From 05956671a250e7664593e136d1d60cc2df36e245 Mon Sep 17 00:00:00 2001 From: Roy Li Date: Mon, 4 May 2015 16:43:39 +0800 Subject: bind: upgrade to 9.10.2 1. Remove two unneeded CVE patches, 9.10.2 fixed the CVE-2015-1349 also 2. Remove bind-subdirs-run-serially.patch and cross-build-fix.patch, similar fixes are merged into 9.10.2 3. update the dont-test-on-host.patch 4. update the Copyright file checksum, since the date in it has been changed. 5. replace the hardcode lib dir with $base_libdir in bind-add-crosscripts*.patch (From OE-Core rev: 41d53f0139a9cb29679dbcaaab8311a1364c65f4) Signed-off-by: Roy Li Signed-off-by: Richard Purdie --- .../bind/bind/bind-CVE-2012-3817.patch | 40 - ...d-crosscripts-search-path-for-xml2-config.patch | 2 +- .../bind/bind/bind-subdirs-run-serially.patch | 35 - .../bind/bind/bind9_9_5-CVE-2014-8500.patch | 990 --------------------- .../bind/bind/cross-build-fix.patch | 21 - .../bind/bind/dont-test-on-host.patch | 4 +- meta/recipes-connectivity/bind/bind_9.10.2.bb | 101 +++ meta/recipes-connectivity/bind/bind_9.9.5.bb | 105 --- 8 files changed, 104 insertions(+), 1194 deletions(-) delete mode 100644 meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch delete mode 100644 meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch delete mode 100644 meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch delete mode 100644 meta/recipes-connectivity/bind/bind/cross-build-fix.patch create mode 100644 meta/recipes-connectivity/bind/bind_9.10.2.bb delete mode 100644 meta/recipes-connectivity/bind/bind_9.9.5.bb diff --git a/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch b/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch deleted file mode 100644 index 1e159bd2f8..0000000000 --- a/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch +++ /dev/null @@ -1,40 +0,0 @@ -bind: fix for CVE-2012-3817 - -Upstream-Status: Backport - -ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; -9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation -is enabled, does not properly initialize the failing-query cache, which allows -remote attackers to cause a denial of service (assertion failure and daemon exit) -by sending many queries. - -http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817 - -This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package. - -Signed-off-by: Ming Liu ---- - resolver.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t - goto cleanup; - bad->type = type; - bad->hashval = hashval; -+ bad->expire = *expire; - isc_buffer_init(&buffer, bad + 1, name->length); - dns_name_init(&bad->name, NULL); - dns_name_copy(name, &bad->name, &buffer); -@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t - if (resolver->badcount < resolver->badhash * 2 && - resolver->badhash > DNS_BADCACHE_SIZE) - resizehash(resolver, &now, ISC_FALSE); -- } -- bad->expire = *expire; -+ } else -+ bad->expire = *expire; - cleanup: - UNLOCK(&resolver->lock); - } diff --git a/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch b/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch index 4f1a3f8e89..d24276cf9e 100644 --- a/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch +++ b/meta/recipes-connectivity/bind/bind/bind-add-crosscripts-search-path-for-xml2-config.patch @@ -24,7 +24,7 @@ index 3d04f4c..6032f67 100644 if test -f "$use_libxml2/bin/xml2-config" ; then libxml2_libs=`$use_libxml2/bin/xml2-config --libs` libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags` -+ elif test -f "$use_libxml2/lib/pkgconfig/libxml-2.0.pc" ; then ++ elif test -f "$use_libxml2/$base_libdir/pkgconfig/libxml-2.0.pc" ; then + libxml2_libs=`pkg-config libxml-2.0 --libs` + libxml2_cflags=`pkg-config libxml-2.0 --cflags` fi diff --git a/meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch b/meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch deleted file mode 100644 index 9db7a1786f..0000000000 --- a/meta/recipes-connectivity/bind/bind/bind-subdirs-run-serially.patch +++ /dev/null @@ -1,35 +0,0 @@ -From b24468b6fe1f136bfd854773bc0e117aca0012d5 Mon Sep 17 00:00:00 2001 -From: Robert Yang -Date: Wed, 28 Jan 2015 01:23:09 -0800 -Subject: [PATCH] lib/export/isc/Makefile.in: let SUBDIRS run serially - -Fix parallel issue:: -make[2]: *** No rule to make target `nls/msgcat.o', needed by `libisc.a'. Stop. -make[2]: *** Waiting for unfinished jobs.... -make[3]: Leaving directory `bind-9.9.5/lib/export/isc/unix' - -Upstream-Status: Pending - -Signed-off-by: Robert Yang ---- - lib/export/isc/Makefile.in | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/export/isc/Makefile.in b/lib/export/isc/Makefile.in -index a92f66f..27dabcb 100644 ---- a/lib/export/isc/Makefile.in -+++ b/lib/export/isc/Makefile.in -@@ -103,6 +103,10 @@ SRCS = @ISC_EXTRA_SRCS@ \ - - LIBS = @LIBS@ - -+# Note: the order of SUBDIRS is important. -+# Attempt to disable parallel processing. -+.NOTPARALLEL: -+.NO_PARALLEL: - SUBDIRS = include unix nls @ISC_THREAD_DIR@ - TARGETS = timestamp - --- -1.7.9.5 - diff --git a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch deleted file mode 100644 index 62142d2313..0000000000 --- a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch +++ /dev/null @@ -1,990 +0,0 @@ -From 603a0e2637b35a2da820bc807f69bcf09c682dce Mon Sep 17 00:00:00 2001 -From: Evan Hunt -Date: Mon, 17 Nov 2014 23:49:07 -0800 -Subject: [PATCH] [v9_9] limit recursion depth and iterative queries - -4006. [security] A flaw in delegation handling could be exploited - to put named into an infinite loop. This has - been addressed by placing limits on the number - of levels of recursion named will allow (default 7), - and the number of iterative queries that it will - send (default 50) before terminating a recursive - query (CVE-2014-8500). - - The recursion depth limit is configured via the - "max-recursion-depth" option. [RT #35780] - -Upstream-Status: Backport - -Signed-off-by: Sona Sarmadi ---- - bin/named/config.c | 3 +- - bin/named/include/named/query.h | 2 - - bin/named/query.c | 7 ++- - bin/named/server.c | 5 ++ - bin/tests/system/many/clean.sh | 7 +++ - bin/tests/system/many/ns1/named.conf | 33 +++++++++++++ - bin/tests/system/many/ns2/named.conf | 30 ++++++++++++ - bin/tests/system/many/ns3/named.conf | 32 +++++++++++++ - bin/tests/system/many/ns4/named.conf | 30 ++++++++++++ - bin/tests/system/many/ns5/hints.db | 2 + - bin/tests/system/many/ns5/named.conf | 29 ++++++++++++ - bin/tests/system/many/setup.sh | 75 ++++++++++++++++++++++++++++++ - bin/tests/system/many/tests.sh | 48 +++++++++++++++++++ - doc/arm/Bv9ARM-book.xml | 12 +++++ - lib/dns/adb.c | 58 ++++++++++++++++------- - lib/dns/include/dns/adb.h | 8 ++++ - lib/dns/include/dns/resolver.h | 25 ++++++++++ - lib/dns/resolver.c | 90 ++++++++++++++++++++++++++++++------ - lib/isccfg/namedconf.c | 1 + - 20 files changed, 471 insertions(+), 37 deletions(-) - create mode 100644 bin/tests/system/many/clean.sh - create mode 100644 bin/tests/system/many/ns1/named.conf - create mode 100644 bin/tests/system/many/ns2/named.conf - create mode 100644 bin/tests/system/many/ns3/named.conf - create mode 100644 bin/tests/system/many/ns4/named.conf - create mode 100644 bin/tests/system/many/ns5/hints.db - create mode 100644 bin/tests/system/many/ns5/named.conf - create mode 100644 bin/tests/system/many/setup.sh - create mode 100644 bin/tests/system/many/tests.sh - -diff --git a/bin/named/config.c b/bin/named/config.c -index 2782720..5ee8c4e 100644 ---- a/bin/named/config.c -+++ b/bin/named/config.c -@@ -15,8 +15,6 @@ - * PERFORMANCE OF THIS SOFTWARE. - */ - --/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */ -- - /*! \file */ - - #include -@@ -160,6 +158,7 @@ options {\n\ - dnssec-accept-expired no;\n\ - clients-per-query 10;\n\ - max-clients-per-query 100;\n\ -+ max-recursion-depth 7;\n\ - zero-no-soa-ttl-cache no;\n\ - nsec3-test-zone no;\n\ - allow-new-zones no;\n\ -diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h -index 3beabb8..b5e3900 100644 ---- a/bin/named/include/named/query.h -+++ b/bin/named/include/named/query.h -@@ -15,8 +15,6 @@ - * PERFORMANCE OF THIS SOFTWARE. - */ - --/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */ -- - #ifndef NAMED_QUERY_H - #define NAMED_QUERY_H 1 - -diff --git a/bin/named/query.c b/bin/named/query.c -index 982f76d..47bfc6a 100644 ---- a/bin/named/query.c -+++ b/bin/named/query.c -@@ -3877,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, - peeraddr = &client->peeraddr; - else - peeraddr = NULL; -- result = dns_resolver_createfetch2(client->view->resolver, -+ result = dns_resolver_createfetch3(client->view->resolver, - qname, qtype, qdomain, nameservers, - NULL, peeraddr, client->message->id, -- client->query.fetchoptions, -- client->task, -- query_resume, client, -+ client->query.fetchoptions, 0, -+ client->task, query_resume, client, - rdataset, sigrdataset, - &client->query.fetch); - -diff --git a/bin/named/server.c b/bin/named/server.c -index ac015a4..0559977 100644 ---- a/bin/named/server.c -+++ b/bin/named/server.c -@@ -3161,6 +3161,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - cfg_obj_asuint32(obj), - max_clients_per_query); - -+ obj = NULL; -+ result = ns_config_get(maps, "max-recursion-depth", &obj); -+ INSIST(result == ISC_R_SUCCESS); -+ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj)); -+ - #ifdef ALLOW_FILTER_AAAA_ON_V4 - obj = NULL; - result = ns_config_get(maps, "filter-aaaa-on-v4", &obj); -diff --git a/bin/tests/system/many/clean.sh b/bin/tests/system/many/clean.sh -new file mode 100644 -index 0000000..119b1f5 ---- /dev/null -+++ b/bin/tests/system/many/clean.sh -@@ -0,0 +1,7 @@ -+rm -f ns1/[1-9]*example.tld?.db -+rm -f ns2/[1-9]*example.tld?.db -+rm -f ns1/zones.conf -+rm -f ns2/zones.conf -+rm -f */root.db -+rm -f ns3/tld1.db -+rm -f ns4/tld2.db -diff --git a/bin/tests/system/many/ns1/named.conf b/bin/tests/system/many/ns1/named.conf -new file mode 100644 -index 0000000..abc9dca ---- /dev/null -+++ b/bin/tests/system/many/ns1/named.conf -@@ -0,0 +1,33 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+controls { /* empty */ }; -+ -+options { -+ query-source address 10.53.0.1; -+ notify-source 10.53.0.1; -+ transfer-source 10.53.0.1; -+ port 5300; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.1; }; -+ listen-on-v6 { none; }; -+ recursion no; -+}; -+ -+include "zones.conf"; -+ -+// zone "tld1" { type master; file "tld1.db"; }; -+// zone "tld2" { type master; file "tld2.db"; }; -diff --git a/bin/tests/system/many/ns2/named.conf b/bin/tests/system/many/ns2/named.conf -new file mode 100644 -index 0000000..16266e2 ---- /dev/null -+++ b/bin/tests/system/many/ns2/named.conf -@@ -0,0 +1,30 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+controls { /* empty */ }; -+ -+options { -+ query-source address 10.53.0.2; -+ notify-source 10.53.0.2; -+ transfer-source 10.53.0.2; -+ port 5300; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.2; }; -+ listen-on-v6 { none; }; -+ recursion no; -+}; -+ -+include "zones.conf"; -diff --git a/bin/tests/system/many/ns3/named.conf b/bin/tests/system/many/ns3/named.conf -new file mode 100644 -index 0000000..b950afe ---- /dev/null -+++ b/bin/tests/system/many/ns3/named.conf -@@ -0,0 +1,32 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+controls { /* empty */ }; -+ -+options { -+ query-source address 10.53.0.3; -+ notify-source 10.53.0.3; -+ transfer-source 10.53.0.3; -+ port 5300; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.3; }; -+ listen-on-v6 { none; }; -+ recursion no; -+}; -+ -+zone "." { type master; file "root.db"; }; -+ -+zone "tld1" { type master; file "tld1.db"; }; -diff --git a/bin/tests/system/many/ns4/named.conf b/bin/tests/system/many/ns4/named.conf -new file mode 100644 -index 0000000..ca9aa6a ---- /dev/null -+++ b/bin/tests/system/many/ns4/named.conf -@@ -0,0 +1,30 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+controls { /* empty */ }; -+ -+options { -+ query-source address 10.53.0.4; -+ notify-source 10.53.0.4; -+ transfer-source 10.53.0.4; -+ port 5300; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.4; }; -+ listen-on-v6 { none; }; -+ recursion no; -+}; -+ -+zone "tld2" { type master; file "tld2.db"; }; -diff --git a/bin/tests/system/many/ns5/hints.db b/bin/tests/system/many/ns5/hints.db -new file mode 100644 -index 0000000..c05809b ---- /dev/null -+++ b/bin/tests/system/many/ns5/hints.db -@@ -0,0 +1,2 @@ -+. 60 in ns ns.nil. -+ns.nil. 60 in A 10.53.0.3 -diff --git a/bin/tests/system/many/ns5/named.conf b/bin/tests/system/many/ns5/named.conf -new file mode 100644 -index 0000000..fce7d59 ---- /dev/null -+++ b/bin/tests/system/many/ns5/named.conf -@@ -0,0 +1,29 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+controls { /* empty */ }; -+ -+options { -+ query-source address 10.53.0.5; -+ notify-source 10.53.0.5; -+ transfer-source 10.53.0.5; -+ port 5300; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.5; }; -+ listen-on-v6 { none; }; -+}; -+ -+zone "." { type hint; file "hints.db"; }; -diff --git a/bin/tests/system/many/setup.sh b/bin/tests/system/many/setup.sh -new file mode 100644 -index 0000000..80695b5 ---- /dev/null -+++ b/bin/tests/system/many/setup.sh -@@ -0,0 +1,75 @@ -+i=1 -+ -+cat > ns3/root.db << EOF -+. 60 in soa ns.nil. hostmaster.ns.nil. 1 0 0 0 0 -+. 60 in ns ns.nil. -+ns.nil. 60 in a 10.53.0.3 -+tld1. 60 in ns ns.tld1. -+ns.tld1. 60 in a 10.53.0.3 -+tld2. 60 in ns ns.tld2. -+ns.tld2. 60 in a 10.53.0.4 -+EOF -+ -+cat > ns3/tld1.db << EOF -+tld1. 60 in soa ns.tld1. hostmaster.ns.tld1. 1 0 0 0 0 -+tld1. 60 in ns ns.tld1. -+ns.tld1. 60 in a 10.53.0.1 -+EOF -+ -+cat > ns4/tld2.db << EOF -+tld2. 60 in soa ns.tld2. hostmaster.ns.tld4. 1 0 0 0 0 -+tld2. 60 in ns ns.tld2. -+ns.tld2. 60 in a 10.53.0.1 -+EOF -+ -+: > ns1/zones.conf -+: > ns2/zones.conf -+ -+while [ $i -lt 1000 ] -+do -+j=`expr $i + 1` -+s=`expr $j % 2 + 1` -+n=`expr $i % 2 + 1` -+t=`expr $s + 2` -+ -+# i=1 j=2 s=1 n=2 -+# i=2 j=3 s=1 n=2 -+# i=3 j=4 s=1 n=2 -+ -+cat > ns1/${i}example.tld${s}.db << EOF -+${i}example.tld${s}. 60 in soa ns.${j}example.tld${n}. hostmaster 1 0 0 0 0 -+${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}. -+ns.${i}example.tld${s}. 60 in a 10.53.0.1 -+EOF -+ -+cat >> ns1/zones.conf << EOF -+zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; }; -+EOF -+ -+cat >> ns${t}/tld${s}.db << EOF -+${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}. -+EOF -+ -+i=$j -+ -+done -+ -+j=`expr $i + 1` -+s=`expr $j % 2 + 1` -+n=`expr $s % 2 + 1` -+t=`expr $s + 2` -+ -+cat > ns1/${i}example.tld${s}.db << EOF -+${i}example.tld${s}. 60 in soa ns.${i}example.tld${s}. hostmaster 1 0 0 0 0 -+${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}. -+ns.${i}example.tld${s}. 60 in a 10.53.0.1 -+EOF -+ -+cat >> ns1/zones.conf << EOF -+zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; }; -+EOF -+ -+cat >> ns${t}/tld${s}.db << EOF -+${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}. -+ns.${i}example.tld${s}. 60 in a 10.53.0.1 -+EOF -diff --git a/bin/tests/system/many/tests.sh b/bin/tests/system/many/tests.sh -new file mode 100644 -index 0000000..37964e2 ---- /dev/null -+++ b/bin/tests/system/many/tests.sh -@@ -0,0 +1,48 @@ -+#!