summaryrefslogtreecommitdiffstats
path: root/import-layers/yocto-poky/meta/recipes-connectivity/bind
diff options
context:
space:
mode:
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-connectivity/bind')
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch50
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch25
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch34
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch154
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch79
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch314
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch247
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch44
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch49
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind92
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch330
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch17
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh7
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch65
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch42
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff104
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service22
-rw-r--r--import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb109
18 files changed, 1694 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
new file mode 100644
index 000000000..805cbb331
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
@@ -0,0 +1,50 @@
+xml2-config is disabled, so change the configure script to use pkgconfig to find
+libxml2.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+Update context for version 9.10.3-P2.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ configure.in | 23 +++--------------------
+ 1 file changed, 3 insertions(+), 20 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 0db826d..75819eb 100644
+--- a/configure.in
++++ b/configure.in
+@@ -2107,26 +2107,9 @@ case "$use_libxml2" in
+ DST_LIBXML2_INC=""
+ ;;
+ auto|yes)
+- case X`(xml2-config --version) 2>/dev/null` in
+- X2.[[6789]].*)
+- libxml2_libs=`xml2-config --libs`
+- libxml2_cflags=`xml2-config --cflags`
+- ;;
+- *)
+- if test "$use_libxml2" = "yes" ; then
+- AC_MSG_RESULT(no)
+- AC_MSG_ERROR(required libxml2 version not available)
+- else
+- libxml2_libs=
+- libxml2_cflags=
+- fi
+- ;;
+- esac
+- ;;
+- *)
+- if test -f "$use_libxml2/bin/xml2-config" ; then
+- libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
+- libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
++ if pkg-config --exists libxml-2.0 ; then
++ libxml2_libs=`pkg-config libxml-2.0 --libs`
++ libxml2_cflags=`pkg-config libxml-2.0 --cflags`
+ fi
+ ;;
+ esac
+--
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
new file mode 100644
index 000000000..121509371
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Pending
+
+Subject: gen.c: extend DIRNAMESIZE from 256 to 512
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ lib/dns/gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/gen.c b/lib/dns/gen.c
+index 7a7dafb..51a0435 100644
+--- a/lib/dns/gen.c
++++ b/lib/dns/gen.c
+@@ -148,7 +148,7 @@ static const char copyright[] =
+ #define TYPECLASSBUF (TYPECLASSLEN + 1)
+ #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
+ #define ATTRIBUTESIZE 256
+-#define DIRNAMESIZE 256
++#define DIRNAMESIZE 512
+
+ static struct cc {
+ struct cc *next;
+--
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
new file mode 100644
index 000000000..1ed858cd3
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
@@ -0,0 +1,34 @@
+From 5bc3167a8b714ec0c4a3f1c7f3b9411296ec0a23 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Wed, 16 Sep 2015 20:23:47 -0700
+Subject: [PATCH] lib/dns/gen.c: fix too long error
+
+The 512 is a little short when build in deep dir, and cause "too long"
+error, use PATH_MAX if defined.
