[OE-core] [PATCH 1/1] bind: 9.10..3-P3 -> 9.10.5-P3

kai.kang at windriver.com kai.kang at windriver.com
Wed Jul 12 01:25:05 UTC 2017


From: Kai Kang <kai.kang at windriver.com>

Upgrade bind from 9.10.3-P3 to 9.10.5-P3

* Update md5sum of LIC_FILES_CHKSUM that it update year in file COPYRIGHT
* Remvoe mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that there are backported from upstream
* Use python3 for build and make sure install .py files to right directory

Signed-off-by: Kai Kang <kai.kang at windriver.com>
---
 ...0001-build-use-pkg-config-to-find-libxml2.patch |   10 +-
 .../bind/bind/CVE-2016-1285.patch                  |  154 ---
 .../bind/bind/CVE-2016-1286_1.patch                |   79 --
 .../bind/bind/CVE-2016-1286_2.patch                |  317 ------
 .../bind/bind/CVE-2016-2088.patch                  |  247 -----
 .../bind/bind/CVE-2016-2775.patch                  |   90 --
 .../bind/bind/CVE-2016-2776.patch                  |  123 ---
 .../bind/bind/CVE-2016-6170.patch                  | 1090 --------------------
 .../bind/bind/CVE-2016-8864.patch                  |  219 ----
 .../bind/bind/bind-confgen-build-unix.o-once.patch |   10 +-
 .../bind/bind/mips1-not-support-opcode.diff        |  104 --
 .../use-python3-and-fix-install-lib-path.patch     |   36 +
 .../bind/{bind_9.10.3-P3.bb => bind_9.10.5-P3.bb}  |   25 +-
 13 files changed, 61 insertions(+), 2443 deletions(-)
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
 delete mode 100644 meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
 create mode 100644 meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
 rename meta/recipes-connectivity/bind/{bind_9.10.3-P3.bb => bind_9.10.5-P3.bb} (85%)

diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
index 805cbb3..1e23c0f 100644
--- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
@@ -7,15 +7,19 @@ Signed-off-by: Ross Burton <ross.burton at intel.com>
 Update context for version 9.10.3-P2.
 
 Signed-off-by: Kai Kang <kai.kang at windriver.com>
+
+Update context for version 9.10.5-P3.
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
 ---
  configure.in | 23 +++--------------------
  1 file changed, 3 insertions(+), 20 deletions(-)
 