/bin/sh -+# -+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+# -+# Permission to use, copy, modify, and/or distribute this software for any -+# purpose with or without fee is hereby granted, provided that the above -+# copyright notice and this permission notice appear in all copies. -+# -+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+# PERFORMANCE OF THIS SOFTWARE. -+ -+SYSTEMTESTTOP=.. -+. $SYSTEMTESTTOP/conf.sh -+ -+status=0 -+n=0 -+ -+n=`expr $n + 1` -+echo "I: attempt lookup 1example.tld2 soa ($n)" -+ret=0 -+$DIG +tcp 1example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n -+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo "I:failed"; fi -+status=`expr $status + $ret` -+ -+n=`expr $n + 1` -+echo "I: attempt lookup 992example.tld2 soa ($n)" -+ret=0 -+$DIG +tcp 992example.tld2 soa @10.53.0.5 -p 5300 > dig.out.test$n -+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo "I:failed"; fi -+status=`expr $status + $ret` -+ -+n=`expr $n + 1` -+echo "I: attempt lookup 993example.tld1 soa ($n)" -+ret=0 -+$DIG +tcp 993example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n -+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo "I:failed"; fi -+status=`expr $status + $ret` -+ -+echo "I:exit status: $status" -+exit $status -diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index 9f7bd38..fff4249 100644 ---- a/doc/arm/Bv9ARM-book.xml -+++ b/doc/arm/Bv9ARM-book.xml -@@ -4861,6 +4861,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] - max-acache-size size_spec ; - clients-per-query number ; - max-clients-per-query number ; -+ max-recursion-depth number ; - masterfile-format (text|raw) ; - empty-server name ; - empty-contact name ; -@@ -8680,6 +8681,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; - - - -+ -+ max-recursion-depth -+ -+ -+ Sets the maximum number of levels of recursion -+ permitted at any one time while resolving a name. -+ The default is 7. -+ -+ -+ -+ - - notify-delay - -diff --git a/lib/dns/adb.c b/lib/dns/adb.c -index 2ccb51e..fe9b3f7 100644 ---- a/lib/dns/adb.c -+++ b/lib/dns/adb.c -@@ -199,6 +199,7 @@ struct dns_adbfetch { - unsigned int magic; - dns_fetch_t *fetch; - dns_rdataset_t rdataset; -+ unsigned int depth; - }; - - /*% -@@ -300,7 +301,7 @@ static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *); - static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *); - static void clean_target(dns_adb_t *, dns_name_t *); - static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, -- unsigned int); -+ isc_uint32_t, unsigned int); - static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t); - static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **, - isc_stdtime_t); -@@ -308,7 +309,7 @@ static void cancel_fetches_at_name(dns_adbname_t *); - static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t, - dns_rdatatype_t); - static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t, -- dns_rdatatype_t); -+ unsigned int, dns_rdatatype_t); - static inline void check_exit(dns_adb_t *); - static void destroy(dns_adb_t *); - static isc_boolean_t shutdown_names(dns_adb_t *); -@@ -984,7 +985,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) { - * Clean up the name's various lists. These two are destructive - * in that they will always empty the list. - */ -- clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK); -+ clean_finds_at_name(name, ev, 0, DNS_ADBFIND_ADDRESSMASK); - result4 = clean_namehooks(adb, &name->v4); - result6 = clean_namehooks(adb, &name->v6); - clean_target(adb, &name->target); -@@ -1409,7 +1410,7 @@ event_free(isc_event_t *event) { - */ - static void - clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype, -- unsigned int addrs) -+ isc_uint32_t qtotal, unsigned int addrs) - { - isc_event_t *ev; - isc_task_t *task; -@@ -1469,6 +1470,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype, - ev->ev_sender = find; - find->result_v4 = find_err_map[name->fetch_err]; - find->result_v6 = find_err_map[name->fetch6_err]; -+ find->qtotal += qtotal; - ev->ev_type = evtype; - ev->ev_destroy = event_free; - ev->ev_destroy_arg = find; -@@ -1827,6 +1829,7 @@ new_adbfind(dns_adb_t *adb) { - h->flags = 0; - h->result_v4 = ISC_R_UNEXPECTED; - h->result_v6 = ISC_R_UNEXPECTED; -+ h->qtotal = 0; - ISC_LINK_INIT(h, publink); - ISC_LINK_INIT(h, plink); - ISC_LIST_INIT(h->list); -@@ -2799,6 +2802,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - isc_stdtime_t now, dns_name_t *target, - in_port_t port, dns_adbfind_t **findp) - { -+ return (dns_adb_createfind2(adb, task, action, arg, name, -+ qname, qtype, options, now, -+ target, port, 0, findp)); -+} -+ -+isc_result_t -+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, -+ void *arg, dns_name_t *name, dns_name_t *qname, -+ dns_rdatatype_t qtype, unsigned int options, -+ isc_stdtime_t now, dns_name_t *target, -+ in_port_t port, unsigned int depth, -+ dns_adbfind_t **findp) -+{ - dns_adbfind_t *find; - dns_adbname_t *adbname; - int bucket; -@@ -3029,7 +3045,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - * Start V4. - */ - if (WANT_INET(wanted_fetches) && -- fetch_name(adbname, start_at_zone, -+ fetch_name(adbname, start_at_zone, depth, - dns_rdatatype_a) == ISC_R_SUCCESS) { - DP(DEF_LEVEL, - "dns_adb_createfind: started A fetch for name %p", -@@ -3040,7 +3056,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - * Start V6. - */ - if (WANT_INET6(wanted_fetches) && -- fetch_name(adbname, start_at_zone, -+ fetch_name(adbname, start_at_zone, depth, - dns_rdatatype_aaaa) == ISC_R_SUCCESS) { - DP(DEF_LEVEL, - "dns_adb_createfind: " -@@ -3656,6 +3672,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { - isc_result_t result; - unsigned int address_type; - isc_boolean_t want_check_exit = ISC_FALSE; -+ isc_uint32_t qtotal = 0; - - UNUSED(task); - -@@ -3666,6 +3683,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { - adb = name->adb; - INSIST(DNS_ADB_VALID(adb)); - -+ qtotal = dev->qtotal; -+ - bucket = name->lock_bucket; - LOCK(&adb->namelocks[bucket]); - -@@ -3783,6 +3802,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { - DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s", - buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA", - dns_result_totext(dev->result)); -+ /* -+ * Don't record a failure unless this is the initial -+ * fetch of a chain. -+ */ -+ if (fetch->depth > 1) -+ goto out; - /* XXXMLG Don't pound on bad servers. */ - if (address_type == DNS_ADBFIND_INET) { - name->expire_v4 = ISC_MIN(name->expire_v4, now + 300); -@@ -3814,15 +3839,14 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) { - free_adbfetch(adb, &fetch); - isc_event_free(&ev); - -- clean_finds_at_name(name, ev_status, address_type); -+ clean_finds_at_name(name, ev_status, qtotal, address_type); - - UNLOCK(&adb->namelocks[bucket]); - } - - static isc_result_t --fetch_name(dns_adbname_t *adbname, -- isc_boolean_t start_at_zone, -- dns_rdatatype_t type) -+fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone, -+ unsigned int depth, dns_rdatatype_t type) - { - isc_result_t result; - dns_adbfetch_t *fetch = NULL; -@@ -3867,12 +3891,14 @@ fetch_name(dns_adbname_t *adbname, - result = ISC_R_NOMEMORY; - goto cleanup; - } -- -- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name, -- type, name, nameservers, NULL, -- options, adb->task, fetch_callback, -- adbname, &fetch->rdataset, NULL, -- &fetch->fetch); -+ fetch->depth = depth; -+ -+ result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name, -+ type, name, nameservers, NULL, -+ NULL, 0, options, depth, adb->task, -+ fetch_callback, adbname, -+ &fetch->rdataset, NULL, -+ &fetch->fetch); - if (result != ISC_R_SUCCESS) - goto cleanup; - -diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h -index 35350ff..7501f01 100644 ---- a/lib/dns/include/dns/adb.h -+++ b/lib/dns/include/dns/adb.h -@@ -118,6 +118,8 @@ struct dns_adbfind { - isc_result_t result_v6; /*%< RO: v6 result */ - ISC_LINK(dns_adbfind_t) publink; /*%< RW: client use */ - -+ isc_uint32_t qtotal; -+ - /* Private */ - isc_mutex_t lock; /* locks all below */ - in_port_t port; -@@ -334,6 +336,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - dns_rdatatype_t qtype, unsigned int options, - isc_stdtime_t now, dns_name_t *target, - in_port_t port, dns_adbfind_t **find); -+isc_result_t -+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, -+ void *arg, dns_name_t *name, dns_name_t *qname, -+ dns_rdatatype_t qtype, unsigned int options, -+ isc_stdtime_t now, dns_name_t *target, in_port_t port, -+ unsigned int depth, dns_adbfind_t **find); - /*%< - * Main interface for clients. The adb will look up the name given in - * "name" and will build up a list of found addresses, and perhaps start -diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h -index 4e20eb6..c256049 100644 ---- a/lib/dns/include/dns/resolver.h -+++ b/lib/dns/include/dns/resolver.h -@@ -82,6 +82,7 @@ typedef struct dns_fetchevent { - isc_sockaddr_t * client; - dns_messageid_t id; - isc_result_t vresult; -+ isc_uint32_t qtotal; - } dns_fetchevent_t; - - /* -@@ -275,6 +276,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, - dns_rdataset_t *rdataset, - dns_rdataset_t *sigrdataset, - dns_fetch_t **fetchp); -+isc_result_t -+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, -+ dns_rdatatype_t type, -+ dns_name_t *domain, dns_rdataset_t *nameservers, -+ dns_forwarders_t *forwarders, -+ isc_sockaddr_t *client, isc_uint16_t id, -+ unsigned int options, unsigned int depth, -+ isc_task_t *task, -+ isc_taskaction_t action, void *arg, -+ dns_rdataset_t *rdataset, -+ dns_rdataset_t *sigrdataset, -+ dns_fetch_t **fetchp); - /*%< - * Recurse to answer a question. - * -@@ -576,6 +589,18 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp); - * \li resolver to be valid. - */ - -+void -+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth); -+unsigned int -+dns_resolver_getmaxdepth(dns_resolver_t *resolver); -+/*% -+ * Get and set how many NS indirections will be followed when looking for -+ * nameserver addresses. -+ * -+ * Requires: -+ * \li resolver to be valid. -+ */ -+ - ISC_LANG_ENDDECLS - - #endif /* DNS_RESOLVER_H */ -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index e517dad..6a635b2 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -131,6 +131,16 @@ - #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */ - #endif - -+/* The default maximum number of recursions to follow before giving up. */ -+#ifndef DEFAULT_RECURSION_DEPTH -+#define DEFAULT_RECURSION_DEPTH 7 -+#endif -+ -+/* The default maximum number of iterative queries to allow before giving up. */ -+#ifndef DEFAULT_MAX_QUERIES -+#define DEFAULT_MAX_QUERIES 50 -+#endif -+ - /*% - * Maximum EDNS0 input packet size. - */ -@@ -297,6 +307,7 @@ struct fetchctx { - isc_uint64_t duration; - isc_boolean_t logged; - unsigned int