader::getLabelFromContent(const vector<uint8_t>& content, uint16_t&
+   // it is tempting to call reserve on ret, but it turns out it creates a malloc/free storm in the loop
+   for(;;) {
+     unsigned char labellen=content.at(frompos++);
++    wirelength++;
++    if (wirelength > 255) {
++      throw MOADNSException("Overly long DNS name ("+lexical_cast<string>(wirelength)+")");
++    }
+ 
+     if(!labellen) {
+       if(ret.empty())
+@@ -452,11 +457,15 @@ void PacketReader::getLabelFromContent(const vector<uint8_t>& content, uint16_t&
+ 
+       if(offset >= pos)
+         throw MOADNSException("forward reference during label decompression");
+-      return getLabelFromContent(content, offset, ret, ++recurs);
++      /* the compression pointer does not count into the wire length */
++      return getLabelFromContent(content, offset, ret, ++recurs, --wirelength);
+     }
+     else {
++      if (wirelength + labellen > 255) {
++        throw MOADNSException("Overly long DNS name ("+lexical_cast<string>(wirelength)+")");
++      }
++      wirelength += labellen;
+       // XXX FIXME THIS MIGHT BE VERY SLOW!
+-
+       for(string::size_type n = 0 ; n < labellen; ++n, frompos++) {
+         if(content.at(frompos)=='.' || content.at(frompos)=='\\') {
+           ret.append(1, '\\');
+diff --git a/pdns/dnsparser.hh b/pdns/dnsparser.hh
+index 414c73e..cc0cf44 100644
+--- a/pdns/dnsparser.hh
++++ b/pdns/dnsparser.hh
+@@ -128,7 +128,7 @@ public:
+   void xfrHexBlob(string& blob, bool keepReading=false);
+ 
+   static uint16_t get16BitInt(const vector<unsigned char>&content, uint16_t& pos);
+-  static void getLabelFromContent(const vector<uint8_t>& content, uint16_t& frompos, string& ret, int recurs);
++  static void getLabelFromContent(const vector<uint8_t>& content, uint16_t& frompos, string& ret, int recurs, size_t& wirelength);
+ 
+   void getDnsrecordheader(struct dnsrecordheader &ah);
+   void copyRecord(vector<unsigned char>& dest, uint16_t len);
+diff --git a/pdns/misc.cc b/pdns/misc.cc
+index 2d5dc21..73a8433 100644
+--- a/pdns/misc.cc
++++ b/pdns/misc.cc
+@@ -125,16 +125,27 @@ bool chopOff(string &domain)
+   if(domain.empty())
+     return false;
+ 
+-  string::size_type fdot=domain.find('.');
+-
+-  if(fdot==string::npos) 
+-    domain="";
+-  else {
+-    string::size_type remain = domain.length() - (fdot + 1);
+-    char tmp[remain];
+-    memcpy(tmp, domain.c_str()+fdot+1, remain);
+-    domain.assign(tmp, remain); // don't dare to do this w/o tmp holder :-)
++  bool escaped = false;
++  const string::size_type domainLen = domain.length();
++  for (size_t fdot = 0; fdot < domainLen; fdot++)
++  {
++    if (domain[fdot] == '.' && !escaped) {
++      string::size_type remain = domainLen - (fdot + 1);
++      char tmp[remain];
++      memcpy(tmp, domain.c_str()+fdot+1, remain);
++      domain.assign(tmp, remain); // don't dare to do this w/o tmp holder :-)
++
++      return true;
++    }
++    else if (domain[fdot] == '\\' && !escaped) {
++      escaped = true;
++    }
++    else {
++      escaped = false;
++    }
+   }
++
++  domain = "";
+   return true;
+ }
+ 
+@@ -144,19 +155,31 @@ bool chopOffDotted(string &domain)
+   if(domain.empty() || (domain.size()==1 && domain[0]=='.'))
+     return false;
+ 
+-  string::size_type fdot=domain.find('.');
+-  if(fdot == string::npos)
+-    return false;
+-
+-  if(fdot==domain.size()-1) 
+-    domain=".";
+-  else  {
+-    string::size_type remain = domain.length() - (fdot + 1);
+-    char tmp[remain];
+-    memcpy(tmp, domain.c_str()+fdot+1, remain);
+-    domain.assign(tmp, remain);
++  bool escaped = false;
++  const string::size_type domainLen = domain.length();
++  for (size_t fdot = 0; fdot < domainLen; fdot++)
++  {
++    if (domain[fdot] == '.' && !escaped) {
++      if (fdot==domain.size()-1) {
++        domain=".";
++      }
++      else {
++        string::size_type remain = domainLen - (fdot + 1);
++        char tmp[remain];
++        memcpy(tmp, domain.c_str()+fdot+1, remain);
++        domain.assign(tmp, remain); // don't dare to do this w/o tmp holder :-)
++      }
++      return true;
++    }
++    else if (domain[fdot] == '\\' && !escaped) {
++      escaped = true;
++    }
++    else {
++      escaped = false;
++    }
+   }
+-  return true;
++
++  return false;
+ }
+ 
+ 
+-- 
+2.10.2
+

