Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package bind9

-4 and -5 have the following changes over -3 currently in testing.

- CVE-2018-5743 (Bug#927923)
  The patch for this have been pulled directly from upstream. There is an
  additional patch needed for platforms without atomic support
- Some additions to the AppArmor policy
  The seldomly used case of bind9 directly serving ActiveDirectory zones from
  Samba through a DLZ (Dynamically Loadable Zone) module was quite broken before
  because Samba in Buster changed some important paths and the AppArmor policy
  only really got enforced in Buster. Thanks to Steven Monai for filing bugs
  (928398, 920530) this should be fixed. I consider it low-risk because it only
  adds paths.
- During Buster EDDSA crypto was temporarily disabled because it added a 
dependency
  on OpenSSL 1.1.1, which was at that point preventing testing migration. In
  our eyes it makes no sense to keep it disabled. Ed448 is currently broken
  upstream (https://gitlab.isc.org/isc-projects/bind9/issues/225) so there is an
  additional patch to keep that disabled.

-4 has been in sid for more than a week without reported regressions, -5 only
adds a single line to the AppArmor policy

unblock bind9/1:9.11.5.P4+dfsg-5
diffstat for bind9-9.11.5.P4+dfsg bind9-9.11.5.P4+dfsg

 changelog                                                               |   20 
 extras/apparmor.d/usr.sbin.named                                        |    2 
 libisc1100.symbols                                                      |    2 
 patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch |  912 
++++++++++
 patches/0013-Replace-atomic-operations-in-bin-named-client.c-with.patch |  128 
+
 patches/0014-Disable-broken-Ed448-support.patch                         |  508 
+++++
 patches/series                                                          |    3 
 rules                                                                   |    2 
 8 files changed, 1575 insertions(+), 2 deletions(-)

diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog 
bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog       2019-04-22 22:31:06.000000000 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/changelog       2019-05-03 19:44:57.000000000 
+0200
@@ -1,3 +1,23 @@
+bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
+
+  * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
+    Thanks to Steven Monai (Closes: 928398)
+
+ -- Bernhard Schmidt <be...@debian.org>  Fri, 03 May 2019 19:44:57 +0200
+
+bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
+
+  [ Bernhard Schmidt ]
+  * AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
+
+  [ Ondřej Surý ]
+  * [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
+    (Closes: #927932)
+  * Update symbols file for new symbol in libisc
+  * Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)
+
+ -- Ondřej Surý <ond...@debian.org>  Fri, 26 Apr 2019 08:33:13 +0000
+
 bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium
 
   * More fixes to the AppArmor policy for Samba AD DLZ
diff -Nru bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named 
bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named
--- bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named        
2019-04-22 22:31:06.000000000 +0200
+++ bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named        
2019-05-03 19:44:57.000000000 +0200
@@ -81,11 +81,13 @@
   /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
   /var/lib/samba/bind-dns/dns.keytab rk,
   /var/lib/samba/bind-dns/named.conf r,
+  /var/lib/samba/bind-dns/dns/** rwk,
   /var/lib/samba/private/dns.keytab rk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /etc/samba/smb.conf r,
   /dev/urandom rwmk,
+  owner /var/tmp/krb5_* rwk,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.named>
diff -Nru bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols 
bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols
--- bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols      2019-04-22 
22:31:06.000000000 +0200
+++ bind9-9.11.5.P4+dfsg/debian/libisc1100.symbols      2019-05-03 
19:44:57.000000000 +0200
@@ -580,6 +580,7 @@
  isc_quota_attach@Base 1:9.11.3+dfsg
  isc_quota_destroy@Base 1:9.11.3+dfsg
  isc_quota_detach@Base 1:9.11.3+dfsg
+ isc_quota_force@Base 1:9.11.5.P4+dfsg
  isc_quota_init@Base 1:9.11.3+dfsg
  isc_quota_max@Base 1:9.11.3+dfsg
  isc_quota_release@Base 1:9.11.3+dfsg
@@ -1482,6 +1483,7 @@
  isc_quota_attach@Base 1:9.11.3+dfsg
  isc_quota_destroy@Base 1:9.11.3+dfsg
  isc_quota_detach@Base 1:9.11.3+dfsg
+ isc_quota_force@Base 1:9.11.5.P4+dfsg
  isc_quota_init@Base 1:9.11.3+dfsg
  isc_quota_max@Base 1:9.11.3+dfsg
  isc_quota_release@Base 1:9.11.3+dfsg
diff -Nru 
bind9-9.11.5.P4+dfsg/debian/patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
 
bind9-9.11.5.P4+dfsg/debian/patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
--- 
bind9-9.11.5.P4+dfsg/debian/patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
bind9-9.11.5.P4+dfsg/debian/patches/0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
 2019-05-03 19:44:57.000000000 +0200
@@ -0,0 +1,912 @@
+From: =?utf-8?q?Witold_Kr=C4=99cicki?= <w...@isc.org>
+Date: Thu, 3 Jan 2019 14:17:43 +0100
+Subject: [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
+
+---
+ bin/named/client.c                     | 427 ++++++++++++++++++++++++++-------
+ bin/named/include/named/client.h       |  23 +-
+ bin/named/include/named/interfacemgr.h |  13 +-
+ bin/named/interfacemgr.c               |   9 +-
+ doc/arm/Bv9ARM-book.xml                |   3 +-
+ lib/isc/include/isc/quota.h            |   7 +
+ lib/isc/quota.c                        |  33 ++-
+ lib/isc/win32/libisc.def.in            |   1 +
+ 8 files changed, 396 insertions(+), 120 deletions(-)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 4d26eff..020603d 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -246,10 +246,11 @@ static void ns_client_dumpmessage(ns_client_t *client, 
const char *reason);
+ static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
+                              dns_dispatch_t *disp, bool tcp);
+ static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
+-                             isc_socket_t *sock);
++                             isc_socket_t *sock, ns_client_t *oldclient);
+ static inline bool
+-allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
+-      uint8_t ecs_addrlen, uint8_t *ecs_scope, dns_acl_t *acl);
++allowed(isc_netaddr_t *addr, dns_name_t *signer,
++      isc_netaddr_t *ecs_addr, uint8_t ecs_addrlen,
++      uint8_t *ecs_scope, dns_acl_t *acl);
+ static void compute_cookie(ns_client_t *client, uint32_t when,
+                          uint32_t nonce, const unsigned char *secret,
+                          isc_buffer_t *buf);
+@@ -298,6 +299,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int 
seconds) {
+       }
+ }
+ 
++/*%
++ * Allocate a reference-counted object that will maintain a single pointer to
++ * the (also reference-counted) TCP client quota, shared between all the
++ * clients processing queries on a single TCP connection, so that all
++ * clients sharing the one socket will together consume only one slot in
++ * the 'tcp-clients' quota.
++ */
++static isc_result_t
++tcpconn_init(ns_client_t *client, bool force) {
++      isc_result_t result;
++      isc_quota_t *quota = NULL;
++      ns_tcpconn_t *tconn = NULL;
++
++      REQUIRE(client->tcpconn == NULL);
++
++      /*
++       * Try to attach to the quota first, so we won't pointlessly
++       * allocate memory for a tcpconn object if we can't get one.
++       */
++      if (force) {
++              result = isc_quota_force(&ns_g_server->tcpquota, &quota);
++      } else {
++              result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
++      }
++      if (result != ISC_R_SUCCESS) {
++              return (result);
++      }
++
++      /*
++       * A global memory context is used for the allocation as different
++       * client structures may have different memory contexts assigned and a
++       * reference counter allocated here might need to be freed by a
++       * different client.  The performance impact caused by memory context
++       * contention here is expected to be negligible, given that this code
++       * is only executed for TCP connections.
++       */
++      tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
++
++      isc_refcount_init(&tconn->refs, 1);
++      tconn->tcpquota = quota;
++      quota = NULL;
++      tconn->pipelined = false;
++
++      client->tcpconn = tconn;
++
++      return (ISC_R_SUCCESS);
++}
++
++/*%
++ * Increase the count of client structures sharing the TCP connection
++ * that 'source' is associated with; add a pointer to the same tcpconn
++ * to 'target', thus associating it with the same TCP connection.
++ */
++static void
++tcpconn_attach(ns_client_t *source, ns_client_t *target) {
++      int refs;
++
++      REQUIRE(source->tcpconn != NULL);
++      REQUIRE(target->tcpconn == NULL);
++      REQUIRE(source->tcpconn->pipelined);
++
++      isc_refcount_increment(&source->tcpconn->refs, &refs);
++      INSIST(refs > 1);
++      target->tcpconn = source->tcpconn;
++}
++
++/*%
++ * Decrease the count of client structures sharing the TCP connection that
++ * 'client' is associated with.  If this is the last client using this TCP
++ * connection, we detach from the TCP quota and free the tcpconn
++ * object. Either way, client->tcpconn is set to NULL.