+
+Upstream-Status: Pending
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ lib/dns/gen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/dns/gen.c b/lib/dns/gen.c
+index 51a0435..3d7214f 100644
+--- a/lib/dns/gen.c
++++ b/lib/dns/gen.c
+@@ -148,7 +148,11 @@ static const char copyright[] =
+ #define TYPECLASSBUF (TYPECLASSLEN + 1)
+ #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
+ #define ATTRIBUTESIZE 256
++#ifdef PATH_MAX
++#define DIRNAMESIZE PATH_MAX
++#else
+ #define DIRNAMESIZE 512
++#endif
+
+ static struct cc {
+ struct cc *next;
+--
+1.7.9.5
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
new file mode 100644
index 000000000..2149bd180
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
@@ -0,0 +1,154 @@
+From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 18 Feb 2016 12:11:27 +1100
+Subject: [PATCH] 4318. [security] Malformed control messages can
+ trigger assertions in named and rndc. (CVE-2016-1285)
+ [RT #41666]
+
+(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
+
+CVE: CVE-2016-1285
+Upstream-Status: Backport
+[Removed doc/arm/notes.xml changes from upstream patch]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ CHANGES | 3 +++
+ bin/named/control.c | 2 +-
+ bin/named/controlconf.c | 2 +-
+ bin/rndc/rndc.c | 8 ++++----
+ doc/arm/notes.xml | 11 +++++++++++
+ lib/isccc/cc.c | 14 +++++++-------
+ 6 files changed, 27 insertions(+), 13 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index b9bd9ef..2c727d5 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,6 @@
++4318. [security] Malformed control messages can trigger assertions
++ in named and rndc. (CVE-2016-1285) [RT #41666]
++
+ --- 9.10.3-P3 released ---
+
+ 4288. [bug] Fixed a regression in resolver.c:possibly_mark()
+diff --git a/bin/named/control.c b/bin/named/control.c
+index 8554335..81340ca 100644
+--- a/bin/named/control.c
++++ b/bin/named/control.c
+@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
+ #endif
+
+ data = isccc_alist_lookup(message, "_data");
+- if (data == NULL) {
++ if (!isccc_alist_alistp(data)) {
+ /*
+ * No data section.
+ */
+diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
+index 765afdd..a39ab8b 100644
+--- a/bin/named/controlconf.c
++++ b/bin/named/controlconf.c
+@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
+ * Limit exposure to replay attacks.
+ */
+ _ctrl = isccc_alist_lookup(request, "_ctrl");
+- if (_ctrl == NULL) {
++ if (!isccc_alist_alistp(_ctrl)) {
+ log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+ goto cleanup_request;
+ }
+diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
+index cb17050..b6e05c8 100644
+--- a/bin/rndc/rndc.c
++++ b/bin/rndc/rndc.c
+@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+ data = isccc_alist_lookup(response, "_data");
+- if (data == NULL)
+- fatal("no data section in response");
++ if (!isccc_alist_alistp(data))
++ fatal("bad or missing data section in response");
+ result = isccc_cc_lookupstring(data, "err", &errormsg);
+ if (result == ISC_R_SUCCESS) {
+ failed = ISC_TRUE;
+@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+ _ctrl = isccc_alist_lookup(response, "_ctrl");
+- if (_ctrl == NULL)
+- fatal("_ctrl section missing");
++ if (!isccc_alist_alistp(_ctrl))
++ fatal("bad or missing ctrl section in response");
+ nonce = 0;
+ if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
+ nonce = 0;
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index 47a3b74..2bb961e 100644
+--- a/lib/isccc/cc.c
++++ b/lib/isccc/cc.c
+@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ * Extract digest.
+ */
+ _auth = isccc_alist_lookup(alist, "_auth");
+- if (_auth == NULL)
++ if (!isccc_alist_alistp(_auth))
+ return (ISC_R_FAILURE);
+ if (algorithm == ISCCC_ALG_HMACMD5)
+ hmac = isccc_alist_lookup(_auth, "hmd5");
+ else
+ hmac = isccc_alist_lookup(_auth, "hsha");
+- if (hmac == NULL)
++ if (!isccc_sexpr_binaryp(hmac))
+ return (ISC_R_FAILURE);
+ /*
+ * Compute digest.