0002-Add-limits-to-the-size-of-received-AXFR-in-megabytes.patch

@@ -0,0 +1,116 @@
+From 2886c5826dd9af891cbaa3ac9fd928838ef75387 Mon Sep 17 00:00:00 2001
+From: Remi Gacogne <remi.gacogne@powerdns.com>
+Date: Thu, 7 Jul 2016 16:17:22 +0200
+Subject: [PATCH 2/2] Add limits to the size of received AXFR, in megabytes
+
+This prevents resource exhaustion in case the master is sending a
+very large amount of data in an update.
+
+(cherry picked from commit a014f4c224a7b21f1c648257d1fd1128413129aa)
+---
+ pdns/common_startup.cc    |  2 ++
+ pdns/docs/pdns.xml        | 11 +++++++++++
+ pdns/pdns.conf-dist       |  4 ++++
+ pdns/resolver.cc          | 15 +++++++++++----
+ pdns/resolver.hh          |  5 ++++-
+ pdns/slavecommunicator.cc |  2 +-
+ 6 files changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
+index 41ca348..adc50e2 100644
+--- a/pdns/common_startup.cc
++++ b/pdns/common_startup.cc
+@@ -150,6 +150,8 @@ void declareArguments()
+ 
+   ::arg().set("include-dir","Include *.conf files from this directory");
+   ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
++
++  ::arg().set("xfr-max-received-mbytes", "Maximum number of megabytes received from an incoming AXFR")="100";
+ }
+ 
+ void declareStats(void)
+diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
+index ccb03f9..146f89f 100644
+--- a/pdns/pdns.conf-dist
++++ b/pdns/pdns.conf-dist
+@@ -464,4 +464,8 @@
+ #
+ # wildcard-url=no
+ 
++#################################
++# xfr-max-received-mbytes	Maximum number of megabytes received from an incoming AXFR
++#
++# xfr-max-received-mbytes=100
+ 
+diff --git a/pdns/resolver.cc b/pdns/resolver.cc
+index 792c8fb..9dd9182 100644
+--- a/pdns/resolver.cc
++++ b/pdns/resolver.cc
+@@ -305,8 +305,9 @@ AXFRRetriever::AXFRRetriever(const ComboAddress& remote,
+ 	const string& tsigkeyname,
+ 	const string& tsigalgorithm, 
+ 	const string& tsigsecret,
+-	const ComboAddress* laddr)
+-: d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_tsigPos(0), d_nonSignedMessages(0)
++	const ComboAddress* laddr,
++	size_t maxReceivedBytes)
++: d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_receivedBytes(0), d_maxReceivedBytes(maxReceivedBytes), d_tsigPos(0), d_nonSignedMessages(0)
+ {
+   ComboAddress local;
+   if (laddr != NULL) {
+@@ -384,8 +385,14 @@ int AXFRRetriever::getChunk(Resolver::res_t &res) // Implementation is making su
+   int len=getLength();
+   if(len<0)
+     throw ResolverException("EOF trying to read axfr chunk from remote TCP client");
+-  
+-  timeoutReadn(len); 
++
++  if (d_maxReceivedBytes > 0 && (d_maxReceivedBytes - d_receivedBytes) < (size_t) len)
++    throw ResolverException("Reached the maximum number of received bytes during AXFR");
++
++  timeoutReadn(len);
++
++  d_receivedBytes += (uint16_t) len;
++
+   MOADNSParser mdp(d_buf.get(), len);
+ 
+   int err = parseResult(mdp, "", 0, 0, &res);
+diff --git a/pdns/resolver.hh b/pdns/resolver.hh
+index 3633bf2..a783b84 100644
+--- a/pdns/resolver.hh
++++ b/pdns/resolver.hh
+@@ -86,7 +86,8 @@ class AXFRRetriever : public boost::noncopyable
+         const string& tsigkeyname=string(),
+         const string& tsigalgorithm=string(),
+         const string& tsigsecret=string(),
+-        const ComboAddress* laddr = NULL);
++        const ComboAddress* laddr = NULL,
++        size_t maxReceivedBytes=0);
+ 	~AXFRRetriever();
+     int getChunk(Resolver::res_t &res);  
+   
+@@ -105,6 +106,8 @@ class AXFRRetriever : public boost::noncopyable
+     string d_tsigsecret;
+     string d_prevMac; // RFC2845 4.4
+     string d_signData;
++    size_t d_receivedBytes;
++    size_t d_maxReceivedBytes;
+     uint32_t d_tsigPos;
+     uint d_nonSignedMessages; // RFC2845 4.4
+     TSIGRecordContent d_trc;
+diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
+index 492ac41..12c2316 100644
+--- a/pdns/slavecommunicator.cc
++++ b/pdns/slavecommunicator.cc
+@@ -153,7 +153,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
+     vector<DNSResourceRecord> rrs;
+ 
+     ComboAddress raddr(remote, 53);
+-    AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret, (laddr.sin4.sin_family == 0) ? NULL : &laddr);
++    AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret, (laddr.sin4.sin_family == 0) ? NULL : &laddr, ((size_t) ::arg().asNum("xfr-max-received-mbytes")) * 1024 * 1024);
+     Resolver::res_t recs;
+     while(retriever.getChunk(recs)) {
+       if(first) {
+-- 
+2.10.2
+