++ */
++static void
++tcpconn_detach(ns_client_t *client) {
++      ns_tcpconn_t *tconn = NULL;
++      int refs;
++
++      REQUIRE(client->tcpconn != NULL);
++
++      tconn = client->tcpconn;
++      client->tcpconn = NULL;
++
++      isc_refcount_decrement(&tconn->refs, &refs);
++      if (refs == 0) {
++              isc_quota_detach(&tconn->tcpquota);
++              isc_mem_free(ns_g_mctx, tconn);
++      }
++}
++
++/*%
++ * Mark a client as active and increment the interface's 'ntcpactive'
++ * counter, as a signal that there is at least one client servicing
++ * TCP queries for the interface. If we reach the TCP client quota at
++ * some point, this will be used to determine whether a quota overrun
++ * should be permitted.
++ *
++ * Marking the client active with the 'tcpactive' flag ensures proper
++ * accounting, by preventing us from incrementing or decrementing
++ * 'ntcpactive' more than once per client.
++ */
++static void
++mark_tcp_active(ns_client_t *client, bool active) {
++      if (active && !client->tcpactive) {
++              isc_atomic_xadd(&client->interface->ntcpactive, 1);
++              client->tcpactive = active;
++      } else if (!active && client->tcpactive) {
++              uint32_t old =
++                      isc_atomic_xadd(&client->interface->ntcpactive, -1);
++              INSIST(old > 0);
++              client->tcpactive = active;
++      }
++}
++
+ /*%
+  * Check for a deactivation or shutdown request and take appropriate
+  * action.  Returns true if either is in progress; in this case
+@@ -387,7 +501,8 @@ exit_check(ns_client_t *client) {
+               INSIST(client->recursionquota == NULL);
+ 
+               if (NS_CLIENTSTATE_READING == client->newstate) {
+-                      if (!client->pipelined) {
++                      INSIST(client->tcpconn != NULL);
++                      if (!client->tcpconn->pipelined) {
+                               client_read(client);
+                               client->newstate = NS_CLIENTSTATE_MAX;
+                               return (true); /* We're done. */
+@@ -405,10 +520,13 @@ exit_check(ns_client_t *client) {
+                */
+               INSIST(client->recursionquota == NULL);
+               INSIST(client->newstate <= NS_CLIENTSTATE_READY);
+-              if (client->nreads > 0)
++
++              if (client->nreads > 0) {
+                       dns_tcpmsg_cancelread(&client->tcpmsg);
+-              if (client->nreads != 0) {
+-                      /* Still waiting for read cancel completion. */
++              }
++
++              /* Still waiting for read cancel completion. */
++              if (client->nreads > 0) {
+                       return (true);
+               }
+ 
+@@ -416,14 +534,49 @@ exit_check(ns_client_t *client) {
+                       dns_tcpmsg_invalidate(&client->tcpmsg);
+                       client->tcpmsg_valid = false;
+               }
++
++              /*
++               * Soon the client will be ready to accept a new TCP
++               * connection or UDP request, but we may have enough
++               * clients doing that already.  Check whether this client
++               * needs to remain active and allow it go inactive if
++               * not.
++               *
++               * UDP clients always go inactive at this point, but a TCP
++               * client may need to stay active and return to READY
++               * state if no other clients are available to listen
++               * for TCP requests on this interface.
++               *
++               * Regardless, if we're going to FREED state, that means
++               * the system is shutting down and we don't need to
++               * retain clients.
++               */
++              if (client->mortal && TCP_CLIENT(client) &&
++                  client->newstate != NS_CLIENTSTATE_FREED &&
++                  !ns_g_clienttest &&
++                  isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++              {
++                      /* Nobody else is accepting */
++                      client->mortal = false;
++                      client->newstate = NS_CLIENTSTATE_READY;
++              }
++
++              /*
++               * Detach from TCP connection and TCP client quota,
++               * if appropriate. If this is the last reference to
++               * the TCP connection in our pipeline group, the
++               * TCP quota slot will be released.
++               */
++              if (client->tcpconn) {
++                      tcpconn_detach(client);
++              }
++
+               if (client->tcpsocket != NULL) {
+                       CTRACE("closetcp");
+                       isc_socket_detach(&client->tcpsocket);
++                      mark_tcp_active(client, false);
+               }
+ 
+-              if (client->tcpquota != NULL)
+-                      isc_quota_detach(&client->tcpquota);
+-
+               if (client->timerset) {
+                       (void)isc_timer_reset(client->timer,
+                                             isc_timertype_inactive,
+@@ -431,45 +584,26 @@ exit_check(ns_client_t *client) {
+                       client->timerset = false;
+               }
+ 
+-              client->pipelined = false;
+-
+               client->peeraddr_valid = false;
+ 
+               client->state = NS_CLIENTSTATE_READY;
+-              INSIST(client->recursionquota == NULL);
+-
+-              /*
+-               * Now the client is ready to accept a new TCP connection
+-               * or UDP request, but we may have enough clients doing
+-               * that already.  Check whether this client needs to remain
+-               * active and force it to go inactive if not.
+-               *
+-               * UDP clients go inactive at this point, but TCP clients
+-               * may remain active if we have fewer active TCP client
+-               * objects than desired due to an earlier quota exhaustion.
+-               */
+-              if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
+-                      LOCK(&client->interface->lock);
+-                      if (client->interface->ntcpcurrent <
+-                                  client->interface->ntcptarget)
+-                              client->mortal = false;
+-                      UNLOCK(&client->interface->lock);
+-              }
+ 
+               /*
+                * We don't need the client; send it to the inactive
+                * queue for recycling.
+                */
+               if (client->mortal) {
+-                      if (client->newstate > NS_CLIENTSTATE_INACTIVE)
++                      if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
+                               client->newstate = NS_CLIENTSTATE_INACTIVE;
++                      }
+               }
+ 
+               if (NS_CLIENTSTATE_READY == client->newstate) {
+                       if (TCP_CLIENT(client)) {
+                               client_accept(client);
+-                      } else
++                      } else {
+                               client_udprecv(client);
++                      }
+                       client->newstate = NS_CLIENTSTATE_MAX;
+                       return (true);
+               }
+@@ -481,41 +615,50 @@ exit_check(ns_client_t *client) {
+               /*
+                * We are trying to enter the inactive state.
+                */
+-              if (client->naccepts > 0)
++              if (client->naccepts > 0) {
+                       isc_socket_cancel(client->tcplistener, client->task,
+                                         ISC_SOCKCANCEL_ACCEPT);
++              }
+ 
+               /* Still waiting for accept cancel completion. */
+-              if (! (client->naccepts == 0))
++              if (client->naccepts > 0) {
+                       return (true);
++              }
+ 
+               /* Accept cancel is complete. */
+-              if (client->nrecvs > 0)
++              if (client->nrecvs > 0) {
+                       isc_socket_cancel(client->udpsocket, client->task,
+                                         ISC_SOCKCANCEL_RECV);
++              }
+ 
+               /* Still waiting for recv cancel completion. */
+-              if (! (client->nrecvs == 0))
++              if (client->nrecvs > 0) {
+                       return (true);
++              }
+ 
+               /* Still waiting for control event to be delivered */
+-              if (client->nctls > 0)
++              if (client->nctls > 0) {
+                       return (true);
+-
+-              /* Deactivate the client. */
+-              if (client->interface)
+-                      ns_interface_detach(&client->interface);
++              }
+ 
+               INSIST(client->naccepts == 0);
+               INSIST(client->recursionquota == NULL);
+-              if (client->tcplistener != NULL)
++              if (client->tcplistener != NULL) {
+                       isc_socket_detach(&client->tcplistener);
+-
+-              if (client->udpsocket != NULL)
++                      mark_tcp_active(client, false);
++              }
++              if (client->udpsocket != NULL) {
+                       isc_socket_detach(&client->udpsocket);
++              }
++
++              /* Deactivate the client. */
++              if (client->interface != NULL) {
++                      ns_interface_detach(&client->interface);
++              }
+ 
+-              if (client->dispatch != NULL)
++              if (client->dispatch != NULL) {
+                       dns_dispatch_detach(&client->dispatch);
++              }
+ 
+               client->attributes = 0;
+               client->mortal = false;
+@@ -540,10 +683,13 @@ exit_check(ns_client_t *client) {
+                       client->newstate = NS_CLIENTSTATE_MAX;
+                       if (!ns_g_clienttest && manager != NULL &&
+                           !manager->exiting)
++                      {
+                               ISC_QUEUE_PUSH(manager->inactive, client,
+                                              ilink);
+-                      if (client->needshutdown)
++                      }
++                      if (client->needshutdown) {
+                               isc_task_shutdown(client->task);
++                      }
+                       return (true);
+               }
+       }
+@@ -653,7 +799,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
+               return;
+ 
+       if (TCP_CLIENT(client)) {
+-              if (client->pipelined) {
++              if (client->tcpconn != NULL) {
+                       client_read(client);
+               } else {
+                       client_accept(client);
+@@ -663,7 +809,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
+       }
+ }
+ 
+-
+ /*%
+  * The client's task has received a shutdown event.