 diff --git a/configure.in b/configure.in
-index 0db826d..75819eb 100644
+index 4da73a4..6f2a754 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -2107,26 +2107,9 @@ case "$use_libxml2" in
+@@ -2282,26 +2282,9 @@ case "$use_libxml2" in
  		DST_LIBXML2_INC=""
  		;;
  	auto|yes)
@@ -25,7 +29,7 @@ index 0db826d..75819eb 100644
 -			libxml2_cflags=`xml2-config --cflags`
 -			;;
 -		*)
--			if test "$use_libxml2" = "yes" ; then
+-			if test "yes" = "$use_libxml2" ; then
 -				AC_MSG_RESULT(no)
 -				AC_MSG_ERROR(required libxml2 version not available)
 -			else
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
deleted file mode 100644
index 2149bd1..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka at isc.org>
-Date: Thu, 18 Feb 2016 12:11:27 +1100
-Subject: [PATCH] 4318.   [security]      Malformed control messages can
- trigger assertions                         in named and rndc. (CVE-2016-1285)
- [RT #41666]
-
-(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
-
-CVE: CVE-2016-1285
-Upstream-Status: Backport
-[Removed doc/arm/notes.xml changes from upstream patch]
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- CHANGES                 |  3 +++
- bin/named/control.c     |  2 +-
- bin/named/controlconf.c |  2 +-
- bin/rndc/rndc.c         |  8 ++++----
- doc/arm/notes.xml       | 11 +++++++++++
- lib/isccc/cc.c          | 14 +++++++-------
- 6 files changed, 27 insertions(+), 13 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index b9bd9ef..2c727d5 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,6 @@
-+4318.	[security]	Malformed control messages can trigger assertions
-+			in named and rndc. (CVE-2016-1285) [RT #41666]
-+
- 	--- 9.10.3-P3 released ---
- 
- 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
-diff --git a/bin/named/control.c b/bin/named/control.c
-index 8554335..81340ca 100644
---- a/bin/named/control.c
-+++ b/bin/named/control.c
-@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
- #endif
- 
- 	data = isccc_alist_lookup(message, "_data");
--	if (data == NULL) {
-+	if (!isccc_alist_alistp(data)) {
- 		/*
- 		 * No data section.
- 		 */
-diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
-index 765afdd..a39ab8b 100644
---- a/bin/named/controlconf.c
-+++ b/bin/named/controlconf.c
-@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
- 	 * Limit exposure to replay attacks.
- 	 */
- 	_ctrl = isccc_alist_lookup(request, "_ctrl");
--	if (_ctrl == NULL) {
-+	if (!isccc_alist_alistp(_ctrl)) {
- 		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- 		goto cleanup_request;
- 	}
-diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
-index cb17050..b6e05c8 100644
---- a/bin/rndc/rndc.c
-+++ b/bin/rndc/rndc.c
-@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
- 	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
- 
- 	data = isccc_alist_lookup(response, "_data");
--	if (data == NULL)
--		fatal("no data section in response");
-+	if (!isccc_alist_alistp(data))
-+		fatal("bad or missing data section in response");
- 	result = isccc_cc_lookupstring(data, "err", &errormsg);
- 	if (result == ISC_R_SUCCESS) {
- 		failed = ISC_TRUE;
-@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
- 	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
- 
- 	_ctrl = isccc_alist_lookup(response, "_ctrl");
--	if (_ctrl == NULL)
--		fatal("_ctrl section missing");
-+	if (!isccc_alist_alistp(_ctrl))
-+		fatal("bad or missing ctrl section in response");
- 	nonce = 0;
- 	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
- 		nonce = 0;
-diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
-index 47a3b74..2bb961e 100644
---- a/lib/isccc/cc.c
-+++ b/lib/isccc/cc.c
-@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
- 	 * Extract digest.
- 	 */
- 	_auth = isccc_alist_lookup(alist, "_auth");
--	if (_auth == NULL)
-+	if (!isccc_alist_alistp(_auth))
- 		return (ISC_R_FAILURE);
- 	if (algorithm == ISCCC_ALG_HMACMD5)
- 		hmac = isccc_alist_lookup(_auth, "hmd5");
- 	else
- 		hmac = isccc_alist_lookup(_auth, "hsha");
--	if (hmac == NULL)
-+	if (!isccc_sexpr_binaryp(hmac))
- 		return (ISC_R_FAILURE);
- 	/*
- 	 * Compute digest.
-@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
- 	REQUIRE(ackp != NULL && *ackp == NULL);
- 
- 	_ctrl = isccc_alist_lookup(message, "_ctrl");
--	if (_ctrl == NULL ||
-+	if (!isccc_alist_alistp(_ctrl) ||
- 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
- 	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
- 		return (ISC_R_FAILURE);
-@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
- 	isccc_sexpr_t *_ctrl;
- 
- 	_ctrl = isccc_alist_lookup(message, "_ctrl");
--	if (_ctrl == NULL)
-+	if (!isccc_alist_alistp(_ctrl))
- 		return (ISC_FALSE);
- 	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
- 		return (ISC_TRUE);
-@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
- 	isccc_sexpr_t *_ctrl;
- 
- 	_ctrl = isccc_alist_lookup(message, "_ctrl");
--	if (_ctrl == NULL)
-+	if (!isccc_alist_alistp(_ctrl))
- 		return (ISC_FALSE);
- 	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
- 		return (ISC_TRUE);
-@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
- 
- 	_ctrl = isccc_alist_lookup(message, "_ctrl");
- 	_data = isccc_alist_lookup(message, "_data");
--	if (_ctrl == NULL || _data == NULL ||
-+	if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
- 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
- 	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
- 		return (ISC_R_FAILURE);
-@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
- 	isccc_sexpr_t *_ctrl;
- 
- 	_ctrl = isccc_alist_lookup(message, "_ctrl");
--	if (_ctrl == NULL ||
-+	if (!isccc_alist_alistp(_ctrl) ||
- 	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
- 	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
- 		return (ISC_R_FAILURE);
--- 
-1.9.1
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
deleted file mode 100644
index ae5cc48..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
-From: Mukund Sivaraman <muks at isc.org>
-Date: Mon, 22 Feb 2016 12:22:43 +0530
-Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
- (CVE-2016-1286) (#41753)
-
-(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
-
-CVE: CVE-2016-1286
-Upstream-Status: Backport
-
-[Removed doc/arm/notes.xml changes from upstream patch.]
-
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
-diff -ruN a/CHANGES b/CHANGES
---- a/CHANGES	2016-04-13 07:28:44.940873629 +0200
-+++ b/CHANGES	2016-04-13 07:38:38.923167851 +0200
-@@ -1,3 +1,7 @@
-+4319.  [security]      Fix resolver assertion failure due to improper
-+                       DNAME handling when parsing fetch reply messages.
-+                       (CVE-2016-1286) [RT #41753]
-+
- 4318.	[security]	Malformed control messages can trigger assertions
- 			in named and rndc. (CVE-2016-1285) [RT #41666]
- 
-diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
---- a/lib/dns/resolver.c	2016-04-13 07:28:43.088953790 +0200
-+++ b/lib/dns/resolver.c	2016-04-13 07:38:20.411968925 +0200
-@@ -6967,21 +6967,26 @@
- 				isc_boolean_t found_dname = ISC_FALSE;
- 				dns_name_t *dname_name;
- 
-+				/*
-+				 * Only pass DNAME or RRSIG(DNAME).
-+				 */
-+				if (rdataset->type != dns_rdatatype_dname &&
-+				    (rdataset->type != dns_rdatatype_rrsig ||
-+				     rdataset->covers != dns_rdatatype_dname))
-+					continue;
-+
-+				/*
-+				 * If we're not chaining, then the DNAME and
-+				 * its signature should not be external.
-+				 */
-+				if (!chaining && external) {
-+					log_formerr(fctx, "external DNAME");
-+					return (DNS_R_FORMERR);
-+				}
-+
- 				found = ISC_FALSE;
- 				aflag = 0;
- 				if (rdataset->type == dns_rdatatype_dname) {
--					/*
--					 * We're looking for something else,
--					 * but we found a DNAME.
--					 *
--					 * If we're not chaining, then the
--					 * DNAME should not be external.
--					 */
--					if (!chaining && external) {
--						log_formerr(fctx,
--							    "external DNAME");
--						return (DNS_R_FORMERR);
--					}
- 					found = ISC_TRUE;
- 					want_chaining = ISC_TRUE;
- 					POST(want_chaining);
-@@ -7010,9 +7015,7 @@
- 							&fctx->domain)) {
- 						return (DNS_R_SERVFAIL);
- 					}
--				} else if (rdataset->type == dns_rdatatype_rrsig
--					   && rdataset->covers ==
--					   dns_rdatatype_dname) {
-+				} else {
- 					/*
- 					 * We've found a signature that
- 					 * covers the DNAME.
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
deleted file mode 100644
index 5f5cb0d..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
+++ /dev/null
@@ -1,317 +0,0 @@
-From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka at isc.org>
-Date: Mon, 29 Feb 2016 07:16:48 +1100
-Subject: [PATCH] Part 2 of: 4319.   [security]      Fix resolver assertion
- failure due to improper                         DNAME handling when parsing
- fetch reply messages.                         (CVE-2016-1286) [RT #41753]
-
-CVE: CVE-2016-1286
-Upstream-Status: Backport
-
-(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374)
-Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
----
- lib/dns/resolver.c | 192 ++++++++++++++++++++++++++---------------------------
- 1 file changed, 93 insertions(+), 99 deletions(-)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 70aba87..41e9df4 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
- }
- 
- static inline isc_result_t
--dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
--	     dns_name_t *oname, dns_fixedname_t *fixeddname)
-+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
-+	     unsigned int nlabels, dns_fixedname_t *fixeddname)
- {
- 	isc_result_t result;
- 	dns_rdata_t rdata = DNS_RDATA_INIT;
--	unsigned int nlabels;
--	int order;
--	dns_namereln_t namereln;
- 	dns_rdata_dname_t dname;
- 	dns_fixedname_t prefix;
- 
-@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
- 	if (result != ISC_R_SUCCESS)
- 		return (result);
- 
--	/*
--	 * Get the prefix of qname.
--	 */
--	namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
--	if (namereln != dns_namereln_subdomain) {
--		char qbuf[DNS_NAME_FORMATSIZE];
--		char obuf[DNS_NAME_FORMATSIZE];
--
--		dns_rdata_freestruct(&dname);
--		dns_name_format(qname, qbuf, sizeof(qbuf));
--		dns_name_format(oname, obuf, sizeof(obuf));
--		log_formerr(fctx, "unrelated DNAME in answer: "
--				   "%s is not in %s", qbuf, obuf);
--		return (DNS_R_FORMERR);
--	}
- 	dns_fixedname_init(&prefix);
- 	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
- 	dns_fixedname_init(fixeddname);
-@@ -6736,13 +6718,13 @@ static isc_result_t
- answer_response(fetchctx_t *fctx) {
- 	isc_result_t result;
- 	dns_message_t *message;
--	dns_name_t *name, *qname, tname, *ns_name;
-+	dns_name_t *name, *dname, *qname, tname, *ns_name;
- 	dns_rdataset_t *rdataset, *ns_rdataset;
- 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
- 	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
- 	unsigned int aflag;
- 	dns_rdatatype_t type;
--	dns_fixedname_t dname, fqname;
-+	dns_fixedname_t fdname, fqname;
- 	dns_view_t *view;
- 
- 	FCTXTRACE("answer_response");
-@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) {
- 	view = fctx->res->view;
- 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- 	while (!done && result == ISC_R_SUCCESS) {
-+		dns_namereln_t namereln;
-+		int order;
-+		unsigned int nlabels;
-+
- 		name = NULL;
- 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
- 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
--		if (dns_name_equal(name, qname)) {
-+		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-+		if (namereln == dns_namereln_equal) {
- 			wanted_chaining = ISC_FALSE;
- 			for (rdataset = ISC_LIST_HEAD(name->list);
- 			     rdataset != NULL;
-@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) {
- 						 */
- 						INSIST(!external);
- 						if (aflag ==
--						    DNS_RDATASETATTR_ANSWER)
-+						    DNS_RDATASETATTR_ANSWER) {
- 							have_answer = ISC_TRUE;
--						name->attributes |=
--							DNS_NAMEATTR_ANSWER;
-+							name->attributes |=
-+								DNS_NAMEATTR_ANSWER;
-+						}
- 						rdataset->attributes |= aflag;
- 						if (aa)
- 							rdataset->trust =
-@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) {
- 			if (wanted_chaining)
- 				chaining = ISC_TRUE;
- 		} else {
-+			dns_rdataset_t *dnameset = NULL;
-+
- 			/*
- 			 * Look for a DNAME (or its SIG).  Anything else is
- 			 * ignored.
-@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) {
- 			wanted_chaining = ISC_FALSE;
- 			for (rdataset = ISC_LIST_HEAD(name->list);
- 			     rdataset != NULL;
--			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
--				isc_boolean_t found_dname = ISC_FALSE;
--				dns_name_t *dname_name;
--
-+			     rdataset = ISC_LIST_NEXT(rdataset, link))
-+			{
- 				/*
- 				 * Only pass DNAME or RRSIG(DNAME).
- 				 */
-@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) {
- 				 * its signature should not be external.
- 				 */
- 				if (!chaining && external) {
--					log_formerr(fctx, "external DNAME");
-+					char qbuf[DNS_NAME_FORMATSIZE];
-+					char obuf[DNS_NAME_FORMATSIZE];
-+
-+					dns_name_format(name, qbuf,
-+							sizeof(qbuf));
-+					dns_name_format(&fctx->domain, obuf,
-+							sizeof(obuf));
-+					log_formerr(fctx, "external DNAME or "
-+						    "RRSIG covering DNAME "
-+						    "in answer: %s is "
-+						    "not in %s", qbuf, obuf);
-+					return (DNS_R_FORMERR);
-+				}
-+
-+				if (namereln != dns_namereln_subdomain) {
-+					char qbuf[DNS_NAME_FORMATSIZE];
-+					char obuf[DNS_NAME_FORMATSIZE];
-+
-+					dns_name_format(qname, qbuf,
-+							sizeof(qbuf));
-+					dns_name_format(name, obuf,
-+							sizeof(obuf));
-+					log_formerr(fctx, "unrelated DNAME "
-+						    "in answer: %s is "
-+						    "not in %s", qbuf, obuf);
- 					return (DNS_R_FORMERR);
- 				}
- 
--				found = ISC_FALSE;
- 				aflag = 0;
- 				if (rdataset->type == dns_rdatatype_dname) {
--					found = ISC_TRUE;
- 					want_chaining = ISC_TRUE;
- 					POST(want_chaining);
- 					aflag = DNS_RDATASETATTR_ANSWER;
--					result = dname_target(fctx, rdataset,
--							      qname, name,
--							      &dname);
-+					result = dname_target(rdataset, qname,
-+							      nlabels, &fdname);
- 					if (result == ISC_R_NOSPACE) {
- 						/*
- 						 * We can't construct the
-@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) {
- 					} else if (result != ISC_R_SUCCESS)
- 						return (result);
- 					else
--						found_dname = ISC_TRUE;
-+						dnameset = rdataset;
- 
--					dname_name = dns_fixedname_name(&dname);
-+					dname = dns_fixedname_name(&fdname);
- 					if (!is_answertarget_allowed(view,
--							qname,
--							rdataset->type,
--							dname_name,
--							&fctx->domain)) {
-+							qname, rdataset->type,
-+							dname, &fctx->domain)) {
- 						return (DNS_R_SERVFAIL);
- 					}
- 				} else {
-@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) {
- 					 * We've found a signature that
- 					 * covers the DNAME.
- 					 */
--					found = ISC_TRUE;
- 					aflag = DNS_RDATASETATTR_ANSWERSIG;
- 				}
- 
--				if (found) {
-+				/*
-+				 * We've found an answer to our
-+				 * question.
-+				 */
-+				name->attributes |= DNS_NAMEATTR_CACHE;
-+				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
-+				rdataset->trust = dns_trust_answer;
-+				if (!chaining) {
- 					/*
--					 * We've found an answer to our
--					 * question.
-+					 * This data is "the" answer to
-+					 * our question only if we're
-+					 * not chaining.
- 					 */