0003-Disable-secpoll.patch

@@ -0,0 +1,25 @@
+From 2bdeeb685e70105826739e774e93427e1bc69053 Mon Sep 17 00:00:00 2001
+From: Ruben Kerkhof <ruben@rubenkerkhof.com>
+Date: Mon, 31 Oct 2016 22:17:30 +0100
+Subject: [PATCH 3/3] Disable secpoll
+
+---
+ pdns/common_startup.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
+index adc50e2..a5ff792 100644
+--- a/pdns/common_startup.cc
++++ b/pdns/common_startup.cc
+@@ -149,7 +149,7 @@ void declareArguments()
+   ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
+ 
+   ::arg().set("include-dir","Include *.conf files from this directory");
+-  ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
++  ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="";
+ 
+   ::arg().set("xfr-max-received-mbytes", "Maximum number of megabytes received from an incoming AXFR")="100";
+ }
+-- 
+2.10.2
+

pdns-default-config.patch

@@ -0,0 +1,9 @@
+--- pdns-3.3-rc2/pdns/pdns.conf-dist.orig	2013-06-14 11:51:22.000000000 +0200
++++ pdns-3.3-rc2/pdns/pdns.conf-dist	2013-06-28 13:45:37.307992960 +0200
+@@ -1,3 +1,6 @@
++setuid=pdns
++setgid=pdns
++launch=bind
+ # Autogenerated configuration file template
+ #################################
+ # add-superfluous-nsec3-for-old-bind	Add superfluous NSEC3 record to positive wildcard response

pdns-fix-crash-on-sigstop.patch

@@ -1,16 +0,0 @@
-diff -ur pdns-2.9.22.orig/pdns/unix_semaphore.cc pdns-2.9.22/pdns/unix_semaphore.cc
---- pdns-2.9.22.orig/pdns/unix_semaphore.cc	2010-12-14 17:18:02.667000233 +0100
-+++ pdns-2.9.22/pdns/unix_semaphore.cc	2010-12-14 17:18:08.138000485 +0100
-@@ -156,7 +156,11 @@
- 
- int Semaphore::wait()
- {
--  return sem_wait(m_pSemaphore);
-+  int ret;
-+  do
-+    ret = sem_wait(m_pSemaphore);
-+  while (ret == -1 && errno == EINTR);
-+  return ret;
- }
- int Semaphore::tryWait()
- {