+  */
+@@ -2304,6 +2449,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
+               client->nrecvs--;
+       } else {
+               INSIST(TCP_CLIENT(client));
++              INSIST(client->tcpconn != NULL);
+               REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
+               REQUIRE(event->ev_sender == &client->tcpmsg);
+               buffer = &client->tcpmsg.buffer;
+@@ -2487,18 +2633,27 @@ client_request(isc_task_t *task, isc_event_t *event) {
+       /*
+        * Pipeline TCP query processing.
+        */
+-      if (client->message->opcode != dns_opcode_query)
+-              client->pipelined = false;
+-      if (TCP_CLIENT(client) && client->pipelined) {
+-              result = isc_quota_reserve(&ns_g_server->tcpquota);
+-              if (result == ISC_R_SUCCESS)
+-                      result = ns_client_replace(client);
++      if (TCP_CLIENT(client) &&
++          client->message->opcode != dns_opcode_query)
++      {
++              client->tcpconn->pipelined = false;
++      }
++      if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
++              /*
++               * We're pipelining. Replace the client; the
++               * replacement can read the TCP socket looking
++               * for new messages and this one can process the
++               * current message asynchronously.
++               *
++               * There will now be at least three clients using this
++               * TCP socket - one accepting new connections,
++               * one reading an existing connection to get new
++               * messages, and one answering the message already
++               * received.
++               */
++              result = ns_client_replace(client);
+               if (result != ISC_R_SUCCESS) {
+-                      ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+-                                    NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+-                                    "no more TCP clients(read): %s",
+-                                    isc_result_totext(result));
+-                      client->pipelined = false;
++                      client->tcpconn->pipelined = false;
+               }
+       }
+ 
+@@ -3054,8 +3209,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t 
**clientp) {
+       client->signer = NULL;
+       dns_name_init(&client->signername, NULL);
+       client->mortal = false;
+-      client->pipelined = false;
+-      client->tcpquota = NULL;
++      client->tcpconn = NULL;
+       client->recursionquota = NULL;
+       client->interface = NULL;
+       client->peeraddr_valid = false;
+@@ -3065,6 +3219,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t 
**clientp) {
+       client->filter_aaaa = dns_aaaa_ok;
+ #endif
+       client->needshutdown = ns_g_clienttest;
++      client->tcpactive = false;
+ 
+       ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
+                      NS_EVENT_CLIENTCONTROL, client_start, client, client,
+@@ -3159,9 +3314,10 @@ client_read(ns_client_t *client) {
+ 
+ static void
+ client_newconn(isc_task_t *task, isc_event_t *event) {
++      isc_result_t result;
+       ns_client_t *client = event->ev_arg;
+       isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+-      isc_result_t result;
++      uint32_t old;
+ 
+       REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+       REQUIRE(NS_CLIENT_VALID(client));
+@@ -3171,13 +3327,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+ 
+       INSIST(client->state == NS_CLIENTSTATE_READY);
+ 
++      /*
++       * The accept() was successful and we're now establishing a new
++       * connection. We need to make note of it in the client and
++       * interface objects so client objects can do the right thing
++       * when going inactive in exit_check() (see comments in
++       * client_accept() for details).
++       */
+       INSIST(client->naccepts == 1);
+       client->naccepts--;
+ 
+-      LOCK(&client->interface->lock);
+-      INSIST(client->interface->ntcpcurrent > 0);
+-      client->interface->ntcpcurrent--;
+-      UNLOCK(&client->interface->lock);
++      old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
++      INSIST(old > 0);
+ 
+       /*
+        * We must take ownership of the new socket before the exit
+@@ -3210,6 +3371,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+                             NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+                             "accept failed: %s",
+                             isc_result_totext(nevent->result));
++              tcpconn_detach(client);
+       }
+ 
+       if (exit_check(client))
+@@ -3247,20 +3409,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+                * telnetting to port 53 (once per CPU) will
+                * deny service to legitimate TCP clients.
+                */
+-              client->pipelined = false;
+-              result = isc_quota_attach(&ns_g_server->tcpquota,
+-                                        &client->tcpquota);
+-              if (result == ISC_R_SUCCESS)
+-                      result = ns_client_replace(client);
+-              if (result != ISC_R_SUCCESS) {
+-                      ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+-                                    NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+-                                    "no more TCP clients(accept): %s",
+-                                    isc_result_totext(result));
+-              } else if (ns_g_server->keepresporder == NULL ||
+-                         !allowed(&netaddr, NULL, NULL, 0, NULL,
+-                                  ns_g_server->keepresporder)) {
+-                      client->pipelined = true;
++              result = ns_client_replace(client);
++              if (result == ISC_R_SUCCESS &&
++                  (ns_g_server->keepresporder == NULL ||
++                   !allowed(&netaddr, NULL, NULL, 0, NULL,
++                            ns_g_server->keepresporder)))
++              {
++                      client->tcpconn->pipelined = true;
+               }
+ 
+               client_read(client);
+@@ -3276,12 +3431,66 @@ client_accept(ns_client_t *client) {
+ 
+       CTRACE("accept");
+ 
++      /*
++       * Set up a new TCP connection. This means try to attach to the
++       * TCP client quota (tcp-clients), but fail if we're over quota.
++       */
++      result = tcpconn_init(client, false);
++      if (result != ISC_R_SUCCESS) {
++              bool exit;
++
++              ns_client_log(client, NS_LOGCATEGORY_CLIENT,
++                            NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
++                            "TCP client quota reached: %s",
++                            isc_result_totext(result));
++
++              /*
++               * We have exceeded the system-wide TCP client quota.  But,
++               * we can't just block this accept in all cases, because if
++               * we did, a heavy TCP load on other interfaces might cause
++               * this interface to be starved, with no clients able to
++               * accept new connections.
++               *
++               * So, we check here to see if any other clients are
++               * already servicing TCP queries on this interface (whether
++               * accepting, reading, or processing). If we find that at
++               * least one client other than this one is active, then
++               * it's okay *not* to call accept - we can let this
++               * client go inactive and another will take over when it's
++               * done.
++               *
++               * If there aren't enough active clients on the interface,
++               * then we can be a little bit flexible about the quota.
++               * We'll allow *one* extra client through to ensure we're
++               * listening on every interface; we do this by setting the
++               * 'force' option to tcpconn_init().
++               *
++               * (Note: In practice this means that the real TCP client
++               * quota is tcp-clients plus the number of listening
++               * interfaces plus 1.)
++               */
++              exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
++                      (client->tcpactive ? 1 : 0));
++              if (exit) {
++                      client->newstate = NS_CLIENTSTATE_INACTIVE;
++                      (void)exit_check(client);
++                      return;
++              }
++
++              result = tcpconn_init(client, true);
++              RUNTIME_CHECK(result == ISC_R_SUCCESS);
++      }
++
++      /*
++       * If this client was set up using get_client() or get_worker(),
++       * then TCP is already marked active. However, if it was restarted
++       * from exit_check(), it might not be, so we take care of it now.
++       */
++      mark_tcp_active(client, true);
++
+       result = isc_socket_accept(client->tcplistener, client->task,
+                                  client_newconn, client);
+       if (result != ISC_R_SUCCESS) {
+-              UNEXPECTED_ERROR(__FILE__, __LINE__,
+-                               "isc_socket_accept() failed: %s",
+-                               isc_result_totext(result));
+               /*
+                * XXXRTH  What should we do?  We're trying to accept but
+                *         it didn't work.  If we just give up, then TCP
+@@ -3289,13 +3498,37 @@ client_accept(ns_client_t *client) {
+                *
+                *         For now, we just go idle.
+                */
++              UNEXPECTED_ERROR(__FILE__, __LINE__,
++                               "isc_socket_accept() failed: %s",
++                               isc_result_totext(result));
++
++              tcpconn_detach(client);
++              mark_tcp_active(client, false);
+               return;
+       }
++
++      /*
++       * The client's 'naccepts' counter indicates that this client has
++       * called accept() and is waiting for a new connection. It should
++       * never exceed 1.
++       */
+       INSIST(client->naccepts == 0);
+       client->naccepts++;
+-      LOCK(&client->interface->lock);
+-      client->interface->ntcpcurrent++;
+-      UNLOCK(&client->interface->lock);
++
++      /*
++       * The interface's 'ntcpaccepting' counter is incremented when
++       * any client calls accept(), and decremented in client_newconn()
++       * once the connection is established.
