Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in 
at 2021-12-28 12:26:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind"

Tue Dec 28 12:26:09 2021 rev:175 rq:942722 version:9.16.24

Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes        2021-12-06 
23:59:38.616508934 +0100
+++ /work/SRC/openSUSE:Factory/.bind.new.2520/bind.changes      2021-12-28 
12:26:21.804472419 +0100
@@ -1,0 +2,19 @@
+Wed Dec 15 14:37:47 UTC 2021 - Josef M??llers <josef.moell...@suse.com>
+
+- Upgrade to release 9.16.24
+  This upgrade fixes the following bugs:
+  * mdig now honors the operating system's preferred ephemeral port
+    range.
+  * Fix a "named" crash related to removing and restoring a
+    `catalog-zone` entry in the configuration file and running
+    `rndc reconfig`.
+  * dns_sdlz_putrr failed to process some valid resource records.
+  * dnssec-dsfromkey failed to omit revoked keys.
+  Functional change:
+  * Change the message when accepting TCP connection has failed to
+    say "Accepting TCP connection failed" and change the log level
+    for ISC_R_NOTCONNECTED, ISC_R_QUOTA and ISC_R_SOFTQUOTA results
+    codes from ERROR to INFO.
+    [bind-9.16.24.tar.xz]
+
+-------------------------------------------------------------------

Old:
----
  bind-9.16.23.tar.xz
  bind-9.16.23.tar.xz.sha512.asc

New:
----
  bind-9.16.24.tar.xz
  bind-9.16.24.tar.xz.sha512.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.AXQ4aN/_old  2021-12-28 12:26:22.412472879 +0100
+++ /var/tmp/diff_new_pack.AXQ4aN/_new  2021-12-28 12:26:22.420472885 +0100
@@ -46,7 +46,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.16.23
+Version:        9.16.24
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0

++++++ bind-9.16.23.tar.xz -> bind-9.16.24.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/.dir-locals.el 
new/bind-9.16.24/.dir-locals.el
--- old/bind-9.16.23/.dir-locals.el     2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/.dir-locals.el     2021-12-07 13:24:49.000000000 +0100
@@ -77,6 +77,9 @@
               (expand-file-name
                (concat directory-of-current-dir-locals-file 
"bin/rndc/include"))
 
+              (expand-file-name "/usr/include/libxml2")
+              (expand-file-name "/usr/include/json-c")
+              
               (expand-file-name "/usr/local/opt/openssl@1.1/include")
               (expand-file-name "/usr/local/opt/libxml2/include/libxml2")
               (expand-file-name "/usr/local/opt/json-c/include/json-c/")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/.gitlab-ci.yml 
new/bind-9.16.24/.gitlab-ci.yml
--- old/bind-9.16.23/.gitlab-ci.yml     2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/.gitlab-ci.yml     2021-12-07 13:24:49.000000000 +0100
@@ -40,6 +40,13 @@
   BIND_STRESS_TEST_OS: linux
   BIND_STRESS_TEST_ARCH: amd64
 
+# Allow all running CI jobs to be automatically canceled when a new
+# version of a branch is pushed.
+#
+# See: 
https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
+default:
+  interruptible: true
+
 stages:
   - precheck
   - build
@@ -505,7 +512,9 @@
       artifacts: true
   script:
     - *configure
-    - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE 
'(ans\.py|dangerfile\.py)')
+    - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE 
'(ans\.py|dangerfile\.py|^bin/tests/system/)')
+      # Ignore Flake8 E402 error (module level import not at top of file) in 
system test to enable use of pytest.importorskip
+    - flake8 --max-line-length=80 --extend-ignore=E402 $(git ls-files 
'bin/tests/system/*.py' | grep -vE 'ans\.py')
 
 pylint:
   <<: *default_triggering_rules
@@ -516,8 +525,10 @@
       artifacts: true
   script:
     - *configure
-    - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
-    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep 
-vE '(ans\.py|dangerfile\.py)')
+    - export PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
+    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep 
-vE '(ans\.py|dangerfile\.py|^bin/tests/system/)')
+      # Ignore Pylint wrong-import-position error in system test to enable use 
of pytest.importorskip
+    - pylint --rcfile $CI_PROJECT_DIR/.pylintrc 
--disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep 
-vE 'ans\.py')
 
 tarball-create:
   stage: precheck
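Review bot: The added pylint run passes `--disable=wrong-import-position` for every Python file under bin/tests/system/, although the comment says the exemption is only needed for the imports that follow pytest.importorskip. A per-line marker on those imports (`# pylint: disable=wrong-import-position`) would keep the check active for the rest of each file and let the two pylint invocations collapse back into one. The flake8 job in the previous hunk makes the same trade with `--extend-ignore=E402`, where `# noqa: E402` on the affected lines would do.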
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/CHANGES new/bind-9.16.24/CHANGES
--- old/bind-9.16.23/CHANGES    2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/CHANGES    2021-12-07 13:24:49.000000000 +0100
@@ -1,3 +1,27 @@
+       --- 9.16.24 released ---
+
+5773.  [func]          Change the message when accepting TCP connection has
+                       failed to say "Accepting TCP connection failed" and
+                       change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
+                       and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
+                       [GL #2700]
+
+5768.  [bug]           dnssec-dsfromkey failed to omit revoked keys. [GL #853]
+
+5764.  [bug]           dns_sdlz_putrr failed to process some valid resource
+                       records. [GL #3021]
+
+5762.  [bug]           Fix a "named" crash related to removing and restoring a
+                       `catalog-zone` entry in the configuration file and
+                       running `rndc reconfig`. [GL #1608]
+
+5758.  [bug]           mdig now honors the operating system's preferred
+                       ephemeral port range. [GL #2374]
+
+5757.  [test]          Replace sed in nsupdate system test with awk to
+                       construct the nsupdate command.  The sed expression
+                       was not reliably changing the ttl. [GL #3003]
+
        --- 9.16.23 released ---
 
 5752.  [bug]           Fix an assertion failure caused by missing member zones
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.c 
new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.c
--- old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.c      2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.c      2021-12-07 
13:24:49.000000000 +0100
@@ -262,6 +262,10 @@
                fatal("can't convert DNSKEY");
        }
 
+       if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+               return;
+       }
+
        if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
                return;
        }
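Review bot: The new early return for `DNS_KEYFLAG_REVOKE` drops the key without any trace, so an operator who feeds in a key set whose only KSK has been revoked gets empty output and no hint why. A short comment above the check, e.g. `/* Never emit a DS for a revoked key; it must not be published as a secure entry point. */`, would record the intent, and a verbose-level diagnostic naming the skipped key would make the omission visible. Whether the caller reports an error when every key is skipped cannot be seen from this hunk, since the enclosing function starts and ends outside it.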
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.rst 
new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.rst
--- old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.rst    2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.rst    2021-12-07 
13:24:49.000000000 +0100
@@ -43,6 +43,10 @@
 The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource 
records
 (RRs), or CDS (Child DS) RRs with the ``-C`` option.
 
+By default, only KSKs are converted (keys with flags = 257).  The
+``-A`` option includes ZSKs (flags = 256).  Revoked keys are never
+included.
+
 The input keys can be specified in a number of ways:
 
 By default, ``dnssec-dsfromkey`` reads a key file named in the format
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/named/config.c 
new/bind-9.16.24/bin/named/config.c
--- old/bind-9.16.23/bin/named/config.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/named/config.c 2021-12-07 13:24:49.000000000 +0100
@@ -281,14 +281,14 @@
                            "#\n\
 #  Default trusted key(s), used if \n\
 # \"dnssec-validation auto;\" is set and\n\
-#  sysconfdir/bind.keys doesn't exist).\n\
+#  " NAMED_SYSCONFDIR "/bind.keys doesn't exist).\n\
 #\n\
-# BEGIN DNSSEC KEYS\n"
+# BEGIN TRUST ANCHORS\n"
 
        /* Imported from bind.keys.h: */
        TRUST_ANCHORS
 
-                           "# END MANAGED KEYS\n\
+                           "# END TRUST ANCHORS\n\
 \n\
 primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
        2001:500:200::b;        # b.root-servers.net\n\
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/named/server.c 
new/bind-9.16.24/bin/named/server.c
--- old/bind-9.16.23/bin/named/server.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/named/server.c 2021-12-07 13:24:49.000000000 +0100
@@ -6523,6 +6523,8 @@
 
        if (zone_is_catz) {
                dns_zone_catz_enable(zone, view->catzs);
+       } else if (dns_zone_catz_is_enabled(zone)) {
+               dns_zone_catz_disable(zone);
        }
 
        /*
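Review bot: The added `else if` branch has no comment saying when a zone that is not a catalog zone can still have catz enabled, which is the whole reason the branch exists. Judging by the changelog entry, that happens when a `catalog-zones` entry is removed from the configuration and `rndc reconfig` reuses the existing zone object; a comment such as `/* Zone was reused from the old configuration but is no longer listed in catalog-zones: drop its stale catz state. */` would make that explicit. The enclosing function begins and ends outside this hunk, so whether the zone is locked across the is_enabled/disable pair cannot be checked here.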
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/rndc/rndc.rst 
new/bind-9.16.24/bin/rndc/rndc.rst
--- old/bind-9.16.23/bin/rndc/rndc.rst  2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/rndc/rndc.rst  2021-12-07 13:24:49.000000000 +0100
@@ -370,11 +370,24 @@
    avoids the need to examine the modification times of the zone files.
 
 ``recursing``
-   This command dumps the list of queries ``named`` is currently recursing on, 
and the
-   list of domains to which iterative queries are currently being sent.
-   The second list includes the number of fetches currently active for
-   the given domain, and how many have been passed or dropped because of
-   the ``fetches-per-zone`` option.
+   This command dumps the list of queries ``named`` is currently
+   recursing on, and the list of domains to which iterative queries
+   are currently being sent.
+
+   The first list includes all unique clients that are waiting for
+   recursion to complete, including the query that is awaiting a
+   response and the timestamp (seconds since the Unix epoch) of
+   when named started processing this client query.
+
+   The second list comprises of domains for which there are active
+   (or recently active) fetches in progress.  It reports the number
+   of active fetches for each domain and the number of queries that
+   have been passed (allowed) or dropped (spilled) as a result of
+   the ``fetches-per-zone`` limit.  (Note: these counters are not
+   cumulative over time; whenever the number of active fetches for
+   a domain drops to zero, the counter for that domain is deleted,
+   and the next time a fetch is sent to that domain, it is recreated
+   with the counters set to zero).
 
 ``refresh`` *zone* [*class* [*view*]]
    This command schedules zone maintenance for the given zone.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/ns2/named.conf.in 
new/bind-9.16.24/bin/tests/system/catz/ns2/named.conf.in
--- old/bind-9.16.23/bin/tests/system/catz/ns2/named.conf.in    2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/ns2/named.conf.in    1970-01-01 
01:00:00.000000000 +0100
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "../../common/rndc.key";
-
-controls {
-       inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-options {
-       query-source address 10.53.0.2;
-       notify-source 10.53.0.2;
-       transfer-source 10.53.0.2;
-       port @PORT@;
-       pid-file "named.pid";
-       listen-on { 10.53.0.2; };
-       listen-on-v6 { fd92:7065:b8e:ffff::2; };
-       notify no;
-       recursion no;
-       serial-query-rate 100;
-       catalog-zones {
-               zone "catalog1.example"
-                       default-masters { 10.53.0.1; }
-                       in-memory no
-                       zone-directory "zonedir";
-               zone "catalog2.example"
-                       default-masters { 10.53.0.1 port @EXTRAPORT1@; }
-                       in-memory yes;
-               zone "catalog3.example"
-                       default-masters { 10.53.0.1; }
-                       zone-directory "nonexistent";
-#T1            zone "catalog4.example"
-#T1                    default-masters { 10.53.0.1; };
-#T2            zone "catalog5.example"
-#T2                    default-masters { 10.53.0.1; };
-       };
-};
-
-zone "catalog1.example" {
-       type secondary;
-       file "catalog1.example.db";
-       primaries { 10.53.0.1; };
-};
-
-zone "catalog2.example" {
-       type secondary;
-       file "catalog2.example.db";
-       primaries { 10.53.0.3; };
-};
-
-zone "catalog3.example" {
-       type secondary;
-       file "catalog3.example.db";
-       primaries { 10.53.0.1; };
-};
-
-zone "catalog4.example" {
-       type secondary;
-       file "catalog4.example.db";
-       primaries { 10.53.0.1; };
-};
-
-key tsig_key. {
-       secret "LSAnCU+Z";
-       algorithm hmac-md5;
-};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.16.23/bin/tests/system/catz/ns2/named1.conf.in 
new/bind-9.16.24/bin/tests/system/catz/ns2/named1.conf.in
--- old/bind-9.16.23/bin/tests/system/catz/ns2/named1.conf.in   1970-01-01 
01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/ns2/named1.conf.in   2021-12-07 
13:24:49.000000000 +0100
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+       inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+       query-source address 10.53.0.2;
+       notify-source 10.53.0.2;
+       transfer-source 10.53.0.2;
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.2; };
+       listen-on-v6 { fd92:7065:b8e:ffff::2; };
+       notify no;
+       recursion no;
+       serial-query-rate 100;
+       catalog-zones {
+               zone "catalog1.example"
+                       default-masters { 10.53.0.1; }
+                       in-memory no
+                       zone-directory "zonedir";
+               zone "catalog2.example"
+                       default-masters { 10.53.0.1 port @EXTRAPORT1@; }
+                       in-memory yes;
+               zone "catalog3.example"
+                       default-masters { 10.53.0.1; }
+                       zone-directory "nonexistent";
+#T1            zone "catalog4.example"
+#T1                    default-masters { 10.53.0.1; };
+#T2            zone "catalog5.example"
+#T2                    default-masters { 10.53.0.1; };
+       };
+};
+
+zone "catalog1.example" {
+       type secondary;
+       file "catalog1.example.db";
+       primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+       type secondary;
+       file "catalog2.example.db";
+       primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+       type secondary;
+       file "catalog3.example.db";
+       primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+       type secondary;
+       file "catalog4.example.db";
+       primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+       secret "LSAnCU+Z";
+       algorithm hmac-md5;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.16.23/bin/tests/system/catz/ns2/named2.conf.in 
new/bind-9.16.24/bin/tests/system/catz/ns2/named2.conf.in
--- old/bind-9.16.23/bin/tests/system/catz/ns2/named2.conf.in   1970-01-01 
01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/ns2/named2.conf.in   2021-12-07 
13:24:49.000000000 +0100
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+       inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+       query-source address 10.53.0.2;
+       notify-source 10.53.0.2;
+       transfer-source 10.53.0.2;
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.2; };
+       listen-on-v6 { fd92:7065:b8e:ffff::2; };
+       notify no;
+       recursion no;
+       serial-query-rate 100;
+       # removed catalog-zone option, otherwise this is
+       # identical to named1.conf.in
+};
+
+zone "catalog1.example" {
+       type secondary;
+       file "catalog1.example.db";
+       primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+       type secondary;
+       file "catalog2.example.db";
+       primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+       type secondary;
+       file "catalog3.example.db";
+       primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+       type secondary;
+       file "catalog4.example.db";
+       primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+       secret "LSAnCU+Z";
+       algorithm hmac-md5;
+};
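Review bot: This new fixture carries over `algorithm hmac-md5` with a short literal secret for `tsig_key.` and a control channel with `allow { any; }`, and nothing in the file says these are test-only values. HMAC-MD5 is a legacy TSIG algorithm, so a one-line comment above the key block, e.g. `# test-only key; do not copy: hmac-md5 and a fixed secret are not suitable for real deployments`, would stop the block from being reused as a template. With the `catalog-zones` option removed the key is not referenced anywhere in this file, so it may be possible to drop it here altogether; that depends on zone data outside this diff. The same key block appears in named1.conf.in.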
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/setup.sh 
new/bind-9.16.24/bin/tests/system/catz/setup.sh
--- old/bind-9.16.23/bin/tests/system/catz/setup.sh     2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/setup.sh     2021-12-07 
13:24:49.000000000 +0100
@@ -15,7 +15,7 @@
 $SHELL clean.sh
 
 copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 
 cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/tests.sh 
new/bind-9.16.24/bin/tests/system/catz/tests.sh
--- old/bind-9.16.23/bin/tests/system/catz/tests.sh     2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/tests.sh     2021-12-07 
13:24:49.000000000 +0100
@@ -1179,7 +1179,7 @@
 n=$((n+1))
 echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)"
 ret=0
-sed -e "s/^#T1//g" <  ns2/named.conf.in > ns2/named.conf.tmp
+sed -e "s/^#T1//g" <  ns2/named1.conf.in > ns2/named.conf.tmp
 copy_setports ns2/named.conf.tmp ns2/named.conf
 rndccmd 10.53.0.2 reconfig || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -1210,7 +1210,7 @@
 n=$((n+1))
 echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding 
non-existent catalog5 catalog zone ($n)"
 ret=0
-sed -e "s/^#T2//" < ns2/named.conf.in > ns2/named.conf.tmp
+sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp
 copy_setports ns2/named.conf.tmp ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 && 
ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -1219,7 +1219,7 @@
 n=$((n+1))
 echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone 
($n)"
 ret=0
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
 rndccmd 10.53.0.2 reconfig || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
@@ -1730,5 +1730,15 @@
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "checking that reconfig can delete and restore catalog zone 
configuration ($n)"
+ret=0
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
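Review bot: The new delete-and-restore check passes as soon as both `rndccmd 10.53.0.2 reconfig` calls return success, but it never confirms that named on 10.53.0.2 is still running or that the catalog zones came back after the second reconfig. The bug being covered was a crash, which could in principle happen after rndc has already returned. Adding a liveness probe after the second reconfig, for example `rndccmd 10.53.0.2 status > /dev/null || ret=1`, would make the test fail in that case. Checking the ns2 log for the catalog zones being set up again would tighten it further, though the exact log text is not visible in this diff.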
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/checkds/clean.sh 
new/bind-9.16.24/bin/tests/system/checkds/clean.sh
--- old/bind-9.16.23/bin/tests/system/checkds/clean.sh  2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/checkds/clean.sh  2021-12-07 
13:24:49.000000000 +0100
@@ -21,5 +21,4 @@
 rm -f ns*/managed-keys.bind*
 rm -f ns*/*.mkeys
 rm -f ns*/zones
-rm -f tests-checkds.py.status
 rm -f *.checkds.out
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dlzexternal/driver.c 
new/bind-9.16.24/bin/tests/system/dlzexternal/driver.c
--- old/bind-9.16.23/bin/tests/system/dlzexternal/driver.c      2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/dlzexternal/driver.c      2021-12-07 
13:24:49.000000000 +0100
@@ -238,10 +238,9 @@
        struct dlz_example_data *state;
        const char *helper_name;
        va_list ap;
-       char soa_data[1024];
-       const char *extra;
+       char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")];
        isc_result_t result;
-       int n;
+       size_t n;
 
        UNUSED(dlzname);
 
@@ -275,19 +274,19 @@
                sprintf(state->zone_name, "%s.", argv[1]);
        }
 
+       /*
+        * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+        */
        if (strcmp(state->zone_name, ".") == 0) {
-               extra = ".root";
+               n = strlcpy(soa_data,
+                           "@ hostmaster.root 123 900 600 86400 3600",
+                           sizeof(soa_data));
        } else {
-               extra = ".";
+               n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600",
+                           sizeof(soa_data));
        }
 
-       n = sprintf(soa_data, "%s hostmaster%s%s 123 900 600 86400 3600",
-                   state->zone_name, extra, state->zone_name);
-
-       if (n < 0) {
-               CHECK(ISC_R_FAILURE);
-       }
-       if ((unsigned)n >= sizeof(soa_data)) {
+       if (n >= sizeof(soa_data)) {
                CHECK(ISC_R_NOSPACE);
        }
 
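Review bot: The size of `soa_data` is now derived from a string literal in the declaration (previous hunk) that is repeated verbatim in the `strlcpy` call here, so the two can drift apart if only one is edited. Naming the literal once, e.g. `static const char soa_root[] = "@ hostmaster.root 123 900 600 86400 3600";` with `char soa_data[sizeof(soa_root)];`, keeps buffer and content tied together. As written, both source strings fit, so the `n >= sizeof(soa_data)` branch is unreachable and serves only as a guard against such drift; a comment saying so would help. The function body starts and ends outside both hunks.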
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.16.23/bin/tests/system/dlzexternal/ns1/dlzs.conf.in 
new/bind-9.16.24/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
--- old/bind-9.16.23/bin/tests/system/dlzexternal/ns1/dlzs.conf.in      
2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/dlzexternal/ns1/dlzs.conf.in      
2021-12-07 13:24:49.000000000 +0100
@@ -21,6 +21,11 @@
        database "dlopen ../driver.@SO@ example.org";
 };
 
+dlz "example four" {
+        // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+        database "dlopen ../driver.@SO@ 
123456789.123456789.123456789.123456789.123456789.example.foo";
+};
+
 dlz "unsearched1" {
        database "dlopen ../driver.@SO@ other.nil";
        search no;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dnssec/tests.sh 
new/bind-9.16.24/bin/tests/system/dnssec/tests.sh
--- old/bind-9.16.23/bin/tests/system/dnssec/tests.sh   2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/dnssec/tests.sh   2021-12-07 
13:24:49.000000000 +0100
@@ -2881,6 +2881,18 @@
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
+test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || 
ret=1
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || 
ret=1
+test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
 echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
 ret=0
 dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > 
dig.out.ns3.test$n 2>&1
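Review bot: The new "check dnssec-dsfromkey with revoked key" block never adds its result to the overall status: it ends with `test "$ret" -eq 0 || echo_i "failed"` and has no `status=$((status+ret))`, unlike the block directly above it. A regression in the revoked-key handling would therefore print "failed" without being counted in `status`. Add `status=$((status+ret))` after the echo_i line. The two `test $(...) -eq N` comparisons would also read more cleanly with the command substitution quoted, since an empty result currently produces a test usage error instead of a plain mismatch.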
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/nsupdate/clean.sh 
new/bind-9.16.24/bin/tests/system/nsupdate/clean.sh
--- old/bind-9.16.23/bin/tests/system/nsupdate/clean.sh 2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/nsupdate/clean.sh 2021-12-07 
13:24:49.000000000 +0100
@@ -63,4 +63,5 @@
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f update.out.*
+rm -f update.in.*
 rm -f verylarge
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/nsupdate/tests.sh 
new/bind-9.16.24/bin/tests/system/nsupdate/tests.sh
--- old/bind-9.16.23/bin/tests/system/nsupdate/tests.sh 2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/nsupdate/tests.sh 2021-12-07 
13:24:49.000000000 +0100
@@ -751,9 +751,10 @@
 echo_i "check that changes to the DNSKEY RRset TTL do not have side effects 
($n)"
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
         @10.53.0.3 dnskey | \
-       sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
-       (echo server 10.53.0.3 ${PORT}; cat - ; echo send ) |
-$NSUPDATE
+       awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; }
+       $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update 
add", $0 }
+       END { print "send" }' > update.in.$n
+$NSUPDATE update.in.$n
 
 $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
        @10.53.0.3 any > dig.out.ns3.$n
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/run.sh 
new/bind-9.16.24/bin/tests/system/run.sh
--- old/bind-9.16.23/bin/tests/system/run.sh    2021-11-05 10:03:26.000000000 
+0100
+++ new/bind-9.16.24/bin/tests/system/run.sh    2021-12-07 13:24:49.000000000 
+0100
@@ -228,6 +228,7 @@
     if [ -n "$PYTEST" ]; then
         run=$((run+1))
         for test in $(cd "${systest}" && find . -name "tests*.py"); do
+            rm -f "$systest/$test.status"
             if start_servers; then
                 rm -f "$systest/$test.status"
                 test_status=0
@@ -243,6 +244,7 @@
                 break
             fi
         done
+        rm -f "$systest/$test.status"
     else
         echoinfo "I:$systest:pytest not installed, skipping python tests"
     fi
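Review bot: The `rm -f "$systest/$test.status"` added after `done` runs outside the loop, where `$test` holds only the last value the loop assigned, so it cleans up at most one status file. If `find` matched nothing, it expands to whatever `$test` held before, possibly empty, which gives `$systest/.status`. If the intent is to remove the file of the test that hit `break`, doing the removal right before the `break` would say so directly; if it is to clean all of them, the rm belongs at the end of each iteration. The first hunk also leaves the older `rm -f` inside `if start_servers` in place, which is now redundant with the one added just before it. The loop body lies partly outside these hunks, so where the status file is created is not visible.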
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/shutdown/clean.sh 
new/bind-9.16.24/bin/tests/system/shutdown/clean.sh
--- old/bind-9.16.23/bin/tests/system/shutdown/clean.sh 2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/shutdown/clean.sh 2021-12-07 
13:24:49.000000000 +0100
@@ -14,4 +14,3 @@
 rm -f */named.conf
 rm -f */named.run
 rm -rf __pycache__
-rm -f *.status
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/conftest.py 
new/bind-9.16.24/bin/tests/system/wildcard/conftest.py
--- old/bind-9.16.23/bin/tests/system/wildcard/conftest.py      1970-01-01 
01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/conftest.py      2021-12-07 
13:24:49.000000000 +0100
@@ -0,0 +1,18 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+
+
+@pytest.fixture(scope='module')
+def named_port():
+    return int(os.environ.get("PORT", default=5300))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.16.23/bin/tests/system/wildcard/ns1/allwild.db.in 
new/bind-9.16.24/bin/tests/system/wildcard/ns1/allwild.db.in
--- old/bind-9.16.23/bin/tests/system/wildcard/ns1/allwild.db.in        
1970-01-01 01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/allwild.db.in        
2021-12-07 13:24:49.000000000 +0100
@@ -0,0 +1,4 @@
+$ORIGIN allwild.test.
+allwild.test.                 3600 IN  SOA   . . 0 0 0 0 0
+allwild.test.                 3600     NS    ns.example.test.
+*.allwild.test.           3600     A     192.0.2.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.16.23/bin/tests/system/wildcard/ns1/named.conf.in 
new/bind-9.16.24/bin/tests/system/wildcard/ns1/named.conf.in
--- old/bind-9.16.23/bin/tests/system/wildcard/ns1/named.conf.in        
2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/named.conf.in        
2021-12-07 13:24:49.000000000 +0100
@@ -27,6 +27,7 @@
 /*
  * RFC 4592 example zone.
  */
+zone "allwild.test" { type primary; file "allwild.db"; };
 zone "example" { type primary; file "example.db"; };
 zone "nsec" { type primary; file "nsec.db.signed"; };
 zone "private.nsec" { type primary; file "private.nsec.db.signed"; };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/ns1/sign.sh 
new/bind-9.16.24/bin/tests/system/wildcard/ns1/sign.sh
--- old/bind-9.16.23/bin/tests/system/wildcard/ns1/sign.sh      2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/sign.sh      2021-12-07 
13:24:49.000000000 +0100
@@ -17,6 +17,7 @@
 dssets=
 
 # RFC 4592 example zone.
+cp allwild.db.in allwild.db
 cp example.db.in example.db
 
 zone=nsec
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.16.23/bin/tests/system/wildcard/tests-wildcard.py 
new/bind-9.16.24/bin/tests/system/wildcard/tests-wildcard.py
--- old/bind-9.16.23/bin/tests/system/wildcard/tests-wildcard.py        
1970-01-01 01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/tests-wildcard.py        
2021-12-07 13:24:49.000000000 +0100
@@ -0,0 +1,103 @@
+#!/usr/bin/python3
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+"""
+Example property-based test for wildcard synthesis.
+Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1
+produces synthesized answers for <random_label>.test. A, and returns NODATA for
+<random_label>.test. when rdtype is not A.
+
+Limitations - untested properties:
+    - expansion works with multiple labels
+    - asterisk in qname does not cause expansion
+    - empty non-terminals prevent expansion
+    - or more generally any existing node prevents expansion
+    - DNSSEC record inclusion
+    - possibly others, see RFC 4592 and company
+    - content of authority & additional sections
+    - flags beyond RCODE
+    - special behavior of rdtypes like CNAME
+"""
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.name
+import dns.query
+import dns.rcode
+import dns.rdatatype
+
+pytest.importorskip("hypothesis")
+from hypothesis import given
+from hypothesis.strategies import binary, integers
+
+
+# labels of a zone with * A 192.0.2.1 wildcard
+WILDCARD_ZONE = ('allwild', 'test', '')
+WILDCARD_RDTYPE = dns.rdatatype.A
+WILDCARD_RDATA = '192.0.2.1'
+IPADDR = '10.53.0.1'
+TIMEOUT = 5  # seconds, just a sanity check
+
+
+# Helpers
+def is_nonexpanding_rdtype(rdtype):
+    """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895"""
+    return not(rdtype == WILDCARD_RDTYPE
+               or dns.rdatatype.is_metatype(rdtype)  # known metatypes: OPT ...
+               or 128 <= rdtype <= 255)  # unknown meta types
+
+
+def tcp_query(where, port, qname, qtype):
+    querymsg = dns.message.make_query(qname, qtype)
+    assert len(querymsg.question) == 1
+    return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT)
+
+
+def query(where, port, label, rdtype):
+    labels = (label, ) + WILDCARD_ZONE
+    qname = dns.name.Name(labels)
+    return tcp_query(where, port, qname, rdtype)
+
+
+# Tests
+@given(label=binary(min_size=1, max_size=63),
+       rdtype=integers(min_value=0, max_value=65535).filter(
+           is_nonexpanding_rdtype))
+def test_wildcard_rdtype_mismatch(label, rdtype, named_port):
+    """any label non-matching rdtype must result in to NODATA"""
+    check_answer_nodata(*query(IPADDR, named_port, label, rdtype))
+
+
+def check_answer_nodata(querymsg, answer):
+    assert querymsg.is_response(answer), str(answer)
+    assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+    assert answer.answer == [], str(answer)
+
+
+@given(label=binary(min_size=1, max_size=63))
+def test_wildcard_match(label, named_port):
+    """any label with maching rdtype must result in wildcard data in answer"""
+    check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE))
+
+
+def check_answer_noerror(querymsg, answer):
+    assert querymsg.is_response(answer), str(answer)
+    assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+    assert len(querymsg.question) == 1, str(answer)
+    expected_answer = [dns.rrset.from_text(
+                            querymsg.question[0].name,
+                            300,  # TTL, ignored by dnspython comparison
+                            dns.rdataclass.IN,
+                            WILDCARD_RDTYPE,
+                            WILDCARD_RDATA)]
+    assert answer.answer == expected_answer, str(answer)
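Review bot: `check_answer_noerror` calls `dns.rrset.from_text` and reads `dns.rdataclass.IN`, but the import block names only dns.message, dns.name, dns.query, dns.rcode and dns.rdatatype, so the test presumably works only because those two submodules get loaded as a side effect of the others. Adding `import dns.rdataclass` and `import dns.rrset` next to the existing imports makes the dependency explicit. The module docstring also says `<random_label>.test.` while `WILDCARD_ZONE` is `allwild.test.`, and the two test docstrings would read better as `"""any label with a non-matching rdtype must result in NODATA"""` and `"""any label with matching rdtype must result in wildcard data in answer"""`.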
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/bin/tools/mdig.c 
new/bind-9.16.24/bin/tools/mdig.c
--- old/bind-9.16.23/bin/tools/mdig.c   2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tools/mdig.c   2021-12-07 13:24:49.000000000 +0100
@@ -25,6 +25,7 @@
 #include <isc/net.h>
 #include <isc/nonce.h>
 #include <isc/parseint.h>
+#include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/random.h>
 #include <isc/sockaddr.h>
@@ -2057,6 +2058,47 @@
        }
 }
 
+/*
+ * Try honoring the operating system's preferred ephemeral port range.
+ */
+static void
+set_source_ports(dns_dispatchmgr_t *manager) {
+       isc_portset_t *v4portset = NULL, *v6portset = NULL;
+       in_port_t udpport_low, udpport_high;
+       isc_result_t result;
+
+       result = isc_portset_create(mctx, &v4portset);
+       if (result != ISC_R_SUCCESS) {
+               fatal("isc_portset_create (v4) failed");
+       }
+
+       result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+       if (result != ISC_R_SUCCESS) {
+               fatal("isc_net_getudpportrange (v4) failed");
+       }
+
+       isc_portset_addrange(v4portset, udpport_low, udpport_high);
+
+       result = isc_portset_create(mctx, &v6portset);
+       if (result != ISC_R_SUCCESS) {
+               fatal("isc_portset_create (v6) failed");
+       }
+       result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+       if (result != ISC_R_SUCCESS) {
+               fatal("isc_net_getudpportrange (v6) failed");
+       }
+
+       isc_portset_addrange(v6portset, udpport_low, udpport_high);
+
+       result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset);
+       if (result != ISC_R_SUCCESS) {
+               fatal("dns_dispatchmgr_setavailports failed");
+       }
+
+       isc_portset_destroy(mctx, &v4portset);
+       isc_portset_destroy(mctx, &v6portset);
+}
+
 /*% Main processing routine for mdig */
 int
 main(int argc, char *argv[]) {
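Review bot: The comment above `set_source_ports` says "Try honoring", but every failure path in the function calls `fatal()`, which presumably ends the run rather than falling back to the dispatch manager's default ports. If `isc_net_getudpportrange(AF_INET6, ...)` can fail on a host without IPv6 (its behaviour is not visible here), mdig would stop even for IPv4-only queries, although the later hunk in `main` shows `have_ipv4` is tracked separately. Either reword the comment to `/* Restrict source ports to the operating system's ephemeral port range; any failure is fatal. */` or make the failures non-fatal. The v4 and v6 halves are identical apart from the address family and could share one small static helper.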
@@ -2126,12 +2168,14 @@
 
        RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
        RUNCHECK(isc_task_create(taskmgr, 0, &task));
-
        RUNCHECK(isc_timermgr_create(mctx, &timermgr));
        RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
        RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
 
+       set_source_ports(dispatchmgr);
+
        attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY;
+
        if (have_ipv4) {
                isc_sockaddr_any(&bind_any);
                attrs |= DNS_DISPATCHATTR_IPV4;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/configure new/bind-9.16.24/configure
--- old/bind-9.16.23/configure  2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/configure  2021-12-07 13:24:49.000000000 +0100
@@ -16849,6 +16849,14 @@
 
 
 
+#
+# This maintenance branch of BIND 9 does not support new OpenSSL APIs
+# introduced in version 3.0.0.  Suppress compiler warnings about using
+# functions deprecated in newer OpenSSL versions as they will not be
+# addressed in BIND 9.16.
+#
+OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+
 CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
 LIBS="$LIBS $OPENSSL_LIBS"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/configure.ac 
new/bind-9.16.24/configure.ac
--- old/bind-9.16.23/configure.ac       2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/configure.ac       2021-12-07 13:24:49.000000000 +0100
@@ -806,6 +806,14 @@
 
 AX_SAVE_FLAGS([openssl])
 
+#
+# This maintenance branch of BIND 9 does not support new OpenSSL APIs
+# introduced in version 3.0.0.  Suppress compiler warnings about using
+# functions deprecated in newer OpenSSL versions as they will not be
+# addressed in BIND 9.16.
+#
+OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+
 CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
 LIBS="$LIBS $OPENSSL_LIBS"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/doc/arm/notes.rst 
new/bind-9.16.24/doc/arm/notes.rst
--- old/bind-9.16.23/doc/arm/notes.rst  2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/doc/arm/notes.rst  2021-12-07 13:24:49.000000000 +0100
@@ -59,6 +59,7 @@
 information about each release, source code, and pre-compiled versions
 for Microsoft Windows operating systems.
 
+.. include:: ../notes/notes-9.16.24.rst
 .. include:: ../notes/notes-9.16.23.rst
 .. include:: ../notes/notes-9.16.22.rst
 .. include:: ../notes/notes-9.16.21.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/doc/arm/reference.rst 
new/bind-9.16.24/doc/arm/reference.rst
--- old/bind-9.16.23/doc/arm/reference.rst      2021-11-05 10:03:26.000000000 
+0100
+++ new/bind-9.16.24/doc/arm/reference.rst      2021-12-07 13:24:49.000000000 
+0100
@@ -1909,8 +1909,8 @@
 
 ``cookie-algorithm``
    This sets the algorithm to be used when generating the server cookie; the 
options are
-   "aes", "sha1", or "sha256". The default is "aes" if supported by
-   the cryptographic library; otherwise, "sha256".
+   "aes" or "siphash24". The default is "siphash24". The "aes" option remains 
for legacy
+   purposes.
 
 ``cookie-secret``
    If set, this is a shared secret used for generating and verifying
@@ -2961,12 +2961,13 @@
 
    The current list of active fetches can be dumped by running
    ``rndc recursing``. The list includes the number of active fetches
-   for each domain and the number of queries that have been passed or
-   dropped as a result of the ``fetches-per-zone`` limit. (Note: these
-   counters are not cumulative over time; whenever the number of active
-   fetches for a domain drops to zero, the counter for that domain is
-   deleted, and the next time a fetch is sent to that domain, it is
-   recreated with the counters set to zero.)
+   for each domain and the number of queries that have been passed
+   (allowed) or dropped (spilled) as a result of the ``fetches-per-zone``
+   limit. (Note: these counters are not cumulative over time;
+   whenever the number of active fetches for a domain drops to zero,
+   the counter for that domain is deleted, and the next time a fetch
+   is sent to that domain, it is recreated with the counters set
+   to zero.)
 
 ``fetches-per-server``
    This sets the maximum number of simultaneous iterative queries that the 
server
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/doc/man/dnssec-dsfromkey.8in 
new/bind-9.16.24/doc/man/dnssec-dsfromkey.8in
--- old/bind-9.16.23/doc/man/dnssec-dsfromkey.8in       2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/doc/man/dnssec-dsfromkey.8in       2021-12-07 
13:24:49.000000000 +0100
@@ -44,6 +44,10 @@
 The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource 
records
 (RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
 .sp
+By default, only KSKs are converted (keys with flags = 257).  The
+\fB\-A\fP option includes ZSKs (flags = 256).  Revoked keys are never
+included.
+.sp
 The input keys can be specified in a number of ways:
 .sp
 By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/doc/man/rndc.8in 
new/bind-9.16.24/doc/man/rndc.8in
--- old/bind-9.16.23/doc/man/rndc.8in   2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/doc/man/rndc.8in   2021-12-07 13:24:49.000000000 +0100
@@ -372,11 +372,24 @@
 avoids the need to examine the modification times of the zone files.
 .TP
 .B \fBrecursing\fP
-This command dumps the list of queries \fBnamed\fP is currently recursing on, 
and the
-list of domains to which iterative queries are currently being sent.
-The second list includes the number of fetches currently active for
-the given domain, and how many have been passed or dropped because of
-the \fBfetches\-per\-zone\fP option.
+This command dumps the list of queries \fBnamed\fP is currently
+recursing on, and the list of domains to which iterative queries
+are currently being sent.
+.sp
+The first list includes all unique clients that are waiting for
+recursion to complete, including the query that is awaiting a
+response and the timestamp (seconds since the Unix epoch) of
+when named started processing this client query.
+.sp
+The second list comprises of domains for which there are active
+(or recently active) fetches in progress.  It reports the number
+of active fetches for each domain and the number of queries that
+have been passed (allowed) or dropped (spilled) as a result of
+the \fBfetches\-per\-zone\fP limit.  (Note: these counters are not
+cumulative over time; whenever the number of active fetches for
+a domain drops to zero, the counter for that domain is deleted,
+and the next time a fetch is sent to that domain, it is recreated
+with the counters set to zero).
 .TP
 .B \fBrefresh\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
 This command schedules zone maintenance for the given zone.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/doc/notes/notes-9.16.24.rst 
new/bind-9.16.24/doc/notes/notes-9.16.24.rst
--- old/bind-9.16.23/doc/notes/notes-9.16.24.rst        1970-01-01 
01:00:00.000000000 +0100
+++ new/bind-9.16.24/doc/notes/notes-9.16.24.rst        2021-12-07 
13:24:49.000000000 +0100
@@ -0,0 +1,35 @@
+.. 
+   Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+   
+   This Source Code Form is subject to the terms of the Mozilla Public
+   License, v. 2.0. If a copy of the MPL was not distributed with this
+   file, you can obtain one at https://mozilla.org/MPL/2.0/.
+   
+   See the COPYRIGHT file distributed with this work for additional
+   information regarding copyright ownership.
+
+Notes for BIND 9.16.24
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Previously, when an incoming TCP connection could not be accepted
+  because the client closed the connection early, an error message of
+  ``TCP connection failed: socket is not connected`` was logged. This
+  message has been changed to ``Accepting TCP connection failed: socket
+  is not connected``. The severity level at which this type of message
+  is logged has also been changed from ``error`` to ``info`` for the
+  following triggering events: ``socket is not connected``, ``quota
+  reached``, and ``soft quota reached``. :gl:`#2700`
+
+- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys.
+  :gl:`#853`
+
+Bug Fixes
+~~~~~~~~~
+
+- Removing a configured ``catalog-zone`` clause from the configuration,
+  running ``rndc reconfig``, then bringing back the removed
+  ``catalog-zone`` clause and running ``rndc reconfig`` again caused
+  ``named`` to crash. This has been fixed. :gl:`#1608`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/include/dns/zone.h 
new/bind-9.16.24/lib/dns/include/dns/zone.h
--- old/bind-9.16.23/lib/dns/include/dns/zone.h 2021-11-05 10:03:26.000000000 
+0100
+++ new/bind-9.16.24/lib/dns/include/dns/zone.h 2021-12-07 13:24:49.000000000 
+0100
@@ -2606,6 +2606,26 @@
  */
 
 void
+dns_zone_catz_disable(dns_zone_t *zone);
+/*%<
+ * Disable zone as catalog zone, if it is one.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone);
+/*%<
+ * Return a boolean indicating whether the zone is enabled as catalog zone.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+void
 dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
 /*%<
  * If 'zone' is a catalog zone, then set up a notify-on-update trigger
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/rdata/in_1/svcb_64.c 
new/bind-9.16.24/lib/dns/rdata/in_1/svcb_64.c
--- old/bind-9.16.23/lib/dns/rdata/in_1/svcb_64.c       2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/rdata/in_1/svcb_64.c       2021-12-07 
13:24:49.000000000 +0100
@@ -260,7 +260,7 @@
                        RETERR(alpn_fromtxt(region, target));
                        break;
                case sbpr_port:
-                       if (!isdigit(*region->base)) {
+                       if (!isdigit((unsigned char)*region->base)) {
                                return (DNS_R_SYNTAX);
                        }
                        ul = strtoul(region->base, &e, 10);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/sdlz.c 
new/bind-9.16.24/lib/dns/sdlz.c
--- old/bind-9.16.23/lib/dns/sdlz.c     2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/sdlz.c     2021-12-07 13:24:49.000000000 +0100
@@ -1875,7 +1875,6 @@
                                            mctx, rdatabuf, &lookup->callbacks);
                if (result != ISC_R_SUCCESS) {
                        isc_buffer_free(&rdatabuf);
-                       result = DNS_R_SERVFAIL;
                }
                if (size >= 65535) {
                        break;
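Review bot: The branch that frees `rdatabuf` now leaves `result` untouched, and nothing in the code says why. The `while (result == ISC_R_NOSPACE)` condition shown in the next hunk needs the original result code in order to retry, so a one-line comment such as `/* keep result as-is: ISC_R_NOSPACE drives the retry in the loop condition */` would stop the mapping to `DNS_R_SERVFAIL` from being moved back inside the loop. The `do` that opens the loop and the code that changes `size` are outside the hunk.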
@@ -1887,6 +1886,7 @@
        } while (result == ISC_R_NOSPACE);
 
        if (result != ISC_R_SUCCESS) {
+               result = DNS_R_SERVFAIL;
                goto failure;
        }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/win32/libdns.def.in 
new/bind-9.16.24/lib/dns/win32/libdns.def.in
--- old/bind-9.16.23/lib/dns/win32/libdns.def.in        2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/win32/libdns.def.in        2021-12-07 
13:24:49.000000000 +0100
@@ -1173,8 +1173,10 @@
 dns_zone_addnsec3chain
 dns_zone_asyncload
 dns_zone_attach
+dns_zone_catz_disable
 dns_zone_catz_enable
 dns_zone_catz_enable_db
+dns_zone_catz_is_enabled
 dns_zone_cdscheck
 dns_zone_checknames
 dns_zone_clearforwardacl
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/zone.c 
new/bind-9.16.24/lib/dns/zone.c
--- old/bind-9.16.23/lib/dns/zone.c     2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/zone.c     2021-12-07 13:24:49.000000000 +0100
@@ -1942,6 +1942,24 @@
        UNLOCK_ZONE(zone);
 }
 
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+       REQUIRE(DNS_ZONE_VALID(zone));
+
+       LOCK_ZONE(zone);
+       if (zone->catzs != NULL) {
+               dns_catz_catzs_detach(&zone->catzs);
+       }
+       UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone) {
+       REQUIRE(DNS_ZONE_VALID(zone));
+
+       return (zone->catzs != NULL);
+}
+
 /*
  * If a zone is a catalog zone, attach it to update notification in database.
  */
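Review bot: `dns_zone_catz_is_enabled` reads `zone->catzs` without `LOCK_ZONE`, while `dns_zone_catz_disable` just above detaches (and presumably clears) that pointer under the lock. Unless every caller is guaranteed to run while no other thread can reconfigure the zone, which is not visible in this hunk, the read races with the write. Taking the lock around the read, `LOCK_ZONE(zone); enabled = (zone->catzs != NULL); UNLOCK_ZONE(zone);`, would match the neighbouring functions. If the unlocked read is intentional, say so in the `dns/zone.h` comment for the function.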
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/netmgr-int.h 
new/bind-9.16.24/lib/isc/netmgr/netmgr-int.h
--- old/bind-9.16.23/lib/isc/netmgr/netmgr-int.h        2021-11-05 
10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/isc/netmgr/netmgr-int.h        2021-12-07 
13:24:49.000000000 +0100
@@ -1576,4 +1576,7 @@
 void
 isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
 
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+
 #define STREAM_CLIENTS_PER_CONN 23
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/netmgr.c 
new/bind-9.16.24/lib/isc/netmgr/netmgr.c
--- old/bind-9.16.23/lib/isc/netmgr/netmgr.c    2021-11-05 10:03:26.000000000 
+0100
+++ new/bind-9.16.24/lib/isc/netmgr/netmgr.c    2021-12-07 13:24:49.000000000 
+0100
@@ -1967,6 +1967,33 @@
        }
 }
 
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
+       int level;
+
+       switch (result) {
+       case ISC_R_SUCCESS:
+       case ISC_R_NOCONN:
+               return;
+       case ISC_R_QUOTA:
+       case ISC_R_SOFTQUOTA:
+               if (!can_log_quota) {
+                       return;
+               }
+               level = ISC_LOG_INFO;
+               break;
+       case ISC_R_NOTCONNECTED:
+               level = ISC_LOG_INFO;
+               break;
+       default:
+               level = ISC_LOG_ERROR;
+       }
+
+       isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+                     level, "Accepting TCP connection failed: %s",
+                     isc_result_totext(result));
+}
+
 static void
 isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
        isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
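Review bot: `isc__nm_accept_connection_log` has no comment describing its contract, and the severity mapping in the `switch` is the part an operator needs to know. `ISC_R_QUOTA`, `ISC_R_SOFTQUOTA` and `ISC_R_NOTCONNECTED` are now written at `ISC_LOG_INFO`, so a logging configuration that keeps only higher severities no longer records TCP client quota exhaustion. I would add a header comment along the lines of `/* Log a failed accept: quota and early-disconnect results at INFO (quota only when can_log_quota is true), anything else at ERROR; ISC_R_SUCCESS and ISC_R_NOCONN are silent. */`. The `default:` arm also lacks a `break;`, which is harmless on the last label but inconsistent with the other arms.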
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/tcp.c 
new/bind-9.16.24/lib/isc/netmgr/tcp.c
--- old/bind-9.16.23/lib/isc/netmgr/tcp.c       2021-11-05 10:03:26.000000000 
+0100
+++ new/bind-9.16.24/lib/isc/netmgr/tcp.c       2021-12-07 13:24:49.000000000 
+0100
@@ -631,15 +631,7 @@
 
        result = accept_connection(ssock, quota);
 done:
-       if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
-               if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
-                   can_log_tcp_quota()) {
-                       isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-                                     ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
-                                     "TCP connection failed: %s",
-                                     isc_result_totext(result));
-               }
-       }
+       isc__nm_accept_connection_log(result, can_log_tcp_quota());
 }
 
 void
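Review bot: `can_log_tcp_quota()` is now evaluated on every call, including successful accepts, whereas the removed condition only reached it when `result` was `ISC_R_QUOTA` or `ISC_R_SOFTQUOTA`. If that function updates rate-limit state when called (its body is not in this diff), successful accepts would consume the logging window and quota messages could be suppressed under load. Keeping the old short-circuit at the call site avoids that: `isc__nm_accept_connection_log(result, (result == ISC_R_QUOTA || result == ISC_R_SOFTQUOTA) && can_log_tcp_quota());`. The same applies to the second hunk in this file and to both `can_log_tcpdns_quota()` call sites in tcpdns.c. The enclosing functions start outside the hunks.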
@@ -934,15 +926,7 @@
        REQUIRE(sock->tid == isc_nm_tid());
 
        result = accept_connection(sock, ievent->quota);
-       if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
-               if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
-                   can_log_tcp_quota()) {
-                       isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-                                     ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
-                                     "TCP connection failed: %s",
-                                     isc_result_totext(result));
-               }
-       }
+       isc__nm_accept_connection_log(result, can_log_tcp_quota());
 }
 
 static isc_result_t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/tcpdns.c 
new/bind-9.16.24/lib/isc/netmgr/tcpdns.c
--- old/bind-9.16.23/lib/isc/netmgr/tcpdns.c    2021-11-05 10:03:26.000000000 
+0100
+++ new/bind-9.16.24/lib/isc/netmgr/tcpdns.c    2021-12-07 13:24:49.000000000 
+0100
@@ -600,16 +600,7 @@
 
        result = accept_connection(ssock, quota);
 done:
-       if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
-               if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
-                   can_log_tcpdns_quota())
-               {
-                       isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-                                     ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
-                                     "TCP connection failed: %s",
-                                     isc_result_totext(result));
-               }
-       }
+       isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
 }
 
 void
@@ -905,16 +896,7 @@
        REQUIRE(ievent->sock->tid == isc_nm_tid());
 
        result = accept_connection(ievent->sock, ievent->quota);
-       if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
-               if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
-                   can_log_tcpdns_quota())
-               {
-                       isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-                                     ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
-                                     "TCP connection failed: %s",
-                                     isc_result_totext(result));
-               }
-       }
+       isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
 }
 
 static isc_result_t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/srcid new/bind-9.16.24/srcid
--- old/bind-9.16.23/srcid      2021-11-05 10:07:16.000000000 +0100
+++ new/bind-9.16.24/srcid      2021-12-07 13:27:02.000000000 +0100
@@ -1 +1 @@
-SRCID=fde3b1f
+SRCID=93e3098
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.16.23/version new/bind-9.16.24/version
--- old/bind-9.16.23/version    2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/version    2021-12-07 13:24:49.000000000 +0100
@@ -5,7 +5,7 @@
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=16
-PATCHVER=23
+PATCHVER=24
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=