--					name->attributes |=
--						DNS_NAMEATTR_CACHE;
--					rdataset->attributes |=
--						DNS_RDATASETATTR_CACHE;
--					rdataset->trust = dns_trust_answer;
--					if (!chaining) {
--						/*
--						 * This data is "the" answer
--						 * to our question only if
--						 * we're not chaining.
--						 */
--						INSIST(!external);
--						if (aflag ==
--						    DNS_RDATASETATTR_ANSWER)
--							have_answer = ISC_TRUE;
-+					INSIST(!external);
-+					if (aflag == DNS_RDATASETATTR_ANSWER) {
-+						have_answer = ISC_TRUE;
- 						name->attributes |=
- 							DNS_NAMEATTR_ANSWER;
--						rdataset->attributes |= aflag;
--						if (aa)
--							rdataset->trust =
--							  dns_trust_authanswer;
--					} else if (external) {
--						rdataset->attributes |=
--						    DNS_RDATASETATTR_EXTERNAL;
--					}
--
--					/*
--					 * DNAME chaining.
--					 */
--					if (found_dname) {
--						/*
--						 * Copy the dname into the
--						 * qname fixed name.
--						 *
--						 * Although we check for
--						 * failure of the copy
--						 * operation, in practice it
--						 * should never fail since
--						 * we already know that the
--						 * result fits in a fixedname.
--						 */
--						dns_fixedname_init(&fqname);
--						result = dns_name_copy(
--						  dns_fixedname_name(&dname),
--						  dns_fixedname_name(&fqname),
--						  NULL);
--						if (result != ISC_R_SUCCESS)
--							return (result);
--						wanted_chaining = ISC_TRUE;
--						name->attributes |=
--							DNS_NAMEATTR_CHAINING;
--						rdataset->attributes |=
--						    DNS_RDATASETATTR_CHAINING;
--						qname = dns_fixedname_name(
--								   &fqname);
- 					}
-+					rdataset->attributes |= aflag;
-+					if (aa)
-+						rdataset->trust =
-+						  dns_trust_authanswer;
-+				} else if (external) {
-+					rdataset->attributes |=
-+					    DNS_RDATASETATTR_EXTERNAL;
- 				}
- 			}
-+
-+			/*
-+			 * DNAME chaining.
-+			 */
-+			if (dnameset != NULL) {
-+				/*
-+				 * Copy the dname into the qname fixed name.
-+				 *
-+				 * Although we check for failure of the copy
-+				 * operation, in practice it should never fail
-+				 * since we already know that the  result fits
-+				 * in a fixedname.
-+				 */
-+				dns_fixedname_init(&fqname);
-+				qname = dns_fixedname_name(&fqname);
-+				result = dns_name_copy(dname, qname, NULL);
-+				if (result != ISC_R_SUCCESS)
-+					return (result);
-+				wanted_chaining = ISC_TRUE;
-+				name->attributes |= DNS_NAMEATTR_CHAINING;
-+				dnameset->attributes |=
-+					    DNS_RDATASETATTR_CHAINING;
-+			}
- 			if (wanted_chaining)
- 				chaining = ISC_TRUE;
- 		}
--- 
-1.9.1
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
deleted file mode 100644
index 1b84d46..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
+++ /dev/null
@@ -1,247 +0,0 @@
-CVE-2016-2088
-
-Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
-v9_10_3_patch branch.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
-https://kb.isc.org/article/AA-01351
-
-CVE: CVE-2016-2088
-Upstream-Status: Backport
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen at intel.com>
-
-
-Original commit message from Mark Andrews <marka at isc.org> below:
-
-4322.   [security]      Duplicate EDNS COOKIE options in a response could
-                        trigger an assertion failure. (CVE-2016-2088)
-                        [RT #41809]
-
-(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
-(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
----
- CHANGES            |  4 ++++
- bin/dig/dighost.c  |  9 +++++++++
- bin/named/client.c | 33 +++++++++++++++++++++++----------
- doc/arm/notes.xml  |  7 +++++++
- lib/dns/resolver.c | 14 +++++++++++++-
- 5 files changed, 56 insertions(+), 11 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index c5b5d2b..d2e3360 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,7 @@
-+4322.  [security]      Duplicate EDNS COOKIE options in a response could
-+                       trigger an assertion failure. (CVE-2016-2088)
-+                       [RT #41809]
-+
- 4319.  [security]      Fix resolver assertion failure due to improper
-                        DNAME handling when parsing fetch reply messages.
-                        (CVE-2016-1286) [RT #41753]
-diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
-index ca82f8e..340904f 100644
---- a/bin/dig/dighost.c
-+++ b/bin/dig/dighost.c
-@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
- 	isc_buffer_t optbuf;
- 	isc_uint16_t optcode, optlen;
- 	dns_rdataset_t *opt = msg->opt;
-+	isc_boolean_t seen_cookie = ISC_FALSE;
- 
- 	result = dns_rdataset_first(opt);
- 	if (result == ISC_R_SUCCESS) {
-@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
- 			optlen = isc_buffer_getuint16(&optbuf);
- 			switch (optcode) {
- 			case DNS_OPT_COOKIE:
-+				/*
-+				 * Only process the first cookie option.
-+				 */
-+				if (seen_cookie) {
-+					isc_buffer_forward(&optbuf, optlen);
-+					break;
-+				}
- 				process_sit(l, msg, &optbuf, optlen);
-+				seen_cookie = ISC_TRUE;
- 				break;
- 			default:
- 				isc_buffer_forward(&optbuf, optlen);
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 683305c..0d7331a 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -120,7 +120,10 @@
-  */
- #endif
- 
--#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
-+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
-+
-+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
-+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
- 
- /*% nameserver client manager structure */
- struct ns_clientmgr {
-@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
- {
- 	char nsid[BUFSIZ], *nsidp;
- #ifdef ISC_PLATFORM_USESIT
--	unsigned char sit[SIT_SIZE];
-+	unsigned char sit[COOKIE_SIZE];
- #endif
- 	isc_result_t result;
- 	dns_view_t *view;
-@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
- 	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
- 
- 	/* Set EDNS options if applicable */
--	if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
-+	if (WANTNSID(client) &&
- 	    (ns_g_server->server_id != NULL ||
- 	     ns_g_server->server_usehostname)) {
- 		if (ns_g_server->server_usehostname) {
-@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
- 
- 		INSIST(count < DNS_EDNSOPTIONS);
- 		ednsopts[count].code = DNS_OPT_COOKIE;
--		ednsopts[count].length = SIT_SIZE;
-+		ednsopts[count].length = COOKIE_SIZE;
- 		ednsopts[count].value = sit;
- 		count++;
- 	}
-@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
- 
- static void
- process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
--	unsigned char dbuf[SIT_SIZE];
-+	unsigned char dbuf[COOKIE_SIZE];
- 	unsigned char *old;
- 	isc_stdtime_t now;
- 	isc_uint32_t when;
- 	isc_uint32_t nonce;
- 	isc_buffer_t db;
- 
-+	/*
-+	 * If we have already seen a ECS option skip this ECS option.
-+	 */
-+	if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
-+		isc_buffer_forward(buf, optlen);
-+		return;
-+	}
- 	client->attributes |= NS_CLIENTATTR_WANTSIT;
- 
- 	isc_stats_increment(ns_g_server->nsstats,
- 			    dns_nsstatscounter_sitopt);
- 
--	if (optlen != SIT_SIZE) {
-+	if (optlen != COOKIE_SIZE) {
- 		/*
- 		 * Not our token.
- 		 */
-@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
- 	isc_buffer_init(&db, dbuf, sizeof(dbuf));
- 	compute_sit(client, when, nonce, &db);
- 
--	if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
-+	if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
- 		isc_stats_increment(ns_g_server->nsstats,
- 				    dns_nsstatscounter_sitnomatch);
- 		return;
- 	}
- 	isc_stats_increment(ns_g_server->nsstats,
- 			    dns_nsstatscounter_sitmatch);
--
- 	client->attributes |= NS_CLIENTATTR_HAVESIT;
- }
- #endif
-@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
- 			optlen = isc_buffer_getuint16(&optbuf);
- 			switch (optcode) {
- 			case DNS_OPT_NSID:
--				isc_stats_increment(ns_g_server->nsstats,
-+				if (!WANTNSID(client))
-+					isc_stats_increment(
-+						    ns_g_server->nsstats,
- 						    dns_nsstatscounter_nsidopt);
- 				client->attributes |= NS_CLIENTATTR_WANTNSID;
- 				isc_buffer_forward(&optbuf, optlen);
-@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
- 				break;
- #endif
- 			case DNS_OPT_EXPIRE:
--				isc_stats_increment(ns_g_server->nsstats,
-+				if (!WANTEXPIRE(client))
-+					isc_stats_increment(
-+						  ns_g_server->nsstats,
- 						  dns_nsstatscounter_expireopt);
- 				client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
- 				isc_buffer_forward(&optbuf, optlen);
-diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index ebf4f55..095eb5b 100644
---- a/doc/arm/notes.xml
-+++ b/doc/arm/notes.xml
-@@ -51,6 +51,13 @@
-     <title>Security Fixes</title>
-     <itemizedlist>
-       <listitem>
-+       <para>
-+         Duplicate EDNS COOKIE options in a response could trigger
-+         an assertion failure. This flaw is disclosed in CVE-2016-2088.
-+         [RT #41809]
-+       </para>
-+      </listitem>
-+      <listitem>
- 	<para>
- 	  Specific APL data could trigger an INSIST.  This flaw
- 	  was discovered by Brian Mitchell and is disclosed in
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index a797e3f..ba1ae23 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
- 	unsigned char *sit;
- 	dns_adbaddrinfo_t *addrinfo;
- 	unsigned char cookie[8];
-+	isc_boolean_t seen_cookie = ISC_FALSE;
- #endif
-+	isc_boolean_t seen_nsid = ISC_FALSE;
- 
- 	result = dns_rdataset_first(opt);
- 	if (result == ISC_R_SUCCESS) {
-@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
- 			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
- 			switch (optcode) {
- 			case DNS_OPT_NSID:
--				if (query->options & DNS_FETCHOPT_WANTNSID)
-+				if (!seen_nsid &&
-+				    query->options & DNS_FETCHOPT_WANTNSID)
- 					log_nsid(&optbuf, optlen, query,
- 						 ISC_LOG_DEBUG(3),
- 						 query->fctx->res->mctx);
- 				isc_buffer_forward(&optbuf, optlen);
-+				seen_nsid = ISC_TRUE;
- 				break;
- #ifdef ISC_PLATFORM_USESIT
- 			case DNS_OPT_COOKIE:
-+				/*
-+				 * Only process the first cookie option.
-+				 */
-+				if (seen_cookie) {
-+					isc_buffer_forward(&optbuf, optlen);
-+					break;
-+				}
- 				sit = isc_buffer_current(&optbuf);
- 				compute_cc(query, cookie, sizeof(cookie));
- 				INSIST(query->fctx->rmessage->sitbad == 0 &&
-@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
- 				isc_buffer_forward(&optbuf, optlen);
- 				inc_stats(query->fctx->res,
- 					  dns_resstatscounter_sitin);
-+				seen_cookie = ISC_TRUE;
- 				break;
- #endif
- 			default:
--- 
-2.1.4
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
deleted file mode 100644
index 5393063..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka at isc.org>
-Date: Wed, 12 Oct 2016 19:52:59 +0900
-Subject: [PATCH]
-4406.   [security]      getrrsetbyname with a non absolute name could
-                        trigger an infinite recursion bug in lwresd
-                        and named with lwres configured if when combined
-                        with a search list entry the resulting name is
-                        too long. (CVE-2016-2775) [RT #42694]
-
-Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
-v9.11.0_patch branch.
-
-CVE: CVE-2016-2775
-Upstream-Status: Backport
-
-Signed-off-by: zhengruoqin <zhengrq.fnst at cn.fujitsu.com>
-
----
- CHANGES                          |  6 ++++++
- bin/named/lwdgrbn.c              | 16 ++++++++++------
- bin/tests/system/lwresd/lwtest.c |  9 ++++++++-
- 3 files changed, 24 insertions(+), 7 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index d2e3360..d0a9d12 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,9 @@
-+4406.   [security]      getrrsetbyname with a non absolute name could
-+                        trigger an infinite recursion bug in lwresd
-+                        and named with lwres configured if when combined
-+                        with a search list entry the resulting name is
-+                        too long. (CVE-2016-2775) [RT #42694]
-+
- 4322.  [security]      Duplicate EDNS COOKIE options in a response could
-                        trigger an assertion failure. (CVE-2016-2088)
-                        [RT #41809]
-diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
-index 3e7b15b..e1e9adc 100644
---- a/bin/named/lwdgrbn.c
-+++ b/bin/named/lwdgrbn.c
-@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
- 	INSIST(client->lookup == NULL);
- 
- 	dns_fixedname_init(&absname);
--	result = ns_lwsearchctx_current(&client->searchctx,
--					dns_fixedname_name(&absname));
-+
- 	/*
--	 * This will return failure if relative name + suffix is too long.
--	 * In this case, just go on to the next entry in the search path.
-+         * Perform search across all search domains until success
-+         * is returned. Return in case of failure.
- 	 */
--	if (result != ISC_R_SUCCESS)
--		start_lookup(client);
-+        while (ns_lwsearchctx_current(&client->searchctx,
-+                        dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
-+                if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
-+                        ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-+                        return;
-+                }
-+        }
- 
- 	result = dns_lookup_create(cm->mctx,
- 				   dns_fixedname_name(&absname),
-diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
-index ad9b551..3eb4a66 100644
---- a/bin/tests/system/lwresd/lwtest.c
-+++ b/bin/tests/system/lwresd/lwtest.c
-@@ -768,7 +768,14 @@ main(void) {
- 	test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
- 	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
- 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
--
-+        test_getrrsetbyname("123456789.123456789.123456789.123456789."
-+                            "123456789.123456789.123456789.123456789."
-+                            "123456789.123456789.123456789.123456789."
-+                            "123456789.123456789.123456789.123456789."
-+                            "123456789.123456789.123456789.123456789."
-+                            "123456789.123456789.123456789.123456789."
-+                            "123456789", 1, 1, 0, 0, 0);
-+ 
- 	if (fails == 0)
- 		printf("I:ok\n");
- 	return (fails);
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
deleted file mode 100644
index 738bf60..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka at isc.org>
-Date: Wed, 12 Oct 2016 20:36:52 +0900
-Subject: [PATCH] 
-4467.   [security]      It was possible to trigger an assertion when 
-                        rendering a message. (CVE-2016-2776) [RT #43139]
-
-Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
-v9.11.0_patch branch.
-
-CVE: CVE-2016-2776
-Upstream-Status: Backport
-
-Signed-off-by: zhengruoqin <zhengrq.fnst at cn.fujitsu.com>
-
----
- CHANGES           |  3 +++
- lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
- 2 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index d0a9d12..5c8c61a 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,6 @@
-+4467.   [security]      It was possible to trigger an assertion when
-+                        rendering a message. (CVE-2016-2776) [RT #43139]
-+
- 4406.   [security]      getrrsetbyname with a non absolute name could
-                         trigger an infinite recursion bug in lwresd
-                         and named with lwres configured if when combined
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index 6b5b4bb..b74dc81 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