+@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
+ REQUIRE(ackp != NULL && *ackp == NULL);
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+- if (_ctrl == NULL ||
++ if (!isccc_alist_alistp(_ctrl) ||
+ isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+ isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
+ isccc_sexpr_t *_ctrl;
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+- if (_ctrl == NULL)
++ if (!isccc_alist_alistp(_ctrl))
+ return (ISC_FALSE);
+ if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
+ isccc_sexpr_t *_ctrl;
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+- if (_ctrl == NULL)
++ if (!isccc_alist_alistp(_ctrl))
+ return (ISC_FALSE);
+ if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+ _data = isccc_alist_lookup(message, "_data");
+- if (_ctrl == NULL || _data == NULL ||
++ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
+ isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+ isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+ isccc_sexpr_t *_ctrl;
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+- if (_ctrl == NULL ||
++ if (!isccc_alist_alistp(_ctrl) ||
+ isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
+ isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+--
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
new file mode 100644
index 000000000..ae5cc48d9
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
@@ -0,0 +1,79 @@
+From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
+From: Mukund Sivaraman <muks@isc.org>
+Date: Mon, 22 Feb 2016 12:22:43 +0530
+Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
+ (CVE-2016-1286) (#41753)
+
+(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
+
+CVE: CVE-2016-1286
+Upstream-Status: Backport
+
+[Removed doc/arm/notes.xml changes from upstream patch.]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES 2016-04-13 07:28:44.940873629 +0200
++++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200
+@@ -1,3 +1,7 @@
++4319. [security] Fix resolver assertion failure due to improper
++ DNAME handling when parsing fetch reply messages.
++ (CVE-2016-1286) [RT #41753]
++
+ 4318. [security] Malformed control messages can trigger assertions
+ in named and rndc. (CVE-2016-1285) [RT #41666]
+
+diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
+--- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200
++++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200
+@@ -6967,21 +6967,26 @@
+ isc_boolean_t found_dname = ISC_FALSE;
+ dns_name_t *dname_name;
+
++ /*
++ * Only pass DNAME or RRSIG(DNAME).
++ */
++ if (rdataset->type != dns_rdatatype_dname &&
++ (rdataset->type != dns_rdatatype_rrsig ||
++ rdataset->covers != dns_rdatatype_dname))
++ continue;
++
++ /*
++ * If we're not chaining, then the DNAME and
++ * its signature should not be external.
++ */
++ if (!chaining && external) {
++ log_formerr(fctx, "external DNAME");
++ return (DNS_R_FORMERR);
++ }
++
+ found = ISC_FALSE;
+ aflag = 0;
+ if (rdataset->type == dns_rdatatype_dname) {
+- /*
+- * We're looking for something else,
+- * but we found a DNAME.
+- *
+- * If we're not chaining, then the
+- * DNAME should not be external.
+- */
+- if (!chaining && external) {
+- log_formerr(fctx,
+- "external DNAME");
+- return (DNS_R_FORMERR);
+- }
+ found = ISC_TRUE;
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+@@ -7010,9 +7015,7 @@
+ &fctx->domain)) {
+ return (DNS_R_SERVFAIL);
+ }
+- } else if (rdataset->type == dns_rdatatype_rrsig
+- && rdataset->covers ==
+- dns_rdatatype_dname) {
++ } else {
+ /*
+ * We've found a signature that
+ * covers the DNAME.
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
new file mode 100644
index 000000000..a31ea81f8
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
@@ -0,0 +1,314 @@
+From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 29 Feb 2016 07:16:48 +1100
+Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion
+ failure due to improper DNAME handling when parsing
+ fetch reply messages. (CVE-2016-1286) [RT #41753]
+
+(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374)
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/dns/resolver.c | 192 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 93 insertions(+), 99 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 70aba87..41e9df4 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
+ }
+
+ static inline isc_result_t
+-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
+- dns_name_t *oname, dns_fixedname_t *fixeddname)
++dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
++ unsigned int nlabels, dns_fixedname_t *fixeddname)
+ {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+- unsigned int nlabels;
+- int order;
+- dns_namereln_t namereln;
+ dns_rdata_dname_t dname;
+ dns_fixedname_t prefix;
+
+@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+- /*
+- * Get the prefix of qname.