querysent; -+ unsigned int totalqueries; - unsigned int referrals; - unsigned int lamecount; - unsigned int neterr; -@@ -307,6 +318,7 @@ struct fetchctx { - isc_boolean_t timeout; - dns_adbaddrinfo_t *addrinfo; - isc_sockaddr_t *client; -+ unsigned int depth; - }; - - #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') -@@ -419,6 +431,7 @@ struct dns_resolver { - isc_timer_t * spillattimer; - isc_boolean_t zero_no_soa_ttl; - unsigned int query_timeout; -+ unsigned int maxdepth; - - /* Locked by lock. */ - unsigned int references; -@@ -1097,6 +1110,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) { - event->result == DNS_R_NCACHENXRRSET); - } - -+ event->qtotal = fctx->totalqueries; - isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); - count++; - } -@@ -1537,7 +1551,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, - if (result != ISC_R_SUCCESS) - goto cleanup_dispatch; - } -+ - fctx->querysent++; -+ fctx->totalqueries++; - - ISC_LIST_APPEND(fctx->queries, query, link); - query->fctx->nqueries++; -@@ -2194,9 +2210,10 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) { - */ - INSIST(!SHUTTINGDOWN(fctx)); - fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; -- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) -+ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) { - want_try = ISC_TRUE; -- else { -+ fctx->totalqueries += find->qtotal; -+ } else { - fctx->findfail++; - if (fctx->pending == 0) { - /* -@@ -2479,12 +2496,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, - * See what we know about this address. - */ - find = NULL; -- result = dns_adb_createfind(fctx->adb, -- res->buckets[fctx->bucketnum].task, -- fctx_finddone, fctx, name, -- &fctx->name, fctx->type, -- options, now, NULL, -- res->view->dstport, &find); -+ result = dns_adb_createfind2(fctx->adb, -+ res->buckets[fctx->bucketnum].task, -+ fctx_finddone, fctx, name, -+ &fctx->name, fctx->type, -+ options, now, NULL, -+ res->view->dstport, -+ fctx->depth + 1, &find); - if (result != ISC_R_SUCCESS) { - if (result == DNS_R_ALIAS) { - /* -@@ -2592,6 +2610,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) { - - res = fctx->res; - -+ if (fctx->depth > res->maxdepth) { -+ FCTXTRACE("too much NS indirection"); -+ return (DNS_R_SERVFAIL); -+ } -+ - /* - * Forwarders. - */ -@@ -3030,6 +3053,9 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) { - - REQUIRE(!ADDRWAIT(fctx)); - -+ if (fctx->totalqueries > DEFAULT_MAX_QUERIES) -+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); -+ - addrinfo = fctx_nextaddress(fctx); - if (addrinfo == NULL) { - /* -@@ -3388,6 +3414,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) { - * Normal fctx startup. - */ - fctx->state = fetchstate_active; -+ fctx->totalqueries = 0; - /* - * Reset the control event for later use in shutting down - * the fctx. -@@ -3457,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client, - event->fetch = fetch; - event->client = client; - event->id = id; -+ event->qtotal = 0; - dns_fixedname_init(&event->foundname); - - /* -@@ -3493,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) { - static isc_result_t - fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - dns_name_t *domain, dns_rdataset_t *nameservers, -- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp) -+ unsigned int options, unsigned int bucketnum, unsigned int depth, -+ fetchctx_t **fctxp) - { - fetchctx_t *fctx; - isc_result_t result; -@@ -3545,6 +3574,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - fctx->state = fetchstate_init; - fctx->want_shutdown = ISC_FALSE; - fctx->cloned = ISC_FALSE; -+ fctx->depth = depth; - ISC_LIST_INIT(fctx->queries); - ISC_LIST_INIT(fctx->finds); - ISC_LIST_INIT(fctx->altfinds); -@@ -3563,6 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, - fctx->pending = 0; - fctx->restarts = 0; - fctx->querysent = 0; -+ fctx->totalqueries = 0; - fctx->referrals = 0; - TIME_NOW(&fctx->start); - fctx->timeouts = 0; -@@ -7781,6 +7812,7 @@ dns_resolver_create(dns_view_t *view, - res->spillattimer = NULL; - res->zero_no_soa_ttl = ISC_FALSE; - res->query_timeout = DEFAULT_QUERY_TIMEOUT; -+ res->maxdepth = DEFAULT_RECURSION_DEPTH; - res->nbuckets = ntasks; - res->activebuckets = ntasks; - res->buckets = isc_mem_get(view->mctx, -@@ -8219,9 +8251,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name, - dns_rdataset_t *sigrdataset, - dns_fetch_t **fetchp) - { -- return (dns_resolver_createfetch2(res, name, type, domain, -+ return (dns_resolver_createfetch3(res, name, type, domain, - nameservers, forwarders, NULL, 0, -- options, task, action, arg, -+ options, 0, task, action, arg, - rdataset, sigrdataset, fetchp)); - } - -@@ -8237,6 +8269,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, - dns_rdataset_t *sigrdataset, - dns_fetch_t **fetchp) - { -+ return (dns_resolver_createfetch3(res, name, type, domain, -+ nameservers, forwarders, client, id, -+ options, 0, task, action, arg, -+ rdataset, sigrdataset, fetchp)); -+} -+ -+isc_result_t -+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, -+ dns_rdatatype_t type, -+ dns_name_t *domain, dns_rdataset_t *nameservers, -+ dns_forwarders_t *forwarders, -+ isc_sockaddr_t *client, dns_messageid_t