- 	if (r.length < DNS_MESSAGE_HEADERLEN)
- 		return (ISC_R_NOSPACE);
- 
--	if (r.length < msg->reserved)
-+        if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
- 		return (ISC_R_NOSPACE);
- 
- 	/*
-@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
- 
- 	return (ISC_TRUE);
- }
--
- #endif
-+
-+static isc_result_t
-+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
-+         dns_compress_t *cctx, isc_buffer_t *target,
-+         unsigned int reserved, unsigned int options, unsigned int *countp)
-+{
-+       isc_result_t result;
-+
-+       /*
-+        * Shrink the space in the buffer by the reserved amount.
-+        */
-+       if (target->length - target->used < reserved)
-+               return (ISC_R_NOSPACE);
-+
-+       target->length -= reserved;
-+       result = dns_rdataset_towire(rdataset, owner_name,
-+                                    cctx, target, options, countp);
-+       target->length += reserved;
-+
-+       return (result);
-+}
-+
- isc_result_t
- dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
- 			  unsigned int options)
-@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
- 	/*
- 	 * Shrink the space in the buffer by the reserved amount.
- 	 */
-+        if (msg->buffer->length - msg->buffer->used < msg->reserved)
-+                return (ISC_R_NOSPACE);
- 	msg->buffer->length -= msg->reserved;
- 
- 	total = 0;
-@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
- 		 * Render.
- 		 */
- 		count = 0;
--		result = dns_rdataset_towire(msg->opt, dns_rootname,
--					     msg->cctx, msg->buffer, 0,
--					     &count);
-+                result = renderset(msg->opt, dns_rootname, msg->cctx,
-+                                   msg->buffer, msg->reserved, 0, &count);
- 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
-@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
- 		count = 0;
--		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
--					     msg->cctx, msg->buffer, 0,
--					     &count);
-+                result = renderset(msg->tsig, msg->tsigname, msg->cctx,
-+                                   msg->buffer, msg->reserved, 0, &count);
- 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
-@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
- 		 * the owner name of a SIG(0) is irrelevant, and will not
- 		 * be set in a message being rendered.
- 		 */
--		result = dns_rdataset_towire(msg->sig0, dns_rootname,
--					     msg->cctx, msg->buffer, 0,
--					     &count);
-+                result = renderset(msg->sig0, dns_rootname, msg->cctx,
-+                                   msg->buffer, msg->reserved, 0, &count);
- 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
- 		if (result != ISC_R_SUCCESS)
- 			return (result);
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
deleted file mode 100644
index 75bc211..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
+++ /dev/null
@@ -1,1090 +0,0 @@
-From 1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka at isc.org>
-Date: Wed, 2 Nov 2016 17:31:27 +1100
-Subject: [PATCH] 4504. [security] Allow the maximum number of records in a
- zone to be specified. This provides a control for issues raised in
- CVE-2016-6170. [RT #42143]
-
-(cherry picked from commit 5f8412a4cb5ee14a0e8cddd4107854b40ee3291e)
-
-Upstream-Status: Backport
-[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f]
-
-CVE: CVE-2016-6170
-
-Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
----
- CHANGES                                          |   4 +
- bin/named/config.c                               |   1 +
- bin/named/named.conf.docbook                     |   3 +
- bin/named/update.c                               |  16 +++
- bin/named/zoneconf.c                             |   7 ++
- bin/tests/system/nsupdate/clean.sh               |   1 +
- bin/tests/system/nsupdate/ns3/named.conf         |   7 ++
- bin/tests/system/nsupdate/ns3/too-big.test.db.in |  10 ++
- bin/tests/system/nsupdate/setup.sh               |   2 +
- bin/tests/system/nsupdate/tests.sh               |  15 +++
- bin/tests/system/xfer/clean.sh                   |   1 +
- bin/tests/system/xfer/ns1/axfr-too-big.db        |  10 ++
- bin/tests/system/xfer/ns1/ixfr-too-big.db.in     |  13 +++
- bin/tests/system/xfer/ns1/named.conf             |  11 ++
- bin/tests/system/xfer/ns6/named.conf             |  14 +++
- bin/tests/system/xfer/setup.sh                   |   2 +
- bin/tests/system/xfer/tests.sh                   |  26 +++++
- doc/arm/Bv9ARM-book.xml                          |  21 ++++
- doc/arm/notes.xml                                |   9 ++
- lib/bind9/check.c                                |   2 +
- lib/dns/db.c                                     |  13 +++
- lib/dns/ecdb.c                                   |   3 +-
- lib/dns/include/dns/db.h                         |  20 ++++
- lib/dns/include/dns/rdataslab.h                  |  13 +++
- lib/dns/include/dns/result.h                     |   6 +-
- lib/dns/include/dns/zone.h                       |  28 ++++-
- lib/dns/rbtdb.c                                  | 127 +++++++++++++++++++++--
- lib/dns/rdataslab.c                              |  13 +++
- lib/dns/result.c                                 |   9 +-
- lib/dns/sdb.c                                    |   3 +-
- lib/dns/sdlz.c                                   |   3 +-
- lib/dns/xfrin.c                                  |  22 +++-
- lib/dns/zone.c                                   |  23 +++-
- lib/isccfg/namedconf.c                           |   1 +
- 34 files changed, 444 insertions(+), 15 deletions(-)
- create mode 100644 bin/tests/system/nsupdate/ns3/too-big.test.db.in
- create mode 100644 bin/tests/system/xfer/ns1/axfr-too-big.db
- create mode 100644 bin/tests/system/xfer/ns1/ixfr-too-big.db.in
-
-diff --git a/CHANGES b/CHANGES
-index 41cfce5..97d2e60 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,7 @@
-+4504.	[security]	Allow the maximum number of records in a zone to
-+			be specified.  This provides a control for issues
-+			raised in CVE-2016-6170. [RT #42143]
-+
- 4489.	[security]	It was possible to trigger assertions when processing
- 			a response. (CVE-2016-8864) [RT #43465]
- 
-diff --git a/bin/named/config.c b/bin/named/config.c
-index f06348c..c24e334 100644
---- a/bin/named/config.c
-+++ b/bin/named/config.c
-@@ -209,6 +209,7 @@ options {\n\
- 	max-transfer-time-out 120;\n\
- 	max-transfer-idle-in 60;\n\
- 	max-transfer-idle-out 60;\n\
-+	max-records 0;\n\
- 	max-retry-time 1209600; /* 2 weeks */\n\
- 	min-retry-time 500;\n\
- 	max-refresh-time 2419200; /* 4 weeks */\n\
-diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
-index 4c99a61..c2d173a 100644
---- a/bin/named/named.conf.docbook
-+++ b/bin/named/named.conf.docbook
-@@ -338,6 +338,7 @@ options {
- 	};
- 
- 	max-journal-size <replaceable>size_no_default</replaceable>;
-+	max-records <replaceable>integer</replaceable>;
- 	max-transfer-time-in <replaceable>integer</replaceable>;
- 	max-transfer-time-out <replaceable>integer</replaceable>;
- 	max-transfer-idle-in <replaceable>integer</replaceable>;
-@@ -527,6 +528,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
- 	};
- 
- 	max-journal-size <replaceable>size_no_default</replaceable>;
-+	max-records <replaceable>integer</replaceable>;
- 	max-transfer-time-in <replaceable>integer</replaceable>;
- 	max-transfer-time-out <replaceable>integer</replaceable>;
- 	max-transfer-idle-in <replaceable>integer</replaceable>;
-@@ -624,6 +626,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
- 	};
- 
- 	max-journal-size <replaceable>size_no_default</replaceable>;
-+	max-records <replaceable>integer</replaceable>;
- 	max-transfer-time-in <replaceable>integer</replaceable>;
- 	max-transfer-time-out <replaceable>integer</replaceable>;
- 	max-transfer-idle-in <replaceable>integer</replaceable>;
-diff --git a/bin/named/update.c b/bin/named/update.c
-index 83b1a05..cc2a611 100644
---- a/bin/named/update.c
-+++ b/bin/named/update.c
-@@ -2455,6 +2455,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
- 	isc_boolean_t had_dnskey;
- 	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
- 	dns_ttl_t maxttl = 0;
-+	isc_uint32_t maxrecords;
-+	isc_uint64_t records;
- 
- 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
- 
-@@ -3138,6 +3140,20 @@ update_action(isc_task_t *task, isc_event_t *event) {
- 			}
- 		}
- 
-+		maxrecords = dns_zone_getmaxrecords(zone);
-+		if (maxrecords != 0U) {
-+			result = dns_db_getsize(db, ver, &records, NULL);
-+			if (result == ISC_R_SUCCESS && records > maxrecords) {
-+				update_log(client, zone, ISC_LOG_ERROR,
-+					   "records in zone (%"
-+					   ISC_PRINT_QUADFORMAT
-+					   "u) exceeds max-records (%u)",
-+					   records, maxrecords);
-+				result = DNS_R_TOOMANYRECORDS;
-+				goto failure;
-+			}
-+		}
-+
- 		journalfile = dns_zone_getjournal(zone);
- 		if (journalfile != NULL) {
- 			update_log(client, zone, LOGLEVEL_DEBUG,
-diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
-index 4ee3dfe..14dd8ce 100644
---- a/bin/named/zoneconf.c
-+++ b/bin/named/zoneconf.c
-@@ -978,6 +978,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
- 			dns_zone_setmaxttl(raw, maxttl);
- 	}
- 
-+	obj = NULL;
-+	result = ns_config_get(maps, "max-records", &obj);
-+	INSIST(result == ISC_R_SUCCESS && obj != NULL);
-+	dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj));
-+	if (zone != mayberaw)
-+		dns_zone_setmaxrecords(zone, 0);
-+
- 	if (raw != NULL && filename != NULL) {
- #define SIGNED ".signed"
- 		size_t signedlen = strlen(filename) + sizeof(SIGNED);
-diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
-index aaefc02..ea25545 100644
---- a/bin/tests/system/nsupdate/clean.sh
-+++ b/bin/tests/system/nsupdate/clean.sh
-@@ -32,6 +32,7 @@ rm -f ns3/example.db.jnl ns3/example.db
- rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
- rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test.
- rm -f ns3/K*
-+rm -f ns3/too-big.test.db
- rm -f dig.out.*
- rm -f jp.out.ns3.*
- rm -f Kxxx.*
-diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf
-index 2abd522..68ff27a 100644
---- a/bin/tests/system/nsupdate/ns3/named.conf
-+++ b/bin/tests/system/nsupdate/ns3/named.conf
-@@ -60,3 +60,10 @@ zone "dnskey.test" {
- 	allow-update { any; };
- 	file "dnskey.test.db.signed";
- };
-+
-+zone "too-big.test" {
-+	type master;
-+	allow-update { any; };
-+	max-records 3;
-+	file "too-big.test.db";
-+};
-diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
-new file mode 100644
-index 0000000..7ff1e4a
---- /dev/null
-+++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
-@@ -0,0 +1,10 @@
-+; Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+
-+$TTL 10
-+too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600
-+too-big.test. IN NS too-big.test.
-+too-big.test. IN A 10.53.0.3
-diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
-index 828255e..43c4094 100644
---- a/bin/tests/system/nsupdate/setup.sh
-+++ b/bin/tests/system/nsupdate/setup.sh
-@@ -27,12 +27,14 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
- rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk
- rm -f ns2/update.bk ns2/update.alt.bk
- rm -f ns3/example.db.jnl
-+rm -f ns3/too-big.test.db.jnl
- 
- cp -f ns1/example1.db ns1/example.db
- sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
- sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
- sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
- cp -f ns3/example.db.in ns3/example.db
-+cp -f ns3/too-big.test.db.in ns3/too-big.test.db
- 
- # update_test.pl has its own zone file because it
- # requires a specific NS record set.
-diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
-index 78d501e..0a6bbd3 100755
---- a/bin/tests/system/nsupdate/tests.sh
-+++ b/bin/tests/system/nsupdate/tests.sh
-@@ -581,5 +581,20 @@ if [ $ret -ne 0 ]; then
-     status=1
- fi
- 
-+n=`expr $n + 1`
-+echo "I:check that adding too many records is blocked ($n)"
-+ret=0
-+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
-+server 10.53.0.3 5300
-+zone too-big.test.
-+update add r1.too-big.test 3600 IN TXT r1.too-big.test
-+send
-+EOF
-+grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
-+DIG +tcp @10.53.0.3 -p 5300 r1.too-big.test TXT > dig.out.ns3.test$n
-+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
-+grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
-+[ $ret = 0 ] || { echo I:failed; status=1; }
-+
- echo "I:exit status: $status"
- exit $status
-diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
-index 48aa159..da62a33 100644
---- a/bin/tests/system/xfer/clean.sh
-+++ b/bin/tests/system/xfer/clean.sh
-@@ -36,3 +36,4 @@ rm -f ns7/*.db ns7/*.bk ns7/*.jnl
- rm -f */named.memstats
- rm -f */named.run
- rm -f */ans.run
-+rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
-diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db
-new file mode 100644
-index 0000000..d43760d
---- /dev/null
-+++ b/bin/tests/system/xfer/ns1/axfr-too-big.db
-@@ -0,0 +1,10 @@
-+; Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+
-+$TTL	3600
-+@	IN	SOA	. . 0 0 0 0 0
-+@	IN	NS	.
-+$GENERATE 1-29	host$	A	1.2.3.$
-diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
-new file mode 100644
-index 0000000..318bb77
---- /dev/null
-+++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
-@@ -0,0 +1,13 @@
-+; Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
-+;
-+; This Source Code Form is subject to the terms of the Mozilla Public
-+; License, v. 2.0. If a copy of the MPL was not distributed with this
-+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+
-+$TTL	3600
-+@	IN	SOA	. . 0 0 0 0 0
-+@	IN	NS	ns1
-+@	IN	NS	ns6
-+ns1	IN	A	10.53.0.1
-+ns6	IN	A	10.53.0.6
-+$GENERATE 1-25	host$	A	1.2.3.$
-diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf
-index 07dad85..1d29292 100644
---- a/bin/tests/system/xfer/ns1/named.conf
-+++ b/bin/tests/system/xfer/ns1/named.conf
-@@ -44,3 +44,14 @@ zone "slave" {
- 	type master;
- 	file "slave.db";
- };
-+
-+zone "axfr-too-big" {
-+        type master;
-+        file "axfr-too-big.db";
-+};
-+
-+zone "ixfr-too-big" {
-+        type master;
-+	allow-update { any; };
-+        file "ixfr-too-big.db";
-+};
-diff --git a/bin/tests/system/xfer/ns6/named.conf b/bin/tests/system/xfer/ns6/named.conf
-index c9421b1..a12a92c 100644
---- a/bin/tests/system/xfer/ns6/named.conf
-+++ b/bin/tests/system/xfer/ns6/named.conf
-@@ -52,3 +52,17 @@ zone "slave" {
- 	masters { 10.53.0.1; };
- 	file "slave.bk";
- };
-+
-+zone "axfr-too-big" {
-+	type slave;
-+	max-records 30;
-+	masters { 10.53.0.1; };
-+	file "axfr-too-big.bk";
-+};
-+
-+zone "ixfr-too-big" {
-+	type slave;
-+	max-records 30;
-+	masters { 10.53.0.1; };
-+	file "ixfr-too-big.bk";
-+};
-diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
-index 56ca901..c55abf8 100644
---- a/bin/tests/system/xfer/setup.sh
-+++ b/bin/tests/system/xfer/setup.sh
-@@ -33,3 +33,5 @@ cp -f ns4/named.conf.base ns4/named.conf
- 
- cp ns2/slave.db.in ns2/slave.db
- touch -t 200101010000 ns2/slave.db
-+
-+cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db
-diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
-index 67b2a1a..fe33f0a 100644
---- a/bin/tests/system/xfer/tests.sh
-+++ b/bin/tests/system/xfer/tests.sh
-@@ -368,5 +368,31 @@ $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
-     status=1
- }
- 
-+n=`expr $n + 1`
-+echo "I:test that a zone with too many records is rejected (AXFR) ($n)"
-+tmp=0
-+grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
-+if test $tmp != 0 ; then echo "I:failed"; fi