+- */
+- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
+- if (namereln != dns_namereln_subdomain) {
+- char qbuf[DNS_NAME_FORMATSIZE];
+- char obuf[DNS_NAME_FORMATSIZE];
+-
+- dns_rdata_freestruct(&dname);
+- dns_name_format(qname, qbuf, sizeof(qbuf));
+- dns_name_format(oname, obuf, sizeof(obuf));
+- log_formerr(fctx, "unrelated DNAME in answer: "
+- "%s is not in %s", qbuf, obuf);
+- return (DNS_R_FORMERR);
+- }
+ dns_fixedname_init(&prefix);
+ dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
+ dns_fixedname_init(fixeddname);
+@@ -6736,13 +6718,13 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *qname, tname, *ns_name;
++ dns_name_t *name, *dname, *qname, tname, *ns_name;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+ isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t dname, fqname;
++ dns_fixedname_t fdname, fqname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) {
+ view = fctx->res->view;
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
++ dns_namereln_t namereln;
++ int order;
++ unsigned int nlabels;
++
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+- if (dns_name_equal(name, qname)) {
++ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) {
+ */
+ INSIST(!external);
+ if (aflag ==
+- DNS_RDATASETATTR_ANSWER)
++ DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
+- name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ name->attributes |=
++ DNS_NAMEATTR_ANSWER;
++ }
+ rdataset->attributes |= aflag;
+ if (aa)
+ rdataset->trust =
+@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) {
+ if (wanted_chaining)
+ chaining = ISC_TRUE;
+ } else {
++ dns_rdataset_t *dnameset = NULL;
++
+ /*
+ * Look for a DNAME (or its SIG). Anything else is
+ * ignored.
+@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+- rdataset = ISC_LIST_NEXT(rdataset, link)) {
+- isc_boolean_t found_dname = ISC_FALSE;
+- dns_name_t *dname_name;
+-
++ rdataset = ISC_LIST_NEXT(rdataset, link))
++ {
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
+@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) {
+ * its signature should not be external.
+ */
+ if (!chaining && external) {
+- log_formerr(fctx, "external DNAME");
++ char qbuf[DNS_NAME_FORMATSIZE];
++ char obuf[DNS_NAME_FORMATSIZE];
++
++ dns_name_format(name, qbuf,
++ sizeof(qbuf));
++ dns_name_format(&fctx->domain, obuf,
++ sizeof(obuf));
++ log_formerr(fctx, "external DNAME or "
++ "RRSIG covering DNAME "
++ "in answer: %s is "
++ "not in %s", qbuf, obuf);
++ return (DNS_R_FORMERR);
++ }
++
++ if (namereln != dns_namereln_subdomain) {
++ char qbuf[DNS_NAME_FORMATSIZE];
++ char obuf[DNS_NAME_FORMATSIZE];
++
++ dns_name_format(qname, qbuf,
++ sizeof(qbuf));
++ dns_name_format(name, obuf,
++ sizeof(obuf));
++ log_formerr(fctx, "unrelated DNAME "
++ "in answer: %s is "
++ "not in %s", qbuf, obuf);
+ return (DNS_R_FORMERR);
+ }
+
+- found = ISC_FALSE;
+ aflag = 0;
+ if (rdataset->type == dns_rdatatype_dname) {
+- found = ISC_TRUE;
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(fctx, rdataset,
+- qname, name,
+- &dname);
++ result = dname_target(rdataset, qname,
++ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+ * We can't construct the
+@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) {
+ } else if (result != ISC_R_SUCCESS)
+ return (result);
+ else
+- found_dname = ISC_TRUE;
++ dnameset = rdataset;
+
+- dname_name = dns_fixedname_name(&dname);
++ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname,
+- rdataset->type,
+- dname_name,
+- &fctx->domain)) {
++ qname, rdataset->type,
++ dname, &fctx->domain)) {
+ return (DNS_R_SERVFAIL);
+ }
+ } else {
+@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) {
+ * We've found a signature that
+ * covers the DNAME.
+ */
+- found = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWERSIG;
+ }
+
+- if (found) {
++ /*
++ * We've found an answer to our
++ * question.
++ */
++ name->attributes |= DNS_NAMEATTR_CACHE;
++ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
++ rdataset->trust = dns_trust_answer;
++ if (!chaining) {
+ /*
+- * We've found an answer to our
+- * question.
++ * This data is "the" answer to
++ * our question only if we're
++ * not chaining.