pdns-fix-postgres-detection.patch

@@ -1,22 +0,0 @@
-diff -up pdns-2.9.22/configure.orig pdns-2.9.22/configure
---- pdns-2.9.22/configure.orig	2010-01-14 20:40:16.000000000 +0100
-+++ pdns-2.9.22/configure	2010-01-14 20:41:13.000000000 +0100
-@@ -23298,7 +23298,7 @@ if test "${with_pgsql+set}" = set; then
-   withval=$with_pgsql; PGSQL_lib_check="$withval/lib/pgsql $with_pgsql/lib"
- 	PGSQL_inc_check="$withval/include/pgsql"
- else
--  PGSQL_lib_check="/usr/local/pgsql/lib/pgsql /usr/local/lib/pgsql /opt/pgsql/lib/pgsql /usr/lib/pgsql /usr/local/pgsql/lib /usr/local/lib /opt/pgsql/lib /usr/lib"
-+  PGSQL_lib_check="/usr/local/pgsql/lib/pgsql /usr/local/lib/pgsql /opt/pgsql/lib/pgsql /usr/lib/pgsql /usr/local/pgsql/lib /usr/local/lib /opt/pgsql/lib /usr/lib /usr/lib64"
- 	PGSQL_inc_check="/usr/local/pgsql/include/pgsql /usr/include /usr/local/include/postgresql/ /usr/local/include /opt/pgsql/include/pgsql /opt/pgsql/include /usr/include/pgsql/ /usr/include/postgresql"
- fi
- 
-@@ -23318,8 +23318,7 @@ fi
- echo $ECHO_N "checking for PgSQL library directory... $ECHO_C" >&6; }
- 	PGSQL_libdir=
- 	for m in $PGSQL_lib_check; do
--	        if test -d "$m" && \
--		   (test -f "$m/libpq.a" || test -f "$m/libpq++.a")
-+	        if test -d "$m" && test -f "$m/libpq.so"
- 	        then
- 	                PGSQL_libdir=$m
- 	                break

pdns-fixinit.patch

@@ -1,7 +1,15 @@
-diff -up pdns-2.9.22-rc2/pdns/pdns.in.fixinit pdns-2.9.22-rc2/pdns/pdns.in
---- pdns-2.9.22-rc2/pdns/pdns.in.fixinit	2008-02-03 13:14:00.000000000 +0100
-+++ pdns-2.9.22-rc2/pdns/pdns.in	2008-12-03 04:07:26.000000000 +0100
-@@ -47,6 +47,7 @@ case "$1" in
+--- pdns-3.3/pdns/pdns.in.orig	2013-06-10 09:02:40.000000000 +0200
++++ pdns-3.3/pdns/pdns.in	2013-07-08 22:36:59.277997994 +0200
+@@ -8,7 +8,7 @@
+ # Required-Stop:     $remote_fs $network $syslog
+ # Should-Start:
+ # Should-Stop:
+-# Default-Start:     2 3 4 5
++# Default-Start:     
+ # Default-Stop:      0 1 6
+ # Short-Description: PowerDNS authoritative server
+ # Description:       PowerDNS authoritative server
+@@ -63,6 +63,7 @@ case "$1" in
  		if test "$NOTRUNNING" = "0" 
  		then 
  			doPC quit
@@ -9,7 +17,7 @@ diff -up pdns-2.9.22-rc2/pdns/pdns.in.fixinit pdns-2.9.22-rc2/pdns/pdns.in
  			echo $ret
  		else
  			echo "not running"
-@@ -57,6 +58,7 @@ case "$1" in
+@@ -73,6 +74,7 @@ case "$1" in
  	force-stop)
  		echo -n "Stopping PowerDNS authoritative nameserver: "
  		killall -v -9 pdns_server
@@ -17,11 +25,37 @@ diff -up pdns-2.9.22-rc2/pdns/pdns.in.fixinit pdns-2.9.22-rc2/pdns/pdns.in
  		echo "killed"
  	;;
  
-@@ -69,6 +71,7 @@ case "$1" in
- 			$pdns_server --daemon --guardian=yes
- 			if test "$?" = "0"
+@@ -84,6 +86,7 @@ case "$1" in
+ 		else
+ 			if $pdns_server --daemon --guardian=yes
  			then
 +				touch /var/lock/subsys/pdns
  				echo "started"	
- 			fi
+ 	            	else
+ 				echo "starting failed"
+@@ -92,6 +95,16 @@ case "$1" in
  		fi 
+ 	;;		
+ 
++	condrestart)
++		if [ -f /var/lock/subsys/pdns ]; 
++		then
++			echo "running, restarting"
++		$0 restart
++		else
++			echo "not running"
++		fi
++	;;
++
+ 	force-reload | restart)
+ 		echo -n "Restarting PowerDNS authoritative nameserver: "
+ 		if test "$NOTRUNNING" = "1" 
+@@ -194,7 +207,7 @@ case "$1" in
+ 
+ 
+ 	*)
+-	echo pdns [start\|stop\|force-reload\|reload\|restart\|status\|dump\|show\|mrtg\|cricket\|monitor]
++	echo pdns [start\|stop\|condrestart\|force-reload\|reload\|restart\|status\|dump\|show\|mrtg\|cricket\|monitor]
+ 
+ 	;;
+ esac