-+status=`expr $status + $tmp`
-+
-+n=`expr $n + 1`
-+echo "I:test that a zone with too many records is rejected (IXFR) ($n)"
-+tmp=0
-+grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1
-+$NSUPDATE << EOF
-+zone ixfr-too-big
-+server 10.53.0.1 5300
-+update add the-31st-record.ixfr-too-big 0 TXT this is it
-+send
-+EOF
-+for i in 1 2 3 4 5 6 7 8
-+do
-+    grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break
-+    sleep 1
-+done
-+grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
-+if test $tmp != 0 ; then echo "I:failed"; fi
-+status=`expr $status + $tmp`
-+
- echo "I:exit status: $status"
- exit $status
-diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 848b582..0369505 100644
---- a/doc/arm/Bv9ARM-book.xml
-+++ b/doc/arm/Bv9ARM-book.xml
-@@ -4858,6 +4858,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
-     <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
-     <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
-     <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
-+    <optional> max-records <replaceable>number</replaceable>; </optional>
-     <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
-     <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
-     <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
-@@ -8164,6 +8165,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- 	    </varlistentry>
- 
- 	    <varlistentry>
-+	      <term><command>max-records</command></term>
-+	      <listitem>
-+		<para>
-+		  The maximum number of records permitted in a zone.
-+		  The default is zero which means unlimited.
-+	 	</para>
-+	      </listitem>
-+	    </varlistentry>
-+
-+	    <varlistentry>
- 	      <term><command>host-statistics-max</command></term>
- 	      <listitem>
- 		<para>
-@@ -12056,6 +12067,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
- 	      </varlistentry>
- 
- 	      <varlistentry>
-+		<term><command>max-records</command></term>
-+		<listitem>
-+		  <para>
-+		    See the description of
-+		    <command>max-records</command> in <xref linkend="server_resource_limits"/>.
-+		  </para>
-+		</listitem>
-+	      </varlistentry>
-+
-+	      <varlistentry>
- 		<term><command>max-transfer-time-in</command></term>
- 		<listitem>
- 		  <para>
-diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
-index 095eb5b..36495e7 100644
---- a/doc/arm/notes.xml
-+++ b/doc/arm/notes.xml
-@@ -52,6 +52,15 @@
-     <itemizedlist>
-       <listitem>
-        <para>
-+	  Added the ability to specify the maximum number of records
-+	  permitted in a zone (max-records #;).  This provides a mechanism
-+	  to block overly large zone transfers, which is a potential risk
-+	  with slave zones from other parties, as described in CVE-2016-6170.
-+	  [RT #42143]
-+	</para>
-+      </listitem>
-+      <listitem>
-+	<para>
-          Duplicate EDNS COOKIE options in a response could trigger
-          an assertion failure. This flaw is disclosed in CVE-2016-2088.
-          [RT #41809]
-diff --git a/lib/bind9/check.c b/lib/bind9/check.c
-index b8c05dd..edb7534 100644
---- a/lib/bind9/check.c
-+++ b/lib/bind9/check.c
-@@ -1510,6 +1510,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
- 	  REDIRECTZONE },
- 	{ "masters", SLAVEZONE | STUBZONE | REDIRECTZONE },
- 	{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
-+	{ "max-records", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE |
-+          STATICSTUBZONE | REDIRECTZONE },
- 	{ "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
- 	{ "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
- 	{ "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
-diff --git a/lib/dns/db.c b/lib/dns/db.c
-index 7e4f357..ced94a5 100644
---- a/lib/dns/db.c
-+++ b/lib/dns/db.c
-@@ -999,6 +999,19 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
- }
- 
- isc_result_t
-+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
-+	       isc_uint64_t *bytes)
-+{
-+	REQUIRE(DNS_DB_VALID(db));
-+	REQUIRE(dns_db_iszone(db) == ISC_TRUE);
-+
-+	if (db->methods->getsize != NULL)
-+		return ((db->methods->getsize)(db, version, records, bytes));
-+
-+	return (ISC_R_NOTFOUND);
-+}
-+
-+isc_result_t
- dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
- 		      isc_stdtime_t resign)
- {
-diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
-index 553a339..b5d04d2 100644
---- a/lib/dns/ecdb.c
-+++ b/lib/dns/ecdb.c
-@@ -587,7 +587,8 @@ static dns_dbmethods_t ecdb_methods = {
- 	NULL,			/* findnodeext */
- 	NULL,			/* findext */
- 	NULL,			/* setcachestats */
--	NULL			/* hashsize */
-+	NULL,			/* hashsize */
-+	NULL			/* getsize */
- };
- 
- static isc_result_t
-diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
-index a4a4482..aff42d6 100644
---- a/lib/dns/include/dns/db.h
-+++ b/lib/dns/include/dns/db.h
-@@ -195,6 +195,8 @@ typedef struct dns_dbmethods {
- 				   dns_rdataset_t *sigrdataset);
- 	isc_result_t	(*setcachestats)(dns_db_t *db, isc_stats_t *stats);
- 	unsigned int	(*hashsize)(dns_db_t *db);
-+	isc_result_t	(*getsize)(dns_db_t *db, dns_dbversion_t *version,
-+				   isc_uint64_t *records, isc_uint64_t *bytes);
- } dns_dbmethods_t;
- 
- typedef isc_result_t
-@@ -1485,6 +1487,24 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
-  */
- 
- isc_result_t
-+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
-+               isc_uint64_t *bytes);
-+/*%<
-+ * Get the number of records in the given version of the database as well
-+ * as the number bytes used to store those records.
-+ *
-+ * Requires:
-+ * \li	'db' is a valid zone database.
-+ * \li	'version' is NULL or a valid version.
-+ * \li	'records' is NULL or a pointer to return the record count in.
-+ * \li	'bytes' is NULL or a pointer to return the byte count in.
-+ *
-+ * Returns:
-+ * \li	#ISC_R_SUCCESS
-+ * \li	#ISC_R_NOTIMPLEMENTED
-+ */
-+
-+isc_result_t
- dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
- 		     isc_boolean_t create, dns_dbnode_t **nodep);
- /*%<
-diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
-index 3ac44b8..2e1e759 100644
---- a/lib/dns/include/dns/rdataslab.h
-+++ b/lib/dns/include/dns/rdataslab.h
-@@ -104,6 +104,7 @@ dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
-  * Ensures:
-  *\li	'rdataset' is associated and points to a valid rdataest.
-  */
-+
- unsigned int
- dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
- /*%<
-@@ -116,6 +117,18 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
-  *\li	The number of bytes in the slab, including the reservelen.
-  */
- 
-+unsigned int
-+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen);
-+/*%<
-+ * Return the number of records in the rdataslab
-+ *
-+ * Requires:
-+ *\li	'slab' points to a slab.
-+ *
-+ * Returns:
-+ *\li	The number of records in the slab.
-+ */
-+
- isc_result_t
- dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
- 		    unsigned int reservelen, isc_mem_t *mctx,
-diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
-index 7d11c2b..93d1fd5 100644
---- a/lib/dns/include/dns/result.h
-+++ b/lib/dns/include/dns/result.h
-@@ -157,8 +157,12 @@
- #define DNS_R_BADCDS			(ISC_RESULTCLASS_DNS + 111)
- #define DNS_R_BADCDNSKEY		(ISC_RESULTCLASS_DNS + 112)
- #define DNS_R_OPTERR			(ISC_RESULTCLASS_DNS + 113)
-+#define DNS_R_BADDNSTAP			(ISC_RESULTCLASS_DNS + 114)
-+#define DNS_R_BADTSIG			(ISC_RESULTCLASS_DNS + 115)
-+#define DNS_R_BADSIG0			(ISC_RESULTCLASS_DNS + 116)
-+#define DNS_R_TOOMANYRECORDS		(ISC_RESULTCLASS_DNS + 117)
- 
--#define DNS_R_NRESULTS			114	/*%< Number of results */
-+#define DNS_R_NRESULTS			118	/*%< Number of results */
- 
- /*
-  * DNS wire format rcodes.
-diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
-index a9367f1..227540b 100644
---- a/lib/dns/include/dns/zone.h
-+++ b/lib/dns/include/dns/zone.h
-@@ -296,6 +296,32 @@ dns_zone_getfile(dns_zone_t *zone);
-  */
- 
- void
-+dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t records);
-+/*%<
-+ * 	Sets the maximim number of records permitted in a zone.
-+ *	0 implies unlimited.
-+ *
-+ * Requires:
-+ *\li	'zone' to be valid initialised zone.
-+ *
-+ * Returns:
-+ *\li	void
-+ */
-+
-+isc_uint32_t
-+dns_zone_getmaxrecords(dns_zone_t *zone);
-+/*%<
-+ * 	Gets the maximim number of records permitted in a zone.
-+ *	0 implies unlimited.
-+ *
-+ * Requires:
-+ *\li	'zone' to be valid initialised zone.
-+ *
-+ * Returns:
-+ *\li	isc_uint32_t maxrecords.
-+ */
-+
-+void
- dns_zone_setmaxttl(dns_zone_t *zone, isc_uint32_t maxttl);
- /*%<
-  * 	Sets the max ttl of the zone.
-@@ -316,7 +342,7 @@ dns_zone_getmaxttl(dns_zone_t *zone);
-  *\li	'zone' to be valid initialised zone.
-  *
-  * Returns:
-- *\li	isc_uint32_t maxttl.
-+ *\li	dns_ttl_t maxttl.
-  */
- 
- isc_result_t
-diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
-index 62becfc..72d722f 100644
---- a/lib/dns/rbtdb.c
-+++ b/lib/dns/rbtdb.c
-@@ -209,6 +209,7 @@ typedef isc_uint64_t                    rbtdb_serial_t;
- #define free_rbtdb_callback free_rbtdb_callback64
- #define free_rdataset free_rdataset64
- #define getnsec3parameters getnsec3parameters64
-+#define getsize getsize64
- #define getoriginnode getoriginnode64
- #define getrrsetstats getrrsetstats64
- #define getsigningtime getsigningtime64
-@@ -589,6 +590,13 @@ typedef struct rbtdb_version {
- 	isc_uint16_t			iterations;
- 	isc_uint8_t			salt_length;
- 	unsigned char			salt[DNS_NSEC3_SALTSIZE];
-+
-+	/*
-+	 * records and bytes are covered by rwlock.
-+	 */
-+	isc_rwlock_t                    rwlock;
-+	isc_uint64_t			records;
-+	isc_uint64_t			bytes;
- } rbtdb_version_t;
- 
- typedef ISC_LIST(rbtdb_version_t)       rbtdb_versionlist_t;
-@@ -1130,6 +1138,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
- 		INSIST(refs == 0);
- 		UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
- 		isc_refcount_destroy(&rbtdb->current_version->references);
-+		isc_rwlock_destroy(&rbtdb->current_version->rwlock);
- 		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
- 			    sizeof(rbtdb_version_t));
- 	}
-@@ -1383,6 +1392,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
- 
- static isc_result_t
- newversion(dns_db_t *db, dns_dbversion_t **versionp) {
-+	isc_result_t result;
- 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- 	rbtdb_version_t *version;
- 
-@@ -1415,13 +1425,28 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
- 			version->salt_length = 0;
- 			memset(version->salt, 0, sizeof(version->salt));
- 		}
--		rbtdb->next_serial++;
--		rbtdb->future_version = version;
--	}
-+		result = isc_rwlock_init(&version->rwlock, 0, 0);
-+		if (result != ISC_R_SUCCESS) {
-+			isc_refcount_destroy(&version->references);
-+			isc_mem_put(rbtdb->common.mctx, version,
-+				    sizeof(*version));
-+			version = NULL;
-+		} else {
-+			RWLOCK(&rbtdb->current_version->rwlock,
-+			       isc_rwlocktype_read);
-+			version->records = rbtdb->current_version->records;
-+			version->bytes = rbtdb->current_version->bytes;
-+			RWUNLOCK(&rbtdb->current_version->rwlock,
-+				 isc_rwlocktype_read);
-+			rbtdb->next_serial++;
-+			rbtdb->future_version = version;
-+		}
-+	} else
-+		result = ISC_R_NOMEMORY;
- 	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
- 
- 	if (version == NULL)
--		return (ISC_R_NOMEMORY);
-+		return (result);
- 
- 	*versionp = version;
- 
-@@ -2681,6 +2706,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
- 
- 	if (cleanup_version != NULL) {
- 		INSIST(EMPTY(cleanup_version->changed_list));
-+		isc_rwlock_destroy(&cleanup_version->rwlock);
- 		isc_mem_put(rbtdb->common.mctx, cleanup_version,
- 			    sizeof(*cleanup_version));
- 	}
-@@ -6254,6 +6280,26 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
- 		else
- 			rbtnode->data = newheader;
- 		newheader->next = topheader->next;
-+		if (rbtversion != NULL)
-+			RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
-+		if (rbtversion != NULL && !header_nx) {
-+			rbtversion->records -=
-+				dns_rdataslab_count((unsigned char *)header,
-+						    sizeof(*header));
-+			rbtversion->bytes -=
-+				dns_rdataslab_size((unsigned char *)header,
-+						   sizeof(*header));
-+		}
-+		if (rbtversion != NULL && !newheader_nx) {
-+			rbtversion->records +=
-+				dns_rdataslab_count((unsigned char *)newheader,
-+						    sizeof(*newheader));
-+			rbtversion->bytes +=
-+				dns_rdataslab_size((unsigned char *)newheader,
-+						   sizeof(*newheader));
-+		}
-+		if (rbtversion != NULL)
-+			RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
- 		if (loading) {
- 			/*
- 			 * There are no other references to 'header' when
-@@ -6355,6 +6401,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
- 			newheader->down = NULL;
- 			rbtnode->data = newheader;
- 		}
-+		if (rbtversion != NULL && !newheader_nx) {
-+			RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
-+			rbtversion->records +=
-+				dns_rdataslab_count((unsigned char *)newheader,
-+						    sizeof(*newheader));
-+			rbtversion->bytes +=
-+				dns_rdataslab_size((unsigned char *)newheader,
-+						   sizeof(*newheader));
-+			RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
-+		}
- 		idx = newheader->node->locknum;
- 		if (IS_CACHE(rbtdb)) {
- 			ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
-@@ -6811,6 +6867,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- 			 */
- 			newheader->additional_auth = NULL;
- 			newheader->additional_glue = NULL;
-+			rbtversion->records +=
-+				dns_rdataslab_count((unsigned char *)newheader,
-+						    sizeof(*newheader));
-+			rbtversion->bytes +=
-+				dns_rdataslab_size((unsigned char *)newheader,
-+						   sizeof(*newheader));
- 		} else if (result == DNS_R_NXRRSET) {
- 			/*
- 			 * This subtraction would remove all of the rdata;
-@@ -6846,6 +6908,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- 		 * topheader.
- 		 */
- 		INSIST(rbtversion->serial >= topheader->serial);
-+		rbtversion->records -=
-+				dns_rdataslab_count((unsigned char *)header,
-+						    sizeof(*header));
-+		rbtversion->bytes -=
-+				dns_rdataslab_size((unsigned char *)header,
-+						   sizeof(*header));
- 		if (topheader_prev != NULL)
- 			topheader_prev->next = newheader;
- 		else
-@@ -7172,6 +7240,7 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
- 	unsigned char *limit = ((unsigned char *) base) + filesize;
- 	unsigned char *p;
- 	size_t size;
-+	unsigned int count;
- 
- 	REQUIRE(rbtnode != NULL);
- 
-@@ -7179,6 +7248,9 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
- 		p = (unsigned char *) header;
- 
- 		size = dns_rdataslab_size(p, sizeof(*header));
-+		count = dns_rdataslab_count(p, sizeof(*header));;
-+		rbtdb->current_version->records += count;
-+		rbtdb->current_version->bytes += size;
- 		isc_crc64_update(crc, p, size);
- #ifdef DEBUG
- 		hexdump("hashing header", p, sizeof(rdatasetheader_t));
-@@ -7777,6 +7849,33 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
- }
- 
- static isc_result_t
-+getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
-+        isc_uint64_t *bytes)
-+{
-+	dns_rbtdb_t *rbtdb;
-+	isc_result_t result = ISC_R_SUCCESS;
-+	rbtdb_version_t *rbtversion = version;
-+
-+	rbtdb = (dns_rbtdb_t *)db;
-+
-+	REQUIRE(VALID_RBTDB(rbtdb));
-+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
-+
-+	if (rbtversion == NULL)
-+		rbtversion = rbtdb->current_version;
-+
-+	RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
-+	if (records != NULL)
-+		*records = rbtversion->records;
-+
-+	if (bytes != NULL)
-+		*bytes = rbtversion->bytes;
-+	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
-+
-+	return (result);