+ */
+- name->attributes |=
+- DNS_NAMEATTR_CACHE;
+- rdataset->attributes |=
+- DNS_RDATASETATTR_CACHE;
+- rdataset->trust = dns_trust_answer;
+- if (!chaining) {
+- /*
+- * This data is "the" answer
+- * to our question only if
+- * we're not chaining.
+- */
+- INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER)
+- have_answer = ISC_TRUE;
++ INSIST(!external);
++ if (aflag == DNS_RDATASETATTR_ANSWER) {
++ have_answer = ISC_TRUE;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+- rdataset->attributes |= aflag;
+- if (aa)
+- rdataset->trust =
+- dns_trust_authanswer;
+- } else if (external) {
+- rdataset->attributes |=
+- DNS_RDATASETATTR_EXTERNAL;
+- }
+-
+- /*
+- * DNAME chaining.
+- */
+- if (found_dname) {
+- /*
+- * Copy the dname into the
+- * qname fixed name.
+- *
+- * Although we check for
+- * failure of the copy
+- * operation, in practice it
+- * should never fail since
+- * we already know that the
+- * result fits in a fixedname.
+- */
+- dns_fixedname_init(&fqname);
+- result = dns_name_copy(
+- dns_fixedname_name(&dname),
+- dns_fixedname_name(&fqname),
+- NULL);
+- if (result != ISC_R_SUCCESS)
+- return (result);
+- wanted_chaining = ISC_TRUE;
+- name->attributes |=
+- DNS_NAMEATTR_CHAINING;
+- rdataset->attributes |=
+- DNS_RDATASETATTR_CHAINING;
+- qname = dns_fixedname_name(
+- &fqname);
+ }
++ rdataset->attributes |= aflag;
++ if (aa)
++ rdataset->trust =
++ dns_trust_authanswer;
++ } else if (external) {
++ rdataset->attributes |=
++ DNS_RDATASETATTR_EXTERNAL;
+ }
+ }
++
++ /*
++ * DNAME chaining.
++ */
++ if (dnameset != NULL) {
++ /*
++ * Copy the dname into the qname fixed name.
++ *
++ * Although we check for failure of the copy
++ * operation, in practice it should never fail
++ * since we already know that the result fits
++ * in a fixedname.
++ */
++ dns_fixedname_init(&fqname);
++ qname = dns_fixedname_name(&fqname);
++ result = dns_name_copy(dname, qname, NULL);
++ if (result != ISC_R_SUCCESS)
++ return (result);
++ wanted_chaining = ISC_TRUE;
++ name->attributes |= DNS_NAMEATTR_CHAINING;
++ dnameset->attributes |=
++ DNS_RDATASETATTR_CHAINING;
++ }
+ if (wanted_chaining)
+ chaining = ISC_TRUE;
+ }
+--
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
new file mode 100644
index 000000000..1b84d46b7
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,247 @@
+CVE-2016-2088
+
+Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
+v9_10_3_patch branch.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
+https://kb.isc.org/article/AA-01351
+
+CVE: CVE-2016-2088
+Upstream-Status: Backport
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+
+Original commit message from Mark Andrews <marka@isc.org> below:
+
+4322. [security] Duplicate EDNS COOKIE options in a response could
+ trigger an assertion failure. (CVE-2016-2088)
+ [RT #41809]
+
+(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
+(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
+---
+ CHANGES | 4 ++++
+ bin/dig/dighost.c | 9 +++++++++
+ bin/named/client.c | 33 +++++++++++++++++++++++----------
+ doc/arm/notes.xml | 7 +++++++
+ lib/dns/resolver.c | 14 +++++++++++++-
+ 5 files changed, 56 insertions(+), 11 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index c5b5d2b..d2e3360 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,7 @@
++4322. [security] Duplicate EDNS COOKIE options in a response could
++ trigger an assertion failure. (CVE-2016-2088)
++ [RT #41809]
++
+ 4319. [security] Fix resolver assertion failure due to improper
+ DNAME handling when parsing fetch reply messages.