pdns-gcc44.patch

@@ -1,11 +0,0 @@
-diff -up pdns-2.9.22/pdns/misc.hh.orig pdns-2.9.22/pdns/misc.hh
---- pdns-2.9.22/pdns/misc.hh.orig	2009-02-26 17:09:41.000000000 +0100
-+++ pdns-2.9.22/pdns/misc.hh	2009-02-26 17:09:54.000000000 +0100
-@@ -20,6 +20,7 @@
- #define MISC_HH
- #include <stdint.h>
- #include <cstring>
-+#include <cstdio>
- 
- #if 0
- #include <iostream>

pdns.spec

@@ -1,23 +1,29 @@
-Summary:	A modern, advanced and high performance authoritative-only nameserver
-Name:		pdns
-Version:	2.9.22
-Release:	10%{?dist}
+%global backends %{nil}
 
-Group:		System Environment/Daemons
-License:	GPLv2
-URL:		http://powerdns.com
-BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Source0:	http://downloads.powerdns.com/releases/%{name}-%{version}.tar.gz
-Patch0:		%{name}-fixinit.patch
-Patch1:		%{name}-gcc44.patch
-Patch2:		pdns-fix-postgres-detection.patch
-Patch3:		pdns-fix-crash-on-sigstop.patch
+Name: pdns
+Version: 3.3.3
+Release: 2%{?dist}
+Summary: A modern, advanced and high performance authoritative-only nameserver
+Group: System Environment/Daemons
+License: GPLv2
+URL: http://powerdns.com
+Source0: http://downloads.powerdns.com/releases/%{name}-%{version}.tar.gz
+Patch0: pdns-default-config.patch
+Patch1: pdns-fixinit.patch
+Patch2: 0001-Reject-qname-s-wirelength-255-chopOff-handle-dot-ins.patch
+Patch3: 0002-Add-limits-to-the-size-of-received-AXFR-in-megabytes.patch
+Patch4: 0003-Disable-secpoll.patch
 
-Requires(post):	%{_sbindir}/useradd, /sbin/chkconfig
-Requires(preun):	/sbin/service, /sbin/chkconfig
+Requires(pre): shadow-utils
+Requires(post): /sbin/chkconfig
+Requires(preun): /sbin/service, /sbin/chkconfig
+Requires(postun): /sbin/service
 
-BuildRequires:	boost-devel, chrpath
-Provides:	powerdns = %{version}-%{release}
+BuildRequires: boost-devel
+BuildRequires: lua-devel
+BuildRequires: cryptopp-devel
+BuildRequires: bison
+Provides: powerdns = %{version}-%{release}
 
 %description
 The PowerDNS Nameserver is a modern, advanced and high performance
@@ -25,165 +31,267 @@ authoritative-only nameserver. It is written from scratch and conforms
 to all relevant DNS standards documents.
 Furthermore, PowerDNS interfaces with almost any database.
 
-%package	backend-mysql
-Summary:	MySQL backend for %{name}
-Group:		System Environment/Daemons
-Requires:	%{name} = %{version}-%{release}
-BuildRequires:	mysql-devel
+%package tools
+Summary: Extra tools for %{name}
+Group: System Environment/Daemons
 
-%package	backend-postgresql
-Summary:	PostgreSQL backend for %{name}
-Group:		System Environment/Daemons
-Requires:	%{name} = %{version}-%{release}
-BuildRequires:	postgresql-devel
+%description tools
+This package contains the extra tools for %{name}
 
-%package	backend-pipe
-Summary:	Pipe backend for %{name}
-Group:		System Environment/Daemons
-Requires:	%{name} = %{version}-%{release}
+%package backend-mysql
+Summary: MySQL backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: mysql-devel
+%global backends %{backends} gmysql
 