-+}
-+
-+static isc_result_t
- setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
- 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- 	isc_stdtime_t oldresign;
-@@ -7972,7 +8071,8 @@ static dns_dbmethods_t zone_methods = {
- 	NULL,
- 	NULL,
- 	NULL,
--	hashsize
-+	hashsize,
-+	getsize
- };
- 
- static dns_dbmethods_t cache_methods = {
-@@ -8018,7 +8118,8 @@ static dns_dbmethods_t cache_methods = {
- 	NULL,
- 	NULL,
- 	setcachestats,
--	hashsize
-+	hashsize,
-+	NULL
- };
- 
- isc_result_t
-@@ -8310,6 +8411,20 @@ dns_rbtdb_create
- 	rbtdb->current_version->salt_length = 0;
- 	memset(rbtdb->current_version->salt, 0,
- 	       sizeof(rbtdb->current_version->salt));
-+	result = isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0);
-+	if (result != ISC_R_SUCCESS) {
-+		isc_refcount_destroy(&rbtdb->current_version->references);
-+		isc_mem_put(mctx, rbtdb->current_version,
-+			    sizeof(*rbtdb->current_version));
-+		rbtdb->current_version = NULL;
-+		isc_refcount_decrement(&rbtdb->references, NULL);
-+		isc_refcount_destroy(&rbtdb->references);
-+		free_rbtdb(rbtdb, ISC_FALSE, NULL);
-+		return (result);
-+	}
-+
-+	rbtdb->current_version->records = 0;
-+	rbtdb->current_version->bytes = 0;
- 	rbtdb->future_version = NULL;
- 	ISC_LIST_INIT(rbtdb->open_versions);
- 	/*
-diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
-index e29dc84..63e3728 100644
---- a/lib/dns/rdataslab.c
-+++ b/lib/dns/rdataslab.c
-@@ -523,6 +523,19 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
- 	return ((unsigned int)(current - slab));
- }
- 
-+unsigned int
-+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) {
-+	unsigned int count;
-+	unsigned char *current;
-+
-+	REQUIRE(slab != NULL);
-+
-+	current = slab + reservelen;
-+	count = *current++ * 256;
-+	count += *current++;
-+	return (count);
-+}
-+
- /*
-  * Make the dns_rdata_t 'rdata' refer to the slab item
-  * beginning at '*current', which is part of a slab of type
-diff --git a/lib/dns/result.c b/lib/dns/result.c
-index 7be4f57..a621909 100644
---- a/lib/dns/result.c
-+++ b/lib/dns/result.c
-@@ -167,11 +167,16 @@ static const char *text[DNS_R_NRESULTS] = {
- 	"covered by negative trust anchor",    /*%< 110 DNS_R_NTACOVERED */
- 	"bad CDS",			       /*%< 111 DNS_R_BADCSD */
- 	"bad CDNSKEY",			       /*%< 112 DNS_R_BADCDNSKEY */
--	"malformed OPT option"		       /*%< 113 DNS_R_OPTERR */
-+	"malformed OPT option",		       /*%< 113 DNS_R_OPTERR */
-+	"malformed DNSTAP data",	       /*%< 114 DNS_R_BADDNSTAP */
-+
-+	"TSIG in wrong location",	       /*%< 115 DNS_R_BADTSIG */
-+	"SIG(0) in wrong location",	       /*%< 116 DNS_R_BADSIG0 */
-+	"too many records",	               /*%< 117 DNS_R_TOOMANYRECORDS */
- };
- 
- static const char *rcode_text[DNS_R_NRCODERESULTS] = {
--	"NOERROR",				/*%< 0 DNS_R_NOEROR */
-+	"NOERROR",				/*%< 0 DNS_R_NOERROR */
- 	"FORMERR",				/*%< 1 DNS_R_FORMERR */
- 	"SERVFAIL",				/*%< 2 DNS_R_SERVFAIL */
- 	"NXDOMAIN",				/*%< 3 DNS_R_NXDOMAIN */
-diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
-index abfeeb0..19397e0 100644
---- a/lib/dns/sdb.c
-+++ b/lib/dns/sdb.c
-@@ -1298,7 +1298,8 @@ static dns_dbmethods_t sdb_methods = {
- 	findnodeext,
- 	findext,
- 	NULL,			/* setcachestats */
--	NULL			/* hashsize */
-+	NULL,			/* hashsize */
-+	NULL			/* getsize */
- };
- 
- static isc_result_t
-diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
-index b1198a4..0e3163d 100644
---- a/lib/dns/sdlz.c
-+++ b/lib/dns/sdlz.c
-@@ -1269,7 +1269,8 @@ static dns_dbmethods_t sdlzdb_methods = {
- 	findnodeext,
- 	findext,
- 	NULL,			/* setcachestats */
--	NULL			/* hashsize */
-+	NULL,			/* hashsize */
-+	NULL			/* getsize */
- };
- 
- /*
-diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
-index 2a6c1b4..ac566e1 100644
---- a/lib/dns/xfrin.c
-+++ b/lib/dns/xfrin.c
-@@ -149,6 +149,9 @@ struct dns_xfrin_ctx {
- 	unsigned int		nrecs;		/*%< Number of records recvd */
- 	isc_uint64_t		nbytes;		/*%< Number of bytes received */
- 
-+	unsigned int		maxrecords;	/*%< The maximum number of
-+						     records set for the zone */
-+
- 	isc_time_t		start;		/*%< Start time of the transfer */
- 	isc_time_t		end;		/*%< End time of the transfer */
- 
-@@ -309,10 +312,18 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
- static isc_result_t
- axfr_apply(dns_xfrin_ctx_t *xfr) {
- 	isc_result_t result;
-+	isc_uint64_t records;
- 
- 	CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private));
- 	xfr->difflen = 0;
- 	dns_diff_clear(&xfr->diff);
-+	if (xfr->maxrecords != 0U) {
-+		result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
-+		if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
-+			result = DNS_R_TOOMANYRECORDS;
-+			goto failure;
-+		}
-+	}
- 	result = ISC_R_SUCCESS;
-  failure:
- 	return (result);
-@@ -396,6 +407,7 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
- static isc_result_t
- ixfr_apply(dns_xfrin_ctx_t *xfr) {
- 	isc_result_t result;
-+	isc_uint64_t records;
- 
- 	if (xfr->ver == NULL) {
- 		CHECK(dns_db_newversion(xfr->db, &xfr->ver));
-@@ -403,6 +415,13 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) {
- 			CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
- 	}
- 	CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
-+	if (xfr->maxrecords != 0U) {
-+		result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
-+		if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
-+			result = DNS_R_TOOMANYRECORDS;
-+			goto failure;
-+		}
-+	}
- 	if (xfr->ixfr.journal != NULL) {
- 		result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
- 		if (result != ISC_R_SUCCESS)
-@@ -759,7 +778,7 @@ xfrin_reset(dns_xfrin_ctx_t *xfr) {
- 
- static void
- xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
--	if (result != DNS_R_UPTODATE) {
-+	if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) {
- 		xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
- 			  msg, isc_result_totext(result));
- 		if (xfr->is_ixfr)
-@@ -852,6 +871,7 @@ xfrin_create(isc_mem_t *mctx,
- 	xfr->nmsg = 0;
- 	xfr->nrecs = 0;
- 	xfr->nbytes = 0;
-+	xfr->maxrecords = dns_zone_getmaxrecords(zone);
- 	isc_time_now(&xfr->start);
- 
- 	xfr->tsigkey = NULL;
-diff --git a/lib/dns/zone.c b/lib/dns/zone.c
-index 90e558d..2b0d8e4 100644
---- a/lib/dns/zone.c
-+++ b/lib/dns/zone.c
-@@ -253,6 +253,8 @@ struct dns_zone {
- 	isc_uint32_t		maxretry;
- 	isc_uint32_t		minretry;
- 
-+	isc_uint32_t		maxrecords;
-+
- 	isc_sockaddr_t		*masters;
- 	isc_dscp_t		*masterdscps;
- 	dns_name_t		**masterkeynames;
-@@ -10088,6 +10090,20 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
- 	zone->maxretry = val;
- }
- 
-+isc_uint32_t
-+dns_zone_getmaxrecords(dns_zone_t *zone) {
-+        REQUIRE(DNS_ZONE_VALID(zone));
-+
-+	return (zone->maxrecords);
-+}
-+
-+void
-+dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t val) {
-+        REQUIRE(DNS_ZONE_VALID(zone));
-+
-+	zone->maxrecords = val;
-+}
-+
- static isc_boolean_t
- notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
- 		isc_sockaddr_t *addr, dns_tsigkey_t *key)
-@@ -14431,7 +14447,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
- 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
- 
- 	TIME_NOW(&now);
--	switch (result) {
-+	switch (xfrresult) {
- 	case ISC_R_SUCCESS:
- 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- 		/*FALLTHROUGH*/
-@@ -14558,6 +14574,11 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
- 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
- 		goto same_master;
- 
-+	case DNS_R_TOOMANYRECORDS:
-+		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
-+		inc_stats(zone, dns_zonestatscounter_xfrfail);
-+		break;
-+
- 	default:
- 	next_master:
- 		/*
-diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
-index 780ab46..e7ff1cc 100644
---- a/lib/isccfg/namedconf.c
-+++ b/lib/isccfg/namedconf.c
-@@ -1679,6 +1679,7 @@ zone_clauses[] = {
- 	{ "masterfile-format", &cfg_type_masterformat, 0 },
- 	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
- 	{ "max-journal-size", &cfg_type_sizenodefault, 0 },
-+	{ "max-records", &cfg_type_uint32, 0 },
- 	{ "max-refresh-time", &cfg_type_uint32, 0 },
- 	{ "max-retry-time", &cfg_type_uint32, 0 },
- 	{ "max-transfer-idle-in", &cfg_type_uint32, 0 },
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
deleted file mode 100644
index b52d680..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka at isc.org>
-Date: Fri, 21 Oct 2016 14:55:10 +1100
-Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
- processing a response. (CVE-2016-8864) [RT #43465]
-
-(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
-
-Upstream-Status: Backport
-[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
-
-CVE: CVE-2016-8864
-
-Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
----
- CHANGES            |  3 +++
- lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
- 2 files changed, 50 insertions(+), 22 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index 5c8c61a..41cfce5 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,6 @@
-+4489.	[security]	It was possible to trigger assertions when processing
-+			a response. (CVE-2016-8864) [RT #43465]
-+
- 4467.   [security]      It was possible to trigger an assertion when
-                         rendering a message. (CVE-2016-2776) [RT #43139]
- 
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index ba1ae23..13c8b44 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
- 	valarg->addrinfo = addrinfo;
- 
- 	if (!ISC_LIST_EMPTY(fctx->validators))
--		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
-+		valoptions |= DNS_VALIDATOR_DEFER;
-+	else
-+		valoptions &= ~DNS_VALIDATOR_DEFER;
- 
- 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
- 				      sigrdataset, fctx->rmessage,
-@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
- 							   rdataset,
- 							   sigrdataset,
- 							   valoptions, task);
--					/*
--					 * Defer any further validations.
--					 * This prevents multiple validators
--					 * from manipulating fctx->rmessage
--					 * simultaneously.
--					 */
--					valoptions |= DNS_VALIDATOR_DEFER;
- 				}
- 			} else if (CHAINING(rdataset)) {
- 				if (rdataset->type == dns_rdatatype_cname)
-@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
- 				       eresult == DNS_R_NCACHENXRRSET);
- 			}
- 			event->result = eresult;
-+			if (adbp != NULL && *adbp != NULL) {
-+				if (anodep != NULL && *anodep != NULL)
-+					dns_db_detachnode(*adbp, anodep);
-+				dns_db_detach(adbp);
-+			}
- 			dns_db_attach(fctx->cache, adbp);
- 			dns_db_transfernode(fctx->cache, &node, anodep);
- 			clone_results(fctx);
-@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
- 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
- 		if (event != NULL) {
- 			event->result = eresult;
-+			if (adbp != NULL && *adbp != NULL) {
-+				if (anodep != NULL && *anodep != NULL)
-+					dns_db_detachnode(*adbp, anodep);
-+				dns_db_detach(adbp);
-+			}
- 			dns_db_attach(fctx->cache, adbp);
- 			dns_db_transfernode(fctx->cache, &node, anodep);
- 			clone_results(fctx);
-@@ -6718,13 +6723,15 @@ static isc_result_t
- answer_response(fetchctx_t *fctx) {
- 	isc_result_t result;
- 	dns_message_t *message;
--	dns_name_t *name, *dname, *qname, tname, *ns_name;
-+	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
-+	dns_name_t *cname = NULL;
- 	dns_rdataset_t *rdataset, *ns_rdataset;
- 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
--	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
-+	isc_boolean_t have_answer, found_cname, found_dname, found_type;
-+	isc_boolean_t wanted_chaining;
- 	unsigned int aflag;
- 	dns_rdatatype_t type;
--	dns_fixedname_t fdname, fqname;
-+	dns_fixedname_t fdname, fqname, fqdname;
- 	dns_view_t *view;
- 
- 	FCTXTRACE("answer_response");
-@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
- 
- 	done = ISC_FALSE;
- 	found_cname = ISC_FALSE;
-+	found_dname = ISC_FALSE;
- 	found_type = ISC_FALSE;
- 	chaining = ISC_FALSE;
- 	have_answer = ISC_FALSE;
-@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
- 		aa = ISC_TRUE;
- 	else
- 		aa = ISC_FALSE;
--	qname = &fctx->name;
-+	dqname = qname = &fctx->name;
- 	type = fctx->type;
- 	view = fctx->res->view;
-+	dns_fixedname_init(&fqdname);
- 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- 	while (!done && result == ISC_R_SUCCESS) {
--		dns_namereln_t namereln;
-+		dns_namereln_t namereln, dnamereln;
- 		int order;
- 		unsigned int nlabels;
- 
-@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
- 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
- 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-+		dnamereln = dns_name_fullcompare(dqname, name, &order,
-+						 &nlabels);
- 		if (namereln == dns_namereln_equal) {
- 			wanted_chaining = ISC_FALSE;
- 			for (rdataset = ISC_LIST_HEAD(name->list);
-@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
- 					}
- 				} else if (rdataset->type == dns_rdatatype_rrsig
- 					   && rdataset->covers ==
--					   dns_rdatatype_cname
-+					      dns_rdatatype_cname
- 					   && !found_type) {
- 					/*
- 					 * We're looking for something else,
-@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
- 						 * a CNAME or DNAME).
- 						 */
- 						INSIST(!external);
--						if (aflag ==
--						    DNS_RDATASETATTR_ANSWER) {
-+						if ((rdataset->type !=
-+						     dns_rdatatype_cname) ||
-+						    !found_dname ||
-+						    (aflag ==
-+						     DNS_RDATASETATTR_ANSWER))
-+						{
- 							have_answer = ISC_TRUE;
-+							if (rdataset->type ==
-+							    dns_rdatatype_cname)
-+								cname = name;
- 							name->attributes |=
--								DNS_NAMEATTR_ANSWER;
-+							    DNS_NAMEATTR_ANSWER;
- 						}
- 						rdataset->attributes |= aflag;
- 						if (aa)
-@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
- 					return (DNS_R_FORMERR);
- 				}
- 
--				if (namereln != dns_namereln_subdomain) {
-+				if (dnamereln != dns_namereln_subdomain) {
- 					char qbuf[DNS_NAME_FORMATSIZE];
- 					char obuf[DNS_NAME_FORMATSIZE];
- 
--					dns_name_format(qname, qbuf,
-+					dns_name_format(dqname, qbuf,
- 							sizeof(qbuf));
- 					dns_name_format(name, obuf,
- 							sizeof(obuf));
-@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
- 					want_chaining = ISC_TRUE;
- 					POST(want_chaining);
- 					aflag = DNS_RDATASETATTR_ANSWER;
--					result = dname_target(rdataset, qname,
-+					result = dname_target(rdataset, dqname,
- 							      nlabels, &fdname);
- 					if (result == ISC_R_NOSPACE) {
- 						/*
-@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
- 
- 					dname = dns_fixedname_name(&fdname);
- 					if (!is_answertarget_allowed(view,
--							qname, rdataset->type,
--							dname, &fctx->domain)) {
-+						     dqname, rdataset->type,
-+						     dname, &fctx->domain))
-+					{
- 						return (DNS_R_SERVFAIL);
- 					}
-+					dqname = dns_fixedname_name(&fqdname);
-+					dns_name_copy(dname, dqname, NULL);
- 				} else {
- 					/*
- 					 * We've found a signature that
-@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
- 					INSIST(!external);
- 					if (aflag == DNS_RDATASETATTR_ANSWER) {
- 						have_answer = ISC_TRUE;
-+						found_dname = ISC_TRUE;
-+						if (cname != NULL)
-+							cname->attributes &=
-+							   ~DNS_NAMEATTR_ANSWER;
- 						name->attributes |=
- 							DNS_NAMEATTR_ANSWER;
- 					}
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
index 096d5d8..8bc4ea3 100644
--- a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
@@ -17,24 +17,28 @@ problem.
 Upstream-Status: Pending
 