+ (CVE-2016-1286) [RT #41753]
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index ca82f8e..340904f 100644
+--- a/bin/dig/dighost.c
++++ b/bin/dig/dighost.c
+@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
+ isc_buffer_t optbuf;
+ isc_uint16_t optcode, optlen;
+ dns_rdataset_t *opt = msg->opt;
++ isc_boolean_t seen_cookie = ISC_FALSE;
+
+ result = dns_rdataset_first(opt);
+ if (result == ISC_R_SUCCESS) {
+@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
+ optlen = isc_buffer_getuint16(&optbuf);
+ switch (optcode) {
+ case DNS_OPT_COOKIE:
++ /*
++ * Only process the first cookie option.
++ */
++ if (seen_cookie) {
++ isc_buffer_forward(&optbuf, optlen);
++ break;
++ }
+ process_sit(l, msg, &optbuf, optlen);
++ seen_cookie = ISC_TRUE;
+ break;
+ default:
+ isc_buffer_forward(&optbuf, optlen);
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 683305c..0d7331a 100644
+--- a/bin/named/client.c
++++ b/bin/named/client.c
+@@ -120,7 +120,10 @@
+ */
+ #endif
+
+-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
++#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
++
++#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
++#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+
+ /*% nameserver client manager structure */
+ struct ns_clientmgr {
+@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+ {
+ char nsid[BUFSIZ], *nsidp;
+ #ifdef ISC_PLATFORM_USESIT
+- unsigned char sit[SIT_SIZE];
++ unsigned char sit[COOKIE_SIZE];
+ #endif
+ isc_result_t result;
+ dns_view_t *view;
+@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+ flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+
+ /* Set EDNS options if applicable */
+- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
++ if (WANTNSID(client) &&
+ (ns_g_server->server_id != NULL ||
+ ns_g_server->server_usehostname)) {
+ if (ns_g_server->server_usehostname) {
+@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+
+ INSIST(count < DNS_EDNSOPTIONS);
+ ednsopts[count].code = DNS_OPT_COOKIE;
+- ednsopts[count].length = SIT_SIZE;
++ ednsopts[count].length = COOKIE_SIZE;
+ ednsopts[count].value = sit;
+ count++;
+ }
+@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
+
+ static void
+ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+- unsigned char dbuf[SIT_SIZE];
++ unsigned char dbuf[COOKIE_SIZE];
+ unsigned char *old;
+ isc_stdtime_t now;
+ isc_uint32_t when;
+ isc_uint32_t nonce;
+ isc_buffer_t db;
+
++ /*
++ * If we have already seen a ECS option skip this ECS option.
++ */
++ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
++ isc_buffer_forward(buf, optlen);
++ return;
++ }
+ client->attributes |= NS_CLIENTATTR_WANTSIT;
+
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sitopt);
+
+- if (optlen != SIT_SIZE) {
++ if (optlen != COOKIE_SIZE) {
+ /*
+ * Not our token.
+ */
+@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+ isc_buffer_init(&db, dbuf, sizeof(dbuf));
+ compute_sit(client, when, nonce, &db);
+
+- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
++ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sitnomatch);
+ return;
+ }
+ isc_stats_increment(ns_g_server->nsstats,
+ dns_nsstatscounter_sitmatch);
+-
+ client->attributes |= NS_CLIENTATTR_HAVESIT;
+ }
+ #endif
+@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
+ optlen = isc_buffer_getuint16(&optbuf);
+ switch (optcode) {
+ case DNS_OPT_NSID:
+- isc_stats_increment(ns_g_server->nsstats,
++ if (!WANTNSID(client))
++ isc_stats_increment(
++ ns_g_server->nsstats,
+ dns_nsstatscounter_nsidopt);
+ client->attributes |= NS_CLIENTATTR_WANTNSID;
+ isc_buffer_forward(&optbuf, optlen);
+@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
+ break;
+ #endif
+ case DNS_OPT_EXPIRE:
+- isc_stats_increment(ns_g_server->nsstats,
++ if (!WANTEXPIRE(client))
++ isc_stats_increment(
++ ns_g_server->nsstats,
+ dns_nsstatscounter_expireopt);
+ client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+ isc_buffer_forward(&optbuf, optlen);
+diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
+index ebf4f55..095eb5b 100644
+--- a/doc/arm/notes.xml
++++ b/doc/arm/notes.xml
+@@ -51,6 +51,13 @@
+ <title>Security Fixes</title>
+ <itemizedlist>
+ <listitem>
++ <para>
++ Duplicate EDNS COOKIE options in a response could trigger
++ an assertion failure. This flaw is disclosed in CVE-2016-2088.