-%package	backend-geo
-Summary:	Geo backend for %{name}
-Group:		System Environment/Daemons
-Requires:	%{name} = %{version}-%{release}
-
-%package	backend-ldap
-Summary:	LDAP backend for %{name}
-Group:		System Environment/Daemons
-Requires:	%{name} = %{version}-%{release}
-BuildRequires:	openldap-devel
-
-%package	backend-sqlite
-Summary:	SQLite backend for %{name}
-Group:		System Environment/Daemons
-Requires:	%{name} = %{version}-%{release}
-BuildRequires:	sqlite-devel
-
-%description	backend-mysql
+%description backend-mysql
 This package contains the gmysql backend for %{name}
 
-%description	backend-postgresql
+%package backend-postgresql
+Summary: PostgreSQL backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: postgresql-devel
+%global backends %{backends} gpgsql
+
+%description backend-postgresql
 This package contains the gpgsql backend for %{name}
 
-%description	backend-pipe
+%package backend-pipe
+Summary: Pipe backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%global backends %{backends} pipe
+
+%description backend-pipe
 This package contains the pipe backend for %{name}
 
-%description	backend-geo
+%package backend-remote
+Summary: Remote backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: libcurl-devel
+%global backends %{backends} remote
+
+%description backend-remote
+This package contains the remote backend for %{name}
+
+%package backend-geo
+Summary: Geo backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%global backends %{backends} geo
+
+%description backend-geo
 This package contains the geo backend for %{name}
 It allows different answers to DNS queries coming from different
 IP address ranges or based on the geographic location
 
-%description	backend-ldap
+%package backend-ldap
+Summary: LDAP backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: openldap-devel
+%global backends %{backends} ldap
+
+%description backend-ldap
 This package contains the ldap backend for %{name}
 
-%description	backend-sqlite
-This package contains the SQLite backend for %{name}
+%package backend-lua
+Summary: LUA backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%global backends %{backends} lua
 
+%description backend-lua
+This package contains the lua backend for %{name}
+
+%package backend-sqlite
+Summary: SQLite backend for %{name}
+Group: System Environment/Daemons
+Requires: %{name}%{?_isa} = %{version}-%{release}
+BuildRequires: sqlite-devel
+%global backends %{backends} gsqlite3
+
+%description backend-sqlite
+This package contains the SQLite backend for %{name}
 
 %prep
 %setup -q
-%patch0 -p1 -b .fixinit
-%patch1 -p1 -b .gcc44
-%patch2 -p1 -b .postgres
-%patch3 -p1 -b .sigstop
+%patch0 -p1 -b .default-config-patch
+%patch1 -p1 -b .fixinit
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
-export CPPFLAGS="-DLDAP_DEPRECATED %{optflags}"
+export CPPFLAGS="-DLDAP_DEPRECATED"
 
 %configure \
 	--sysconfdir=%{_sysconfdir}/%{name} \
 	--libdir=%{_libdir}/%{name} \
 	--disable-static \
+	--disable-dependency-tracking \
+	--disable-silent-rules \
 	--with-modules='' \
-	--with-dynmodules='pipe gmysql gpgsql geo ldap gsqlite3' \
-	--with-mysql-lib=%{_libdir}/mysql \
-	--with-sqlite3-lib=%{_libdir}
+	--with-lua \
+	--with-dynmodules='%{backends}' \
+	--enable-cryptopp \
+	--enable-tools \
+	--enable-remotebackend-http \
+	--enable-unit-tests
+
+
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 
 make %{?_smp_mflags}
 
 %install
-%{__rm} -rf %{buildroot}
 make install DESTDIR=%{buildroot}
 
 %{__rm} -f %{buildroot}%{_libdir}/%{name}/*.la
 %{__install} -p -D -m 0755 pdns/pdns %{buildroot}%{_initrddir}/pdns
 %{__mv} %{buildroot}%{_sysconfdir}/%{name}/pdns.conf{-dist,}
 
-# add the pdns user to the config file
-sed -i '1i\setuid=pdns' %{buildroot}%{_sysconfdir}/%{name}/pdns.conf
-sed -i '2i\setgid=pdns' %{buildroot}%{_sysconfdir}/%{name}/pdns.conf
+chmod 600 %{buildroot}%{_sysconfdir}/%{name}/pdns.conf
 
-# strip the static rpath from the binaries
-chrpath --delete %{buildroot}%{_bindir}/pdns_control
-chrpath --delete %{buildroot}%{_bindir}/zone2ldap
-chrpath --delete %{buildroot}%{_bindir}/zone2sql
-chrpath --delete %{buildroot}%{_sbindir}/pdns_server
-chrpath --delete %{buildroot}%{_libdir}/%{name}/*.so
+%check
+make %{?_smp_mflags} -C pdns check
+
+%pre
+getent group pdns >/dev/null || groupadd -r pdns
+getent passwd pdns >/dev/null || \
+	useradd -r -g pdns -d / -s /sbin/nologin \
+	-c "PowerDNS user" pdns
+exit 0
 