 Signed-off-by: Robert Yang <liezhi.yang at windriver.com>
+
+Update context(trailing whitespace) for version 9.10.5-P3.
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
 ---
  bin/confgen/Makefile.in |    4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
-index 8b3e5aa..4868a24 100644
+index dca272f..02becce 100644
 --- a/bin/confgen/Makefile.in
 +++ b/bin/confgen/Makefile.in
 @@ -74,11 +74,11 @@ rndc-confgen. at O@: rndc-confgen.c
  ddns-confgen. at O@: ddns-confgen.c
  	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
  
--rndc-confgen at EXEEXT@: rndc-confgen. at O@ util. at O@ keygen. at O@ ${UOBJS} ${CONFDEPLIBS} 
+-rndc-confgen at EXEEXT@: rndc-confgen. at O@ util. at O@ keygen. at O@ ${UOBJS} ${CONFDEPLIBS}
 +rndc-confgen at EXEEXT@: rndc-confgen. at O@ util. at O@ keygen. at O@ ${CONFDEPLIBS} $(SUBDIRS)
  	export BASEOBJS="rndc-confgen. at O@ util. at O@ keygen. at O@ ${UOBJS}"; \
  	${FINALBUILDCMD}
  
--ddns-confgen at EXEEXT@: ddns-confgen. at O@ util. at O@ keygen. at O@ ${UOBJS} ${CONFDEPLIBS} 
+-ddns-confgen at EXEEXT@: ddns-confgen. at O@ util. at O@ keygen. at O@ ${UOBJS} ${CONFDEPLIBS}
 +ddns-confgen at EXEEXT@: ddns-confgen. at O@ util. at O@ keygen. at O@ ${CONFDEPLIBS} $(SUBDIRS)
  	export BASEOBJS="ddns-confgen. at O@ util. at O@ keygen. at O@ ${UOBJS}"; \
  	${FINALBUILDCMD}
diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
deleted file mode 100644
index 2930796..0000000
--- a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
+++ /dev/null
@@ -1,104 +0,0 @@
-bind: port a patch to fix a build failure
-
-mips1 does not support ll and sc instructions, and lead to below error, now
-we port a patch from debian to fix it
-[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
-
-| {standard input}: Assembler messages:
-| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
-| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
-
-Upstream-Status: Pending
-
-Signed-off-by: Roy Li <rongqing.li at windriver.com>
-
---- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
-+++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
-@@ -31,18 +31,20 @@
- isc_atomic_xadd(isc_int32_t *p, int val) {
- 	isc_int32_t orig;
- 
--	/* add is a cheat, since MIPS has no mov instruction */
--	__asm__ volatile (
--	    "1:"
--	    "ll $3, %1\n"
--	    "add %0, $0, $3\n"
--	    "add $3, $3, %2\n"
--	    "sc $3, %1\n"
--	    "beq $3, 0, 1b"
--	    : "=&r"(orig)
--	    : "m"(*p), "r"(val)
--	    : "memory", "$3"
--		);
-+	__asm__ __volatile__ (
-+	"	.set	push		\n"
-+	"	.set	mips2		\n"
-+	"	.set	noreorder	\n"
-+	"	.set	noat		\n"
-+	"1:	ll	$1, %1		\n"
-+	"	addu	%0, $1, %2	\n"
-+	"	sc	%0, %1		\n"
-+	"	beqz	%0, 1b		\n"
-+	"	move	%0, $1		\n"
-+	"	.set	pop		\n"
-+	: "=&r" (orig), "+R" (*p)
-+	: "r" (val)
-+	: "memory");
- 
- 	return (orig);
- }
-@@ -52,16 +54,7 @@
-  */
- static inline void
- isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
--	__asm__ volatile (
--	    "1:"
--	    "ll $3, %0\n"
--	    "add $3, $0, %1\n"
--	    "sc $3, %0\n"
--	    "beq $3, 0, 1b"
--	    :
--	    : "m"(*p), "r"(val)
--	    : "memory", "$3"
--		);
-+	*p = val;
- }
- 
- /*
-@@ -72,20 +65,23 @@
- static inline isc_int32_t
- isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
- 	isc_int32_t orig;
-+	isc_int32_t tmp;
- 
--	__asm__ volatile(
--	    "1:"
--	    "ll $3, %1\n"
--	    "add %0, $0, $3\n"
--	    "bne $3, %2, 2f\n"
--	    "add $3, $0, %3\n"
--	    "sc $3, %1\n"
--	    "beq $3, 0, 1b\n"
--	    "2:"
--	    : "=&r"(orig)
--	    : "m"(*p), "r"(cmpval), "r"(val)
--	    : "memory", "$3"
--		);
-+	__asm__ __volatile__ (
-+	"	.set	push		\n"
-+	"	.set	mips2		\n"
-+	"	.set	noreorder	\n"
-+	"	.set	noat		\n"
-+	"1:	ll	$1, %1		\n"
-+	"	bne	$1, %3, 2f	\n"
-+	"	move	%2, %4		\n"
-+	"	sc	%2, %1		\n"
-+	"	beqz	%2, 1b		\n"
-+	"2:	move	%0, $1		\n"
-+	"	.set	pop		\n"
-+	: "=&r"(orig), "+R" (*p), "=r" (tmp)
-+	: "r"(cmpval), "r"(val)
-+	: "memory");
- 
- 	return (orig);
- }
diff --git a/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
new file mode 100644
index 0000000..9829f15
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
@@ -0,0 +1,36 @@
+Use python3 rather default python which maybe links to python2 for oe. And add
+option for setup.py to install files to right directory.
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: Kai Kang <kai.kang at windriver.com>
+---
+diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
+index a43a3c1..2e727f2 100644
+--- a/bin/python/Makefile.in
++++ b/bin/python/Makefile.in
+@@ -55,9 +55,9 @@ install:: ${TARGETS} installdirs
+ 	${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
+ 	if test -n "${PYTHON}" ; then \
+ 		if test -n "${DESTDIR}" ; then \
+-			${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} ; \
++			${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
+ 		else \
+-			${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} ; \
++			${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
+ 		fi \
+ 	fi
+ 
+diff --git a/configure.in b/configure.in
+index 314bb90..867923e 100644
+--- a/configure.in
++++ b/configure.in
+@@ -227,7 +227,7 @@ AC_ARG_WITH(python,
+ [  --with-python=PATH      specify path to python interpreter],
+     use_python="$withval", use_python="unspec")
+ 
+-python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
++python="python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
+ 
+ testargparse='try: import argparse
+ except: exit(1)'
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
similarity index 85%
rename from meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
rename to meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
index 7eb79b0..e6e1e8d 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
@@ -3,14 +3,13 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
 SECTION = "console/network"
 
 LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=dba46507446198119bcde32a4feaab43"
 
 DEPENDS = "openssl libcap"
 
 SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://conf.patch \
            file://make-etc-initd-bind-stop-work.patch \
-           file://mips1-not-support-opcode.diff \
            file://dont-test-on-host.patch \
            file://generate-rndc-key.sh \
            file://named.service \
@@ -21,21 +20,14 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
            file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
            file://0001-lib-dns-gen.c-fix-too-long-error.patch \
-           file://CVE-2016-1285.patch \
-           file://CVE-2016-1286_1.patch \
-           file://CVE-2016-1286_2.patch \
-           file://CVE-2016-2088.patch \
-           file://CVE-2016-2775.patch \
-           file://CVE-2016-2776.patch \
-           file://CVE-2016-8864.patch \
-           file://CVE-2016-6170.patch \
+           file://use-python3-and-fix-install-lib-path.patch \
            "
 
 UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
 
-SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
-SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83"
+SRC_URI[md5sum] = "d79cafbd9ac76239ee532dd89d05cc83"
+SRC_URI[sha256sum] = "8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a"
 
 ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
 EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
@@ -44,7 +36,10 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
                  --sysconfdir=${sysconfdir}/bind \
                  --with-openssl=${STAGING_LIBDIR}/.. \
                "
-inherit autotools update-rc.d systemd useradd pkgconfig
+
+inherit autotools update-rc.d systemd useradd pkgconfig python3-dir
+
+export PYTHON_SITEPACKAGES_DIR
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
 PACKAGECONFIG ?= "readline"
@@ -70,7 +65,7 @@ RDEPENDS_${PN}-dev = ""
 PACKAGE_BEFORE_PN += "${PN}-utils"
 FILES_${PN}-utils = "${bindir}/host ${bindir}/dig"
 FILES_${PN}-dev += "${bindir}/isc-config.h"
-FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
+FILES_${PN} += "${sbindir}/generate-rndc-key.sh ${PYTHON_SITEPACKAGES_DIR}"
 
 do_install_prepend() {
 	# clean host path in isc-config.sh before the hardlink created
@@ -107,6 +102,8 @@ do_install_append() {
 		install -d ${D}${sysconfdir}/tmpfiles.d
 		echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
 	fi
+
+    rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/isc/*.pyc
 }
 
 CONFFILES_${PN} = " \
-- 
2.10.1




More information about the Openembedded-core mailing list