id, -+ unsigned int options, unsigned int depth, -+ isc_task_t *task, -+ isc_taskaction_t action, void *arg, -+ dns_rdataset_t *rdataset, -+ dns_rdataset_t *sigrdataset, -+ dns_fetch_t **fetchp) -+{ - dns_fetch_t *fetch; - fetchctx_t *fctx = NULL; - isc_result_t result = ISC_R_SUCCESS; -@@ -8325,11 +8376,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, - - if (fctx == NULL) { - result = fctx_create(res, name, type, domain, nameservers, -- options, bucketnum, &fctx); -+ options, bucketnum, depth, &fctx); - if (result != ISC_R_SUCCESS) - goto unlock; - new_fctx = ISC_TRUE; -- } -+ } else if (fctx->depth > depth) -+ fctx->depth = depth; - - result = fctx_join(fctx, task, client, id, action, arg, - rdataset, sigrdataset, fetch); -@@ -9101,3 +9153,15 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) { - - resolver->query_timeout = seconds; - } -+ -+void -+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) { -+ REQUIRE(VALID_RESOLVER(resolver)); -+ resolver->maxdepth = maxdepth; -+} -+ -+unsigned int -+dns_resolver_getmaxdepth(dns_resolver_t *resolver) { -+ REQUIRE(VALID_RESOLVER(resolver)); -+ return (resolver->maxdepth); -+} -diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index bfd4bab..5f8b037 100644 ---- a/lib/isccfg/namedconf.c -+++ b/lib/isccfg/namedconf.c -@@ -1393,6 +1393,7 @@ view_clauses[] = { - { "max-cache-ttl", &cfg_type_uint32, 0 }, - { "max-clients-per-query", &cfg_type_uint32, 0 }, - { "max-ncache-ttl", &cfg_type_uint32, 0 }, -+ { "max-recursion-depth", &cfg_type_uint32, 0 }, - { "max-udp-size", &cfg_type_uint32, 0 }, - { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, - { "minimal-responses", &cfg_type_boolean, 0 }, --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/cross-build-fix.patch b/meta/recipes-connectivity/bind/bind/cross-build-fix.patch deleted file mode 100644 index 4c37b6b00c..0000000000 --- a/meta/recipes-connectivity/bind/bind/cross-build-fix.patch +++ /dev/null @@ -1,21 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -11/30/2010 -gen.c should be build by ${BUILD_CC} - -Signed-off-by: Qing He - -diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in -index aeadf57..d3fae74 100644 ---- a/lib/export/dns/Makefile.in -+++ b/lib/export/dns/Makefile.in -@@ -166,7 +166,8 @@ code.h: gen - ./gen -s ${srcdir} > code.h - - gen: ${srcdir}/gen.c -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS} -+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ -+ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS} - - #We don't need rbtdb64 for this library - #rbtdb64.@O@: rbtdb.c diff --git a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch index 288e58bb60..6989d6d4b0 100644 --- a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch +++ b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch @@ -10,8 +10,8 @@ Index: bind-9.9.5/bin/Makefile.in VPATH = @srcdir@ top_srcdir = @top_srcdir@ --SUBDIRS = named rndc dig dnssec tools tests nsupdate \ -+SUBDIRS = named rndc dig dnssec tools nsupdate \ +-SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ ++SUBDIRS = named rndc dig delv dnssec tools nsupdate \ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = diff --git a/meta/recipes-connectivity/bind/bind_9.10.2.bb b/meta/recipes-connectivity/bind/bind_9.10.2.bb new file mode 100644 index 0000000000..21be397a9a --- /dev/null +++ b/meta/recipes-connectivity/bind/bind_9.10.2.bb @@ -0,0 +1,101 @@ +SUMMARY = "ISC Internet Domain Name Server" +HOMEPAGE = "http://www.isc.org/sw/bind/" +SECTION = "console/network" + +LICENSE = "ISC & BSD" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f" + +DEPENDS = "openssl libcap" + +SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ + file://conf.patch \ + file://make-etc-initd-bind-stop-work.patch \ + file://mips1-not-support-opcode.diff \ + file://dont-test-on-host.patch \ + file://generate-rndc-key.sh \ + file://named.service \ + file://bind9 \ + file://init.d-add-support-for-read-only-rootfs.patch \ + file://bind-add-crosscripts-search-path-for-xml2-config.patch \ + file://bind-confgen-build-unix.o-once.patch \ + " + +SRC_URI[md5sum] = "dca7a9967947bffa98547fca6130fc04" +SRC_URI[sha256sum] = "6f9bb7908aa45c1edfa391e356fc0afc1ded175386cdefb6cf9e1289f7457a98" + +# --enable-exportlib is necessary for building dhcp +ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" +EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \ + --disable-devpoll --disable-epoll --with-gost=no \ + --with-gssapi=no --with-ecdsa=yes \ + --sysconfdir=${sysconfdir}/bind \ + --with-openssl=${STAGING_LIBDIR}/.. \ + " +inherit autotools-brokensep update-rc.d systemd useradd pkgconfig + +PACKAGECONFIG ?