 %post
-if [ $1 -eq 1 ]; then
-	/sbin/chkconfig --add pdns
-	userid=`id -u pdns 2>/dev/null`
-	if [ x"$userid" = x ]; then
-		%{_sbindir}/useradd -c "PowerDNS user" -s /sbin/nologin -r -d / pdns > /dev/null || :
-	fi
-fi
+/sbin/chkconfig --add pdns
+
 %preun
 if [ $1 -eq 0 ]; then
 	/sbin/service pdns stop >/dev/null 2>&1 || :
 	/sbin/chkconfig --del pdns
 fi
 
-%clean
-%{__rm} -rf %{buildroot}
+%postun
+if [ $1 -ge 1 ]; then
+	/sbin/service pdns condrestart >/dev/null 2>&1 || :
+fi
 
 %files
-%defattr(-,root,root,-)
-%doc ChangeLog TODO pdns/COPYING
+%doc COPYING README
 %{_bindir}/pdns_control
+%{_bindir}/pdnssec
 %{_bindir}/zone2ldap
 %{_bindir}/zone2sql
+%{_bindir}/zone2json
 %{_sbindir}/pdns_server
 %{_mandir}/man8/pdns_control.8.gz
 %{_mandir}/man8/pdns_server.8.gz
 %{_mandir}/man8/zone2sql.8.gz
+%{_mandir}/man8/zone2ldap.8.gz
+%{_mandir}/man8/pdnssec.8.gz
 %{_initrddir}/pdns
 %dir %{_libdir}/%{name}/
 %dir %{_sysconfdir}/%{name}/
 %config(noreplace) %{_sysconfdir}/%{name}/pdns.conf
 
+%files tools
+%{_bindir}/dnsbulktest
+%{_bindir}/dnsreplay
+%{_bindir}/dnsscan
+%{_bindir}/dnsscope
+%{_bindir}/dnstcpbench
+%{_bindir}/dnswasher
+%{_bindir}/nproxy
+%{_bindir}/nsec3dig
+%{_mandir}/man8/dnsreplay.8.gz
+%{_mandir}/man8/dnsscope.8.gz
+%{_mandir}/man8/dnswasher.8.gz
+%{_mandir}/man1/dnstcpbench.1.gz
+
 %files backend-mysql
-%defattr(-,root,root,-)
-%doc pdns/COPYING
+%doc pdns/dnssec.schema.mysql.sql
+%doc pdns/no-dnssec.schema.mysql.sql
 %{_libdir}/%{name}/libgmysqlbackend.so
 
 %files backend-postgresql
-%defattr(-,root,root,-)
-%doc pdns/COPYING
+%doc pdns/dnssec.schema.pgsql.sql
+%doc pdns/no-dnssec.schema.pgsql.sql
 %{_libdir}/%{name}/libgpgsqlbackend.so
 
 %files backend-pipe
-%defattr(-,root,root,-)
-%doc pdns/COPYING
 %{_libdir}/%{name}/libpipebackend.so
 
+%files backend-remote
+%{_libdir}/%{name}/libremotebackend.so
+
 %files backend-geo
-%defattr(-,root,root,-)
-%doc pdns/COPYING modules/geobackend/README
+%doc modules/geobackend/README
 %{_libdir}/%{name}/libgeobackend.so
 
 %files backend-ldap
-%defattr(-,root,root,-)
-%doc pdns/COPYING
 %{_libdir}/%{name}/libldapbackend.so
 
+%files backend-lua
+%{_libdir}/%{name}/libluabackend.so
+
 %files backend-sqlite
-%defattr(-,root,root,-)
-%doc pdns/COPYING
+%doc pdns/dnssec.schema.sqlite3.sql
+%doc pdns/no-dnssec.schema.sqlite3.sql
+%doc pdns/bind-dnssec.schema.sqlite3.sql
 %{_libdir}/%{name}/libgsqlite3backend.so
 