++       *
++       * When the client object is shutting down after handling a TCP
++       * request (see exit_check()), if this value is at least one, that
++       * means another client has called accept() and is waiting to
++       * establish the next connection. That means the client may be
++       * be free to become inactive; otherwise it may need to start
++       * listening for connections itself to prevent the interface
++       * going dead.
++       */
++      isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ }
+ 
+ static void
+@@ -3366,15 +3599,17 @@ ns_client_replace(ns_client_t *client) {
+       REQUIRE(client->manager != NULL);
+ 
+       tcp = TCP_CLIENT(client);
+-      if (tcp && client->pipelined) {
++      if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
+               result = get_worker(client->manager, client->interface,
+-                                  client->tcpsocket);
++                                  client->tcpsocket, client);
+       } else {
+               result = get_client(client->manager, client->interface,
+                                   client->dispatch, tcp);
++
+       }
+-      if (result != ISC_R_SUCCESS)
++      if (result != ISC_R_SUCCESS) {
+               return (result);
++      }
+ 
+       /*
+        * The responsibility for listening for new requests is hereby
+@@ -3560,9 +3795,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
+       client->dscp = ifp->dscp;
+ 
+       if (tcp) {
++              mark_tcp_active(client, true);
++
+               client->attributes |= NS_CLIENTATTR_TCP;
+               isc_socket_attach(ifp->tcpsocket,
+                                 &client->tcplistener);
++
+       } else {
+               isc_socket_t *sock;
+ 
+@@ -3580,7 +3818,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
+ }
+ 
+ static isc_result_t
+-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
++get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
++         ns_client_t *oldclient)
+ {
+       isc_result_t result = ISC_R_SUCCESS;
+       isc_event_t *ev;
+@@ -3588,6 +3827,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, 
isc_socket_t *sock)
+       MTRACE("get worker");
+ 
+       REQUIRE(manager != NULL);
++      REQUIRE(oldclient != NULL);
+ 
+       if (manager->exiting)
+               return (ISC_R_SHUTTINGDOWN);
+@@ -3620,14 +3860,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t 
*ifp, isc_socket_t *sock)
+       ns_interface_attach(ifp, &client->interface);
+       client->newstate = client->state = NS_CLIENTSTATE_WORKING;
+       INSIST(client->recursionquota == NULL);
+-      client->tcpquota = &ns_g_server->tcpquota;
+ 
+       client->dscp = ifp->dscp;
+ 
+       client->attributes |= NS_CLIENTATTR_TCP;
+-      client->pipelined = true;
+       client->mortal = true;
+ 
++      tcpconn_attach(oldclient, client);
++      mark_tcp_active(client, true);
++
+       isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
+       isc_socket_attach(sock, &client->tcpsocket);
+       isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
+diff --git a/bin/named/include/named/client.h 
b/bin/named/include/named/client.h
+index b23a7b1..969ee4c 100644
+--- a/bin/named/include/named/client.h
++++ b/bin/named/include/named/client.h
+@@ -9,8 +9,6 @@
+  * information regarding copyright ownership.
+  */
+ 
+-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
+-
+ #ifndef NAMED_CLIENT_H
+ #define NAMED_CLIENT_H 1
+ 
+@@ -80,6 +78,13 @@
+  *** Types
+  ***/
+ 
++/*% reference-counted TCP connection object */
++typedef struct ns_tcpconn {
++      isc_refcount_t          refs;
++      isc_quota_t             *tcpquota;
++      bool                    pipelined;
++} ns_tcpconn_t;
++
+ /*% nameserver client structure */
+ struct ns_client {
+       unsigned int            magic;
+@@ -94,7 +99,8 @@ struct ns_client {
+       int                     nupdates;
+       int                     nctls;
+       int                     references;
+-      bool            needshutdown;   /*
++      bool                    tcpactive;
++      bool                    needshutdown;   /*
+                                                * Used by clienttest to get
+                                                * the client to go from
+                                                * inactive to free state
+@@ -130,10 +136,9 @@ struct ns_client {
+       isc_stdtime_t           now;
+       isc_time_t              tnow;
+       dns_name_t              signername;   /*%< [T]SIG key name */
+-      dns_name_t *            signer;       /*%< NULL if not valid sig */
+-      bool            mortal;       /*%< Die after handling request */
+-      bool            pipelined;   /*%< TCP queries not in sequence */
+-      isc_quota_t             *tcpquota;
++      dns_name_t              *signer;      /*%< NULL if not valid sig */
++      bool                    mortal;       /*%< Die after handling request */
++      ns_tcpconn_t            *tcpconn;
+       isc_quota_t             *recursionquota;
+       ns_interface_t          *interface;
+ 
+@@ -143,8 +148,8 @@ struct ns_client {
+       isc_sockaddr_t          destsockaddr;
+ 
+       isc_netaddr_t           ecs_addr;       /*%< EDNS client subnet */
+-      uint8_t         ecs_addrlen;
+-      uint8_t         ecs_scope;
++      uint8_t                 ecs_addrlen;
++      uint8_t                 ecs_scope;
+ 
+       struct in6_pktinfo      pktinfo;
+       isc_dscp_t              dscp;
+diff --git a/bin/named/include/named/interfacemgr.h 
b/bin/named/include/named/interfacemgr.h
+index 7d1883e..3535ef2 100644
+--- a/bin/named/include/named/interfacemgr.h
++++ b/bin/named/include/named/interfacemgr.h
+@@ -9,8 +9,6 @@
+  * information regarding copyright ownership.
+  */
+ 
+-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
+-
+ #ifndef NAMED_INTERFACEMGR_H
+ #define NAMED_INTERFACEMGR_H 1
+ 
+@@ -77,9 +75,14 @@ struct ns_interface {
+                                               /*%< UDP dispatchers. */
+       isc_socket_t *          tcpsocket;      /*%< TCP socket. */
+       isc_dscp_t              dscp;           /*%< "listen-on" DSCP value */
+-      int                     ntcptarget;     /*%< Desired number of 
concurrent
+-                                                   TCP accepts */
+-      int                     ntcpcurrent;    /*%< Current ditto, locked */
++      int32_t                 ntcpaccepting;  /*%< Number of clients
++                                                   ready to accept new
++                                                   TCP connections on this
++                                                   interface */
++      int32_t                 ntcpactive;     /*%< Number of clients
++                                                   servicing TCP queries
++                                                   (whether accepting or
++                                                   connected) */
+       int                     nudpdispatch;   /*%< Number of UDP dispatches */
+       ns_clientmgr_t *        clientmgr;      /*%< Client manager. */
+       ISC_LINK(ns_interface_t) link;
+diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
+index 419927b..d9f6df5 100644
+--- a/bin/named/interfacemgr.c
++++ b/bin/named/interfacemgr.c
+@@ -386,8 +386,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t 
*addr,
+        * connections will be handled in parallel even though there is
+        * only one client initially.
+        */
+-      ifp->ntcptarget = 1;
+-      ifp->ntcpcurrent = 0;
++      ifp->ntcpaccepting = 0;
++      ifp->ntcpactive = 0;
++
+       ifp->nudpdispatch = 0;
+ 
+       ifp->dscp = -1;
+@@ -522,9 +523,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
+        */
+       (void)isc_socket_filter(ifp->tcpsocket, "dataready");
+ 
+-      result = ns_clientmgr_createclients(ifp->clientmgr,
+-                                          ifp->ntcptarget, ifp,
+-                                          true);
++      result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, true);
+       if (result != ISC_R_SUCCESS) {
+               UNEXPECTED_ERROR(__FILE__, __LINE__,
+                                "TCP ns_clientmgr_createclients(): %s",
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 719b074..4b36bd0 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -8487,7 +8487,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+               <para>
+                 The number of file descriptors reserved for TCP, stdio,
+                 etc.  This needs to be big enough to cover the number of
+-                interfaces <command>named</command> listens on, 
<command>tcp-clients</command> as well as
++                interfaces <command>named</command> listens on plus
++                <command>tcp-clients</command>, as well as
+                 to provide room for outgoing TCP queries and incoming zone
+                 transfers.  The default is <literal>512</literal>.
+                 The minimum value is <literal>128</literal> and the
+diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
+index b9bf598..36c5830 100644
+--- a/lib/isc/include/isc/quota.h
++++ b/lib/isc/include/isc/quota.h
+@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
+  * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
+  */
+ 
++isc_result_t
++isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
++/*%<
++ * Like isc_quota_attach, but will attach '*p' to the quota
++ * even if the hard quota has been exceeded.