= "libxml2" + +PACKAGECONFIG[libxml2] = "--with-libxml2=${STAGING_LIBDIR}/..,--with-libxml2=no,libxml2" + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "--system --home /var/cache/bind --no-create-home \ + --user-group bind" + +INITSCRIPT_NAME = "bind" +INITSCRIPT_PARAMS = "defaults" + +SYSTEMD_SERVICE_${PN} = "named.service" + +PARALLEL_MAKE = "" + +RDEPENDS_${PN} = "python-core" + +PACKAGE_BEFORE_PN += "${PN}-utils" +FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" +FILES_${PN}-dev += "${bindir}/isc-config.h" +FILES_${PN} += "${sbindir}/generate-rndc-key.sh" + +do_install_prepend() { + # clean host path in isc-config.sh before the hardlink created + # by "make install": + # bind9-config -> isc-config.sh + sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${S}/isc-config.sh +} + +do_install_append() { + rm "${D}${bindir}/nslookup" + rm "${D}${mandir}/man1/nslookup.1" + rmdir "${D}${localstatedir}/run" + rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" + install -d "${D}${localstatedir}/cache/bind" + install -d "${D}${sysconfdir}/bind" + install -d "${D}${sysconfdir}/init.d" + install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/" + install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind" + sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds + + # Install systemd related files + install -d ${D}${localstatedir}/cache/bind + install -d ${D}${sbindir} + install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir} + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + ${D}${systemd_unitdir}/system/named.service + + install -d ${D}${sysconfdir}/default + install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default +} + +CONFFILES_${PN} = " \ + ${sysconfdir}/bind/named.conf \ + ${sysconfdir}/bind/named.conf.local \ + ${sysconfdir}/bind/named.conf.options \ + ${sysconfdir}/bind/db.0 \ + ${sysconfdir}/bind/db.127 \ + ${sysconfdir}/bind/db.empty \ + ${sysconfdir}/bind/db.local \ + ${sysconfdir}/bind/db.root \ + " + diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb deleted file mode 100644 index e34cdedde7..0000000000 --- a/meta/recipes-connectivity/bind/bind_9.9.5.bb +++ /dev/null @@ -1,105 +0,0 @@ -SUMMARY = "ISC Internet Domain Name Server" -HOMEPAGE = "http://www.isc.org/sw/bind/" -SECTION = "console/network" - -LICENSE = "ISC & BSD" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=a3df5f651469919a0e6cb42f84fb6ff1" - -DEPENDS = "openssl libcap" - -SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ - file://conf.patch \ - file://cross-build-fix.patch \ - file://make-etc-initd-bind-stop-work.patch \ - file://mips1-not-support-opcode.diff \ - file://dont-test-on-host.patch \ - file://generate-rndc-key.sh \ - file://named.service \ - file://bind9 \ - file://init.d-add-support-for-read-only-rootfs.patch \ - file://bind9_9_5-CVE-2014-8500.patch \ - file://bind-add-crosscripts-search-path-for-xml2-config.patch \ - file://bind-subdirs-run-serially.patch \ - file://bind-confgen-build-unix.o-once.patch \ - " - -SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e" -SRC_URI[sha256sum] = "d4b64c1dde442145a316679acff2df4008aa117ae52dfa3a6bc69efecc7840d1" - -# --enable-exportlib is necessary for building dhcp -ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" -EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \ - --disable-devpoll --disable-epoll --with-gost=no \ - --with-gssapi=no --with-ecdsa=yes \ - --sysconfdir=${sysconfdir}/bind \ - --with-openssl=${STAGING_LIBDIR}/.. \ - --enable-exportlib --with-export-includedir=${includedir} --with-export-libdir=${libdir} \ - " -inherit autotools-brokensep update-rc.d systemd useradd pkgconfig - -PACKAGECONFIG ?= "libxml2" - -PACKAGECONFIG[libxml2] = "--with-libxml2=${STAGING_LIBDIR}/..,--with-libxml2=no,libxml2" - -USERADD_PACKAGES = "${PN}" -USERADD_PARAM_${PN} = "--system --home /var/cache/bind --no-create-home \ - --user-group bind" - -INITSCRIPT_NAME = "bind" -INITSCRIPT_PARAMS = "defaults" - -SYSTEMD_SERVICE_${PN} = "named.service" - -PARALLEL_MAKE = "" - -RDEPENDS_${PN} = "python-core" - -PACKAGE_BEFORE_PN += "${PN}-utils" -FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" -FILES_${PN}-dev += "${bindir}/isc-config.h" -FILES_${PN} += "${sbindir}/generate-rndc-key.sh" - -do_install_prepend() { - # clean host path in isc-config.sh before the hardlink created - # by "make install": - # bind9-config -> isc-config.sh - sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${S}/isc-config.sh -} - -do_install_append() { - rm "${D}${bindir}/nslookup" - rm "${D}${mandir}/man1/nslookup.1" - rmdir "${D}${localstatedir}/run" - rmdir --ignore-fail-on-non-empty "${D}${localstatedir}" - install -d "${D}${localstatedir}/cache/bind" - install -d "${D}${sysconfdir}/bind" - install -d "${D}${sysconfdir}/init.d" - install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/" - install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind" - sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds - - # Install systemd related files - install -d ${D}${localstatedir}/cache/bind - install -d ${D}${sbindir} - install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir} - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ - -e 's,@SBINDIR@,${sbindir},g' \ - ${D}${systemd_unitdir}/system/named.service - - install -d ${D}${sysconfdir}/default - install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default -} - -CONFFILES_${PN} = " \ - ${sysconfdir}/bind/named.conf \ - ${sysconfdir}/bind/named.conf.local \ - ${sysconfdir}/bind/named.conf.options \ - ${sysconfdir}/bind/db.0 \ - ${sysconfdir}/bind/db.127 \ - ${sysconfdir}/bind/db.empty \ - ${sysconfdir}/bind/db.local \ - ${sysconfdir}/bind/db.root \ - " - -- cgit 1.2.3-korg