-
 %changelog
+* Mon Oct 31 2016 Ruben Kerkhof <ruben@rubenkerkhof.com> - 3.3.3-2
+- CVE-2016-5426, CVE-2016-5427, CVE-2016-6172
+
+* Wed Jun 10 2015 Morten Stevens <mstevens@imt-systems.com> - 3.3.3-1
+- Update to 3.3.3
+- Disable security status polling by default
+
+* Fri May 01 2015 Morten Stevens <mstevens@imt-systems.com> - 3.3.2-1
+- Update to latest upstream release 3.3.2
+
+* Mon Apr 27 2015 Morten Stevens <mstevens@imt-systems.com> - 3.3.1-2
+- CVE-2015-1868
+- Run the unit tests during check
+- Remove polarssl-devel as build dependency
+
+* Tue Dec 17 2013 Morten Stevens <mstevens@imt-systems.com> - 3.3.1-1
+- Update to latest upstream release 3.3.1
+- Some more DNSSEC improvements
+- Several bugs fixed since 3.1
+- Add extra tools package for pdns
+- Add Remote backend
+- Add LUA backend
+- Enable remotebackend-http
+- Add extra tools package for pdns
+- Add polarssl-devel as build dependency
+- Fix bogus date in changelog
+
+* Sun Oct 28 2012 Morten Stevens <mstevens@imt-systems.com> - 3.1-2
+- Spec improvements
+
+* Fri Oct 26 2012 Morten Stevens <mstevens@imt-systems.com> - 3.1-1
+- Update to latest upstream release 3.1
+- DNSSEC improvements
+- several bugs fixed since 2.9.22
+- Added condrestart option
+
+* Sat Oct 20 2012 Morten Stevens <mstevens@imt-systems.com> - 2.9.22.6-2
+- Fixed permissions of pdns.conf file (rhbz#646510)
+- Set bind as default backend
+
+* Wed Feb 01 2012 Ruben Kerkhof <ruben@rubenkerkhof.com> 2.9.22.6-1
+- Upstream released new version. Fixes crash introduced in 2.9.22.5
+
+* Mon Jan 09 2012 Ruben Kerkhof <ruben@rubenkerkhof.com> 2.9.22.5-1
+- CVE-2012-0206
+
 * Tue Dec 14 2010 Ruben Kerkhof <ruben@rubenkerkhof.com> 2.9.22-10
 - Fix crash on SIGSTOP and SIGCONT, thanks to Anders Kaseorg (#652841)
 
@@ -236,30 +344,39 @@ fi
 * Tue Sep 11 2007 Ruben Kerkhof <ruben@rubenkerkhof.com> 2.9.21-2
 - Fix license tag
 - Add README for geo backend to docs
+
 * Tue Apr 24 2007 Ruben Kerkhof <ruben@rubenkerkhof.com> 2.9.21-1
 - Upstream released 2.9.21
 - Enabled new SQLite backend
-* Thu Apr 10 2007 <ruben@rubenkerkhof.com> 2.9.20-9
+
+* Tue Apr 10 2007 <ruben@rubenkerkhof.com> 2.9.20-9
 - Add Requires for chkconfig, service and useradd (#235582)
+
 * Mon Jan 1 2007 <ruben@rubenkerkhof.com> 2.9.20-8
 - Add the pdns user and group to the config file
 - Don't restart pdns on an upgrade
 - Minor cleanups in scriptlets
+
 * Mon Jan 1 2007 <ruben@rubenkerkhof.com> 2.9.20-7
 - Fixed typo in scriptlet
+
 * Mon Jan 1 2007 <ruben@rubenkerkhof.com> 2.9.20-6
 - Check if user pdns exists before adding it
+
 * Sat Dec 30 2006 <ruben@rubenkerkhof.com> 2.9.20-5
 - Strip rpath from the backends as well
+
 * Fri Dec 29 2006 <ruben@rubenkerkhof.com> 2.9.20-4
 - Disable rpath
+
 * Thu Dec 28 2006 <ruben@rubenkerkhof.com> 2.9.20-3
 - More fixes as per review #219973
+
 * Wed Dec 27 2006 <ruben@rubenkerkhof.com> 2.9.20-2
 - A few changes for FE review (bz #219973):
 - Renamed package to pdns, since that's how upstream calls it
 - Removed calls to ldconfig
 - Subpackages now require %%{version}-%%{release}
+
 * Sat Dec 16 2006 <ruben@rubenkerkhof.com> 2.9.20-1
 - Initial import
-

sources

@@ -1 +1 @@
-8a6ff842733aca885577eb54e983a1ff  pdns-2.9.22.tar.gz
+4cc9ce7d63c0f78d57b1f337c023906c  pdns-3.3.3.tar.gz