++ */
++
+ void
+ isc_quota_detach(isc_quota_t **p);
+ /*%<
+diff --git a/lib/isc/quota.c b/lib/isc/quota.c
+index 3ddff0d..556a61f 100644
+--- a/lib/isc/quota.c
++++ b/lib/isc/quota.c
+@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
+       UNLOCK(&quota->lock);
+ }
+ 
+-isc_result_t
+-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
+-{
++static isc_result_t
++doattach(isc_quota_t *quota, isc_quota_t **p, bool force) {
+       isc_result_t result;
+-      INSIST(p != NULL && *p == NULL);
++      REQUIRE(p != NULL && *p == NULL);
++
+       result = isc_quota_reserve(quota);
+-      if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
++      if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
++              *p = quota;
++      } else if (result == ISC_R_QUOTA && force) {
++              /* attach anyway */
++              LOCK(&quota->lock);
++              quota->used++;
++              UNLOCK(&quota->lock);
++
+               *p = quota;
++              result = ISC_R_SUCCESS;
++      }
++
+       return (result);
+ }
+ 
++isc_result_t
++isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
++      return (doattach(quota, p, false));
++}
++
++isc_result_t
++isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
++      return (doattach(quota, p, true));
++}
++
+ void
+-isc_quota_detach(isc_quota_t **p)
+-{
++isc_quota_detach(isc_quota_t **p) {
+       INSIST(p != NULL && *p != NULL);
+       isc_quota_release(*p);
+       *p = NULL;
+diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
+index a82face..7b9f23d 100644
+--- a/lib/isc/win32/libisc.def.in
++++ b/lib/isc/win32/libisc.def.in
+@@ -519,6 +519,7 @@ isc_portset_removerange
+ isc_quota_attach
+ isc_quota_destroy
+ isc_quota_detach
++isc_quota_force
+ isc_quota_init
+ isc_quota_max
+ isc_quota_release
diff -Nru 
bind9-9.11.5.P4+dfsg/debian/patches/0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
 
bind9-9.11.5.P4+dfsg/debian/patches/0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
--- 
bind9-9.11.5.P4+dfsg/debian/patches/0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
bind9-9.11.5.P4+dfsg/debian/patches/0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
 2019-05-03 19:44:57.000000000 +0200
@@ -0,0 +1,128 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ond...@sury.org>
+Date: Wed, 17 Apr 2019 15:22:27 +0200
+Subject: Replace atomic operations in bin/named/client.c with isc_refcount
+ reference counting
+
+---
+ bin/named/client.c                     | 18 +++++++-----------
+ bin/named/include/named/interfacemgr.h |  5 +++--
+ bin/named/interfacemgr.c               |  7 +++++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 020603d..8155c6b 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
+ static void
+ mark_tcp_active(ns_client_t *client, bool active) {
+       if (active && !client->tcpactive) {
+-              isc_atomic_xadd(&client->interface->ntcpactive, 1);
++              isc_refcount_increment0(&client->interface->ntcpactive, NULL);
+               client->tcpactive = active;
+       } else if (!active && client->tcpactive) {
+-              uint32_t old =
+-                      isc_atomic_xadd(&client->interface->ntcpactive, -1);
+-              INSIST(old > 0);
++              isc_refcount_decrement(&client->interface->ntcpactive, NULL);
+               client->tcpactive = active;
+       }
+ }
+@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
+               if (client->mortal && TCP_CLIENT(client) &&
+                   client->newstate != NS_CLIENTSTATE_FREED &&
+                   !ns_g_clienttest &&
+-                  isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
++                  isc_refcount_current(&client->interface->ntcpaccepting) == 
0)
+               {
+                       /* Nobody else is accepting */
+                       client->mortal = false;
+@@ -3317,7 +3315,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+       isc_result_t result;
+       ns_client_t *client = event->ev_arg;
+       isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+-      uint32_t old;
+ 
+       REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+       REQUIRE(NS_CLIENT_VALID(client));
+@@ -3337,8 +3334,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
+       INSIST(client->naccepts == 1);
+       client->naccepts--;
+ 
+-      old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+-      INSIST(old > 0);
++      isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
+ 
+       /*
+        * We must take ownership of the new socket before the exit
+@@ -3469,8 +3465,8 @@ client_accept(ns_client_t *client) {
+                * quota is tcp-clients plus the number of listening
+                * interfaces plus 1.)
+                */
+-              exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+-                      (client->tcpactive ? 1 : 0));
++              exit = (isc_refcount_current(&client->interface->ntcpactive) >
++                      (client->tcpactive ? 1U : 0U));
+               if (exit) {
+                       client->newstate = NS_CLIENTSTATE_INACTIVE;
+                       (void)exit_check(client);
+@@ -3528,7 +3524,7 @@ client_accept(ns_client_t *client) {
+        * listening for connections itself to prevent the interface
+        * going dead.
+        */
+-      isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
++      isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
+ }
+ 
+ static void
+diff --git a/bin/named/include/named/interfacemgr.h 
b/bin/named/include/named/interfacemgr.h
+index 3535ef2..6e10f21 100644
+--- a/bin/named/include/named/interfacemgr.h
++++ b/bin/named/include/named/interfacemgr.h
+@@ -45,6 +45,7 @@
+ #include <isc/magic.h>
+ #include <isc/mem.h>
+ #include <isc/socket.h>
++#include <isc/refcount.h>
+ 
+ #include <dns/result.h>
+ 
+@@ -75,11 +76,11 @@ struct ns_interface {
+                                               /*%< UDP dispatchers. */
+       isc_socket_t *          tcpsocket;      /*%< TCP socket. */
+       isc_dscp_t              dscp;           /*%< "listen-on" DSCP value */
+-      int32_t                 ntcpaccepting;  /*%< Number of clients
++      isc_refcount_t          ntcpaccepting;  /*%< Number of clients
+                                                    ready to accept new
+                                                    TCP connections on this
+                                                    interface */
+-      int32_t                 ntcpactive;     /*%< Number of clients
++      isc_refcount_t          ntcpactive;     /*%< Number of clients
+                                                    servicing TCP queries
+                                                    (whether accepting or
+                                                    connected) */
+diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
+index d9f6df5..135533b 100644
+--- a/bin/named/interfacemgr.c
++++ b/bin/named/interfacemgr.c
+@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t 
*addr,
+        * connections will be handled in parallel even though there is
+        * only one client initially.
+        */
+-      ifp->ntcpaccepting = 0;
+-      ifp->ntcpactive = 0;
++      isc_refcount_init(&ifp->ntcpaccepting, 0);
++      isc_refcount_init(&ifp->ntcpactive, 0);
+ 
+       ifp->nudpdispatch = 0;
+ 
+@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
+ 
+       ns_interfacemgr_detach(&ifp->mgr);
+ 
++      isc_refcount_destroy(&ifp->ntcpactive);
++      isc_refcount_destroy(&ifp->ntcpaccepting);
++
+       ifp->magic = 0;
+       isc_mem_put(mctx, ifp, sizeof(*ifp));
+ }
diff -Nru 
bind9-9.11.5.P4+dfsg/debian/patches/0014-Disable-broken-Ed448-support.patch 
bind9-9.11.5.P4+dfsg/debian/patches/0014-Disable-broken-Ed448-support.patch
--- bind9-9.11.5.P4+dfsg/debian/patches/0014-Disable-broken-Ed448-support.patch 
1970-01-01 01:00:00.000000000 +0100
+++ bind9-9.11.5.P4+dfsg/debian/patches/0014-Disable-broken-Ed448-support.patch 
2019-05-03 19:44:57.000000000 +0200
@@ -0,0 +1,508 @@
+From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ond...@debian.org>
+Date: Fri, 26 Apr 2019 07:58:26 +0000
+Subject: Disable broken Ed448 support
+
+---
+ config.h.in  |   3 -
+ configure    | 201 ++++++++++++++++++++++-------------------------------------
+ configure.in |  33 ----------
+ 3 files changed, 75 insertions(+), 162 deletions(-)
+
+diff --git a/config.h.in b/config.h.in
+index b6f1a28..8268259 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -387,9 +387,6 @@ int sigwait(const unsigned int *set, int *sig);
+ /* Define if your OpenSSL version supports Ed25519. */
+ #undef HAVE_OPENSSL_ED25519
+ 
+-/* Define if your OpenSSL version supports Ed448. */
+-#undef HAVE_OPENSSL_ED448
+-
+ /* Define if your OpenSSL version supports EVP AES */
+ #undef HAVE_OPENSSL_EVP_AES
+ 
+diff --git a/configure b/configure
+index 80b8eca..160e996 100755
+--- a/configure
++++ b/configure
+@@ -827,6 +827,7 @@ PKCS11_TEST
+ PKCS11_ED25519
+ PKCS11_GOST
+ PKCS11_ECDSA
++CRYPTO_PK11
+ CRYPTO
+ PKCS11LINKSRCS
+ PKCS11LINKOBJS
+@@ -865,6 +866,7 @@ THREADOPTOBJS
+ ISC_PLATFORM_USETHREADS
+ ALWAYS_DEFINES
+ CHECK_DSA
++DNS_CRYPTO_PK11_LIBS
+ DNS_CRYPTO_LIBS
+ DNS_GSSAPI_LIBS
+ DST_GSSAPI_INC
+@@ -968,6 +970,7 @@ infodir
+ docdir
+ oldincludedir
+ includedir
++runstatedir
+ localstatedir
+ sharedstatedir
+ sysconfdir
+@@ -1129,6 +1132,7 @@ datadir='${datarootdir}'
+ sysconfdir='${prefix}/etc'
+ sharedstatedir='${prefix}/com'
+ localstatedir='${prefix}/var'
++runstatedir='${localstatedir}/run'
+ includedir='${prefix}/include'
+ oldincludedir='/usr/include'
+ docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+@@ -1381,6 +1385,15 @@ do
+   | -silent | --silent | --silen | --sile | --sil)
+     silent=yes ;;
+ 
++  -runstatedir | --runstatedir | --runstatedi | --runstated \
++  | --runstate | --runstat | --runsta | --runst | --runs \
++  | --run | --ru | --r)
++    ac_prev=runstatedir ;;
++  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
++  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
++  | --run=* | --ru=* | --r=*)
++    runstatedir=$ac_optarg ;;
++
+   -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+     ac_prev=sbindir ;;
+   -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+@@ -1518,7 +1531,7 @@ fi
+ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+               datadir sysconfdir sharedstatedir localstatedir includedir \
+               oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+-              libdir localedir mandir
++              libdir localedir mandir runstatedir
+ do
+   eval ac_val=\$$ac_var
+   # Remove trailing slashes.