++ [RT #41809]
++ </para>
++ </listitem>
++ <listitem>
+ <para>
+ Specific APL data could trigger an INSIST. This flaw
+ was discovered by Brian Mitchell and is disclosed in
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index a797e3f..ba1ae23 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
+ unsigned char *sit;
+ dns_adbaddrinfo_t *addrinfo;
+ unsigned char cookie[8];
++ isc_boolean_t seen_cookie = ISC_FALSE;
+ #endif
++ isc_boolean_t seen_nsid = ISC_FALSE;
+
+ result = dns_rdataset_first(opt);
+ if (result == ISC_R_SUCCESS) {
+@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
+ INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+ switch (optcode) {
+ case DNS_OPT_NSID:
+- if (query->options & DNS_FETCHOPT_WANTNSID)
++ if (!seen_nsid &&
++ query->options & DNS_FETCHOPT_WANTNSID)
+ log_nsid(&optbuf, optlen, query,
+ ISC_LOG_DEBUG(3),
+ query->fctx->res->mctx);
+ isc_buffer_forward(&optbuf, optlen);
++ seen_nsid = ISC_TRUE;
+ break;
+ #ifdef ISC_PLATFORM_USESIT
+ case DNS_OPT_COOKIE:
++ /*
++ * Only process the first cookie option.
++ */
++ if (seen_cookie) {
++ isc_buffer_forward(&optbuf, optlen);
++ break;
++ }
+ sit = isc_buffer_current(&optbuf);
+ compute_cc(query, cookie, sizeof(cookie));
+ INSIST(query->fctx->rmessage->sitbad == 0 &&
+@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
+ isc_buffer_forward(&optbuf, optlen);
+ inc_stats(query->fctx->res,
+ dns_resstatscounter_sitin);
++ seen_cookie = ISC_TRUE;
+ break;
+ #endif
+ default:
+--
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
new file mode 100644
index 000000000..096d5d84f
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
@@ -0,0 +1,44 @@
+From 9b40619ff6fddfef2758ba797789f8487f412df3 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Mon, 16 Feb 2015 00:50:01 -0800
+Subject: [PATCH] confgen: don't build unix.o twice
+
+Fixed:
+unix/os.o: file not recognized: File truncated
+collect2: error: ld returned 1 exit status
+
+This is because os.o was built twice:
+* The implicity rule (depends on unix/os.o)
+* The "make all" in unix subdir (depends on unix/os.o)
+
+Depend on subdirs which is unix only rather than unix/os.o will fix the
+problem.
+
+Upstream-Status: Pending
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ bin/confgen/Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index 8b3e5aa..4868a24 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c
+ ddns-confgen.@O@: ddns-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
++rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
+ export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
++ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
+ export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+--
+1.7.9.5
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
new file mode 100644
index 000000000..13df3bb0e
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -0,0 +1,49 @@
+From 9473d29843579802e96b0293a3e953fed93de82c Mon Sep 17 00:00:00 2001
+From: Paul Gortmaker <paul.gortmaker@windriver.com>
+Date: Tue, 9 Jun 2015 11:22:00 -0400
+Subject: [PATCH] bind: ensure searching for json headers searches sysroot
+
+Bind can fail configure by detecting headers w/o libs[1], or
+it can fail the host contamination check as per below:
+
+ERROR: This autoconf log indicates errors, it