+@@ -1671,6 +1684,7 @@ Fine tuning of the installation directories:
+   --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
+   --sharedstatedir=DIR    modifiable architecture-independent data 
[PREFIX/com]
+   --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
++  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
+   --libdir=DIR            object code libraries [EPREFIX/lib]
+   --includedir=DIR        C header files [PREFIX/include]
+   --oldincludedir=DIR     C header files for non-gcc [/usr/include]
+@@ -5037,7 +5051,7 @@ linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*)
+   lt_cv_deplibs_check_method=pass_all
+   ;;
+ 
+-netbsd*)
++netbsd* | netbsdelf*-gnu)
+   if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then
+     lt_cv_deplibs_check_method='match_pattern 
/lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+   else
+@@ -5943,11 +5957,8 @@ _LT_EOF
+   test $ac_status = 0; }; then
+     # Now try to grab the symbols.
+     nlist=conftest.nm
+-    if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM 
conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5
+-  (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 
2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; } && test -s "$nlist"; then
++    $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | 
$lt_cv_sys_global_symbol_pipe > $nlist" >&5
++    if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> 
$nlist 2>&5 && test -s "$nlist"; then
+       # Try sorting and uniquifying the output.
+       if sort "$nlist" | uniq > "$nlist"T; then
+       mv -f "$nlist"T "$nlist"
+@@ -8772,6 +8783,9 @@ $as_echo_n "checking whether the $compiler linker ($LD) 
supports shared librarie
+   openbsd* | bitrig*)
+     with_gnu_ld=no
+     ;;
++  linux* | k*bsd*-gnu | gnu*)
++    link_all_deplibs=no
++    ;;
+   esac
+ 
+   ld_shlibs=yes
+@@ -9026,7 +9040,7 @@ _LT_EOF
+       fi
+       ;;
+ 
+-    netbsd*)
++    netbsd* | netbsdelf*-gnu)
+       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+       archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+       wlarc=
+@@ -9696,6 +9710,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
+       if test yes = "$lt_cv_irix_exported_symbol"; then
+           archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs 
$compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all 
"$wl-set_version $wl$verstring"` $wl-update_registry 
$wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib'
+       fi
++      link_all_deplibs=no
+       else
+       archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname 
$soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` 
-update_registry $output_objdir/so_locations -o $lib'
+       archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags 
-soname $soname `test -n "$verstring" && func_echo_all "-set_version 
$verstring"` -update_registry $output_objdir/so_locations -exports_file 
$export_symbols -o $lib'
+@@ -9717,7 +9732,7 @@ $as_echo "$lt_cv_irix_exported_symbol" >&6; }
+       esac
+       ;;
+ 
+-    netbsd*)
++    netbsd* | netbsdelf*-gnu)
+       if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then
+       archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'  
# a.out
+       else
+@@ -10832,6 +10847,18 @@ fi
+   dynamic_linker='GNU/Linux ld.so'
+   ;;
+ 
++netbsdelf*-gnu)
++  version_type=linux
++  need_lib_prefix=no
++  need_version=no
++  library_names_spec='${libname}${release}${shared_ext}$versuffix 
${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
++  soname_spec='${libname}${release}${shared_ext}$major'
++  shlibpath_var=LD_LIBRARY_PATH
++  shlibpath_overrides_runpath=no
++  hardcode_into_libs=yes
++  dynamic_linker='NetBSD ld.elf_so'
++  ;;
++
+ netbsd*)
+   version_type=sunos
+   need_lib_prefix=no
+@@ -13427,7 +13454,7 @@ case "$host" in
+       # as it breaks how the two halves (Basic and Advanced) of the IPv6
+       # Socket API were designed to be used but we have to live with it.
+       # Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API.
+-      *-linux* | *-kfreebsd*-gnu*)
++      *-linux* | *-kfreebsd*-gnu* | *-gnu*)
+               STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
+               CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE"
+               ;;
+@@ -15227,6 +15254,7 @@ esac
+ 
+ 
+ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
+ 
+ #
+ # Applications linking with libdns also need to link with these libraries.
+@@ -15234,6 +15262,7 @@ DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+ 
+ 
+ 
++
+ #
+ # was --with-randomdev specified?
+ #
+@@ -16330,7 +16359,7 @@ fi
+               # LinuxThreads requires some changes to the way we
+               # deal with signals.
+               #
+-              *-linux*)
++              *-linux*|*-kfreebsd*-gnu)
+                       $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h
+ 
+                       ;;
+@@ -16585,12 +16614,6 @@ fi
+ $as_echo_n "checking for OpenSSL library... " >&6; }
+ OPENSSL_WARNING=
+ openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+-if test "yes" = "$want_native_pkcs11"
+-then
+-      use_openssl="native_pkcs11"
+-      { $as_echo "$as_me:${as_lineno-$LINENO}: result: use of native PKCS11 
instead" >&5
+-$as_echo "use of native PKCS11 instead" >&6; }
+-fi
+ 
+ if test "auto" = "$use_openssl"
+ then
+@@ -16603,6 +16626,7 @@ then
+               fi
+       done
+ fi
++CRYPTO_PK11=""
+ OPENSSL_ECDSA=""
+ OPENSSL_GOST=""
+ OPENSSL_ED25519=""
+@@ -16625,12 +16649,10 @@ $as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h
+               ;;
+ esac
+ 
+-case "$use_openssl" in
+-      native_pkcs11)
+-              { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled 
because of native PKCS11" >&5
+-$as_echo "disabled because of native PKCS11" >&6; }
++if test "$want_native_pkcs11" = "yes"
++then
+               DST_OPENSSL_INC=""
+-              CRYPTO="-DPKCS11CRYPTO"
++              CRYPTO_PK11="-DPKCS11CRYPTO"
+               OPENSSLECDSALINKOBJS=""
+               OPENSSLECDSALINKSRCS=""
+               OPENSSLEDDSALINKOBJS=""
+@@ -16639,7 +16661,9 @@ $as_echo "disabled because of native PKCS11" >&6; }
+               OPENSSLGOSTLINKSRCS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
+-              ;;
++fi
++
++case "$use_openssl" in
+       no)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+@@ -16669,12 +16693,6 @@ $as_echo "no" >&6; }
+ If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+               ;;
+       *)
+-              if test "yes" = "$want_native_pkcs11"
+-              then
+-                      { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+-$as_echo "" >&6; }
+-                      as_fn_error $? "OpenSSL and native PKCS11 cannot be 
used together." "$LINENO" 5
+-              fi
+               if test "yes" = "$use_openssl"
+               then
+                       # User did not specify a path - guess it
+@@ -17126,60 +17144,10 @@ fi
+ 
+ $as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
+ 
+-              { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL 
Ed448 support" >&5
+-$as_echo_n "checking for OpenSSL Ed448 support... " >&6; }
+-              if test "$cross_compiling" = yes; then :
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
+-$as_echo "using --with-eddsa" >&6; }
+-else
+-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h.  */
+-
+-#include <openssl/evp.h>
+-#include <openssl/objects.h>
+-int main() {
+-      EVP_PKEY_CTX *ctx;
+-
+-      ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+-      if (ctx == NULL)
+-              return (2);
+-      return (0);
+-}
+-
+-_ACEOF
+-if ac_fn_c_try_run "$LINENO"; then :
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+-              have_ed448="yes"
+-else
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-              have_ed448="no"
+-fi
+-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+-  conftest.$ac_objext conftest.beam conftest.$ac_ext
+-fi
+-
+-              case $with_eddsa in
+-              all)
+-                      have_ed448=yes ;;
+-              *)
+-                      ;;
+-              esac
+-              case $have_ed448 in
+-              yes)
+-
+-$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
+-
+-                      ;;
+-              *)
+-                      ;;
+-              esac
+               ;;
+       *)
+               ;;
+       esac
+-
+       have_aes="no"
+       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL AES 
support" >&5
+ $as_echo_n "checking for OpenSSL AES support... " >&6; }
+@@ -17278,6 +17246,7 @@ esac
+ 
+ 
+ DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
++DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
+ 
+ ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
+ if test "yes" = "$with_aes"
+@@ -17667,6 +17636,7 @@ esac
+ 
+ 
+ 
++
+ # for PKCS11 benchmarks
+ 
+ have_clock_gt=no
+@@ -18526,51 +18496,6 @@ _ACEOF
+ 
+   LIBS="-lsocket $LIBS"
+ 
+-fi
+-
+-              { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inet_addr 
in -lnsl" >&5
+-$as_echo_n "checking for inet_addr in -lnsl... " >&6; }
+-if ${ac_cv_lib_nsl_inet_addr+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-  ac_check_lib_save_LIBS=$LIBS
+-LIBS="-lnsl  $LIBS"
+-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h.  */
+-
+-/* Override any GCC internal prototype to avoid an error.
+-   Use char because int might match the return type of a GCC
+-   builtin and then its argument prototype would still apply.  */
+-#ifdef __cplusplus
+-extern "C"
+-#endif
+-char inet_addr ();
+-int
+-main ()
+-{
+-return inet_addr ();
+-  ;
+-  return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_link "$LINENO"; then :
+-  ac_cv_lib_nsl_inet_addr=yes
+-else
+-  ac_cv_lib_nsl_inet_addr=no
+-fi
+-rm -f core conftest.err conftest.$ac_objext \
+-    conftest$ac_exeext conftest.$ac_ext
+-LIBS=$ac_check_lib_save_LIBS
+-fi
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_inet_addr" >&5
+-$as_echo "$ac_cv_lib_nsl_inet_addr" >&6; }
+-if test "x$ac_cv_lib_nsl_inet_addr" = xyes; then :
+-  cat >>confdefs.h <<_ACEOF
+-#define HAVE_LIBNSL 1
+-_ACEOF
+-
+-  LIBS="-lnsl $LIBS"
+-
+ fi
+ 
+               ;;
+@@ -24555,7 +24480,7 @@ ac_config_commands="$ac_config_commands chmod"
+ # elsewhere if there's a good reason for doing so.
+ #
+ 
+-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile 
bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile 
bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile 
bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile 
bin/python/Makefile bin/python/isc/Makefile bin/python/isc/utils.py 
bin/python/isc/tests/Makefile bin/python/dnssec-checkds.py 
bin/python/dnssec-coverage.py bin/python/dnssec-keymgr.py 
bin/python/isc/__init__.py bin/python/isc/checkds.py bin/python/isc/coverage.py 
bin/python/isc/dnskey.py bin/python/isc/eventlist.py bin/python/isc/keydict.py 
bin/python/isc/keyevent.py bin/python/isc/keymgr.py bin/python/isc/keyseries.py 
bin/python/isc/keyzone.py bin/python/isc/policy.py bin/python/isc/rndc.py 
bin/python/isc/tests/dnskey_test.py bin/python/isc/tests/policy_test.py 
bin/rndc/Makefile bin/tests/Makefile bin/tests/headerdep_test.sh 
bin/tests/optional/Makefile bin/tests/pkcs11/Makefile 
bin/tests/pkcs11/benchmarks/Makefile bin/tests/system/Makefile 
bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh 
bin/tests/system/dlzexternal/Makefile 
bin/tests/system/dlzexternal/ns1/dlzs.conf bin/tests/system/dyndb/Makefile 
bin/tests/system/dyndb/driver/Makefile bin/tests/system/inline/checkdsa.sh 
bin/tests/system/lwresd/Makefile bin/tests/system/pipelined/Makefile 
bin/tests/system/rndc/Makefile bin/tests/system/rsabigexponent/Makefile 
bin/tests/system/tkey/Makefile bin/tests/virtual-time/Makefile 
bin/tests/virtual-time/conf.sh bin/tools/Makefile 
contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh 
doc/Makefile doc/arm/Makefile doc/arm/noteversion.xml doc/arm/pkgversion.xml 
doc/arm/releaseinfo.xml doc/doxygen/Doxyfile doc/doxygen/Makefile 
doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile 
doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl 
doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl 
isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile 
lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile 
lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile 
lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile 
lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h 
lib/irs/include/irs/platform.h lib/irs/tests/Makefile lib/isc/$arch/Makefile 
lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile 
lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile 
lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile 
lib/isc/include/Makefile lib/isc/include/isc/Makefile 
lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile 
lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile 
lib/isc/unix/Makefile lib/isc/unix/include/Makefile 
lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile 
lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile 
lib/isccfg/Makefile lib/isccfg/include/Makefile 
lib/isccfg/include/isccfg/Makefile lib/isccfg/tests/Makefile lib/lwres/Makefile 
lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile 
lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h 
lib/lwres/man/Makefile lib/lwres/tests/Makefile lib/lwres/unix/Makefile 
lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile 
lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile 
unit/unittest.sh"
++ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile 
bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile 
bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile 
bin/dnssec-pkcs11/Makefile bin/named/Makefile bin/named/unix/Makefile 
bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile bin/nsupdate/Makefile 
bin/pkcs11/Makefile bin/python/Makefile bin/python/isc/Makefile 
bin/python/isc/utils.py bin/python/isc/tests/Makefile 
bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py 
bin/python/dnssec-keymgr.py bin/python/isc/__init__.py 
bin/python/isc/checkds.py bin/python/isc/coverage.py bin/python/isc/dnskey.py 
bin/python/isc/eventlist.py bin/python/isc/keydict.py 
bin/python/isc/keyevent.py bin/python/isc/keymgr.py bin/python/isc/keyseries.py 
bin/python/isc/keyzone.py bin/python/isc/policy.py bin/python/isc/rndc.py 
bin/python/isc/tests/dnskey_test.py bin/python/isc/tests/policy_test.py 
bin/rndc/Makefile bin/tests/Makefile bin/tests/headerdep_test.sh 
bin/tests/optional/Makefile bin/tests/pkcs11/Makefile 
bin/tests/pkcs11/benchmarks/Makefile bin/tests/system/Makefile 
bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh 
bin/tests/system/dlzexternal/Makefile 
bin/tests/system/dlzexternal/ns1/dlzs.conf bin/tests/system/dyndb/Makefile 
bin/tests/system/dyndb/driver/Makefile bin/tests/system/inline/checkdsa.sh 
bin/tests/system/lwresd/Makefile bin/tests/system/pipelined/Makefile 
bin/tests/system/rndc/Makefile bin/tests/system/rsabigexponent/Makefile 
bin/tests/system/tkey/Makefile bin/tests/virtual-time/Makefile 
bin/tests/virtual-time/conf.sh bin/tools/Makefile 
contrib/scripts/check-secure-delegation.pl contrib/scripts/zone-edit.sh 
doc/Makefile doc/arm/Makefile doc/arm/noteversion.xml doc/arm/pkgversion.xml 
doc/arm/releaseinfo.xml doc/doxygen/Doxyfile doc/doxygen/Makefile 
doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/tex/Makefile 
doc/tex/armstyle.sty doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl 
doc/xsl/isc-docbook-html.xsl doc/xsl/isc-manpage.xsl doc/xsl/isc-notes-html.xsl 
isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile 
lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile 
lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile 
lib/dns/tests/Makefile lib/dns-pkcs11/Makefile lib/dns-pkcs11/include/Makefile 
lib/dns-pkcs11/include/dns/Makefile lib/dns-pkcs11/include/dst/Makefile 
lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile 
lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h 
lib/irs/tests/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile 
lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile 
lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile 
lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile 
lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile 
lib/isc/include/pkcs11/Makefile lib/isc/tests/Makefile lib/isc/nls/Makefile 
lib/isc/unix/Makefile lib/isc/unix/include/Makefile 
lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile 
lib/isc-pkcs11/$arch/Makefile lib/isc-pkcs11/$arch/include/Makefile 
lib/isc-pkcs11/$arch/include/isc/Makefile lib/isc-pkcs11/$thread_dir/Makefile 
lib/isc-pkcs11/$thread_dir/include/Makefile 
lib/isc-pkcs11/$thread_dir/include/isc/Makefile lib/isc-pkcs11/Makefile 
lib/isc-pkcs11/include/Makefile lib/isc-pkcs11/include/isc/Makefile 
lib/isc-pkcs11/include/isc/platform.h lib/isc-pkcs11/include/pk11/Makefile 
lib/isc-pkcs11/include/pkcs11/Makefile lib/isc-pkcs11/tests/Makefile 
lib/isc-pkcs11/nls/Makefile lib/isc-pkcs11/unix/Makefile 
lib/isc-pkcs11/unix/include/Makefile lib/isc-pkcs11/unix/include/isc/Makefile 
lib/isc-pkcs11/unix/include/pkcs11/Makefile lib/isccc/Makefile 
lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile 
lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile 
lib/isccfg/tests/Makefile lib/lwres/Makefile lib/lwres/include/Makefile 
lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h 
lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile 
lib/lwres/tests/Makefile lib/lwres/unix/Makefile 
lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile 
lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile 
unit/unittest.sh"
+ 
+ 
+ #
+@@ -25567,8 +25492,11 @@ do
+     "bin/delv/Makefile") CONFIG_FILES="$CONFIG_FILES bin/delv/Makefile" ;;
+     "bin/dig/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dig/Makefile" ;;
+     "bin/dnssec/Makefile") CONFIG_FILES="$CONFIG_FILES bin/dnssec/Makefile" ;;
++    "bin/dnssec-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
bin/dnssec-pkcs11/Makefile" ;;
+     "bin/named/Makefile") CONFIG_FILES="$CONFIG_FILES bin/named/Makefile" ;;
+     "bin/named/unix/Makefile") CONFIG_FILES="$CONFIG_FILES 
bin/named/unix/Makefile" ;;
++    "bin/named-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
bin/named-pkcs11/Makefile" ;;
++    "bin/named-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES 
bin/named-pkcs11/unix/Makefile" ;;
+     "bin/nsupdate/Makefile") CONFIG_FILES="$CONFIG_FILES 
bin/nsupdate/Makefile" ;;
+     "bin/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/pkcs11/Makefile" ;;
+     "bin/python/Makefile") CONFIG_FILES="$CONFIG_FILES bin/python/Makefile" ;;
+@@ -25642,6 +25570,10 @@ do
+     "lib/dns/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns/include/dns/Makefile" ;;
+     "lib/dns/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns/include/dst/Makefile" ;;
+     "lib/dns/tests/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns/tests/Makefile" ;;
++    "lib/dns-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns-pkcs11/Makefile" ;;
++    "lib/dns-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns-pkcs11/include/Makefile" ;;
++    "lib/dns-pkcs11/include/dns/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns-pkcs11/include/dns/Makefile" ;;
++    "lib/dns-pkcs11/include/dst/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/dns-pkcs11/include/dst/Makefile" ;;
+     "lib/irs/Makefile") CONFIG_FILES="$CONFIG_FILES lib/irs/Makefile" ;;
+     "lib/irs/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/irs/include/Makefile" ;;
+     "lib/irs/include/irs/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/irs/include/irs/Makefile" ;;
+@@ -25666,6 +25598,24 @@ do
+     "lib/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc/unix/include/Makefile" ;;
+     "lib/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc/unix/include/isc/Makefile" ;;
+     "lib/isc/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc/unix/include/pkcs11/Makefile" ;;
++    "lib/isc-pkcs11/$arch/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/$arch/Makefile" ;;
++    "lib/isc-pkcs11/$arch/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/$arch/include/Makefile" ;;
++    "lib/isc-pkcs11/$arch/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/$arch/include/isc/Makefile" ;;
++    "lib/isc-pkcs11/$thread_dir/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/$thread_dir/Makefile" ;;
++    "lib/isc-pkcs11/$thread_dir/include/Makefile") 
CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/include/Makefile" ;;
++    "lib/isc-pkcs11/$thread_dir/include/isc/Makefile") 
CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/$thread_dir/include/isc/Makefile" ;;
++    "lib/isc-pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/Makefile" ;;
++    "lib/isc-pkcs11/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/include/Makefile" ;;
++    "lib/isc-pkcs11/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/include/isc/Makefile" ;;
++    "lib/isc-pkcs11/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/include/isc/platform.h" ;;
++    "lib/isc-pkcs11/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/include/pk11/Makefile" ;;
++    "lib/isc-pkcs11/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/include/pkcs11/Makefile" ;;
++    "lib/isc-pkcs11/tests/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/tests/Makefile" ;;
++    "lib/isc-pkcs11/nls/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/nls/Makefile" ;;
++    "lib/isc-pkcs11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/unix/Makefile" ;;
++    "lib/isc-pkcs11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/unix/include/Makefile" ;;
++    "lib/isc-pkcs11/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isc-pkcs11/unix/include/isc/Makefile" ;;
++    "lib/isc-pkcs11/unix/include/pkcs11/Makefile") 
CONFIG_FILES="$CONFIG_FILES lib/isc-pkcs11/unix/include/pkcs11/Makefile" ;;
+     "lib/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccc/Makefile" ;;
+     "lib/isccc/include/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isccc/include/Makefile" ;;
+     "lib/isccc/include/isccc/Makefile") CONFIG_FILES="$CONFIG_FILES 
lib/isccc/include/isccc/Makefile" ;;
+@@ -26296,7 +26246,6 @@ $as_echo "$as_me: executing $ac_file commands" >&6;}
+     cat <<_LT_EOF >> "$cfgfile"
+ #! $SHELL
+ # Generated automatically by $as_me ($PACKAGE) $VERSION
+-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 
1q`:
+ # NOTE: Changes made to this file will be lost: look at ltmain.sh.
+ 
+ # Provide generalized library-building support services.
+diff --git a/configure.in b/configure.in
+index f8603b8..324ac97 100644
+--- a/configure.in
++++ b/configure.in
+@@ -1889,43 +1889,10 @@ int main() {
+               OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
+               AC_DEFINE(HAVE_OPENSSL_ED25519, 1,
+                         [Define if your OpenSSL version supports Ed25519.])
+-              AC_MSG_CHECKING(for OpenSSL Ed448 support)
+-              AC_TRY_RUN([
+-#include <openssl/evp.h>
+-#include <openssl/objects.h>
+-int main() {
+-      EVP_PKEY_CTX *ctx;
+-
+-      ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+-      if (ctx == NULL)
+-              return (2);
+-      return (0);
+-}
+-],
+-              [AC_MSG_RESULT(yes)
+-              have_ed448="yes"],
+-              [AC_MSG_RESULT(no)
+-              have_ed448="no"],
+-              [AC_MSG_RESULT(using --with-eddsa)])
+-              case $with_eddsa in
+-              all)
+-                      have_ed448=yes ;;
+-              *)
+-                      ;;
+-              esac
+-              case $have_ed448 in
+-              yes)
+-                      AC_DEFINE(HAVE_OPENSSL_ED448, 1,
+-                                [Define if your OpenSSL version supports 
Ed448.])
+-                      ;;
+-              *)
+-                      ;;
+-              esac
+               ;;
+       *)
+               ;;
+       esac
+-
+       have_aes="no"
+       AC_MSG_CHECKING(for OpenSSL AES support)
+       AC_TRY_RUN([
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/series 
bind9-9.11.5.P4+dfsg/debian/patches/series
--- bind9-9.11.5.P4+dfsg/debian/patches/series  2019-04-22 22:31:06.000000000 
+0200
+++ bind9-9.11.5.P4+dfsg/debian/patches/series  2019-05-03 19:44:57.000000000 
+0200
@@ -9,3 +9,6 @@
 Add_--install-layout=deb_to_setup.py_call.patch
 skip-rtld-deepbind-for-dyndb.diff
 keymgr-dont-immediately-delete.diff
+0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
+0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
+0014-Disable-broken-Ed448-support.patch
diff -Nru bind9-9.11.5.P4+dfsg/debian/rules bind9-9.11.5.P4+dfsg/debian/rules
--- bind9-9.11.5.P4+dfsg/debian/rules   2019-04-22 22:31:06.000000000 +0200
+++ bind9-9.11.5.P4+dfsg/debian/rules   2019-05-03 19:44:57.000000000 +0200
@@ -102,7 +102,6 @@
                --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
                --with-randomdev=/dev/urandom \
                --enable-dnstap \
-               --with-eddsa=no \
                $(EXTRA_FEATURES)
        dh_auto_configure -B build-udeb -- \
                --sysconfdir=/etc/bind \
@@ -121,7 +120,6 @@
                --enable-shared \
                --with-libtool \
                --with-gssapi=no \
-               --with-eddsa=no \
                --libdir=/lib/$(DEB_HOST_MULTIARCH) \
                --includedir=/usr/include/bind-export
        sh debian/apply-export-patch

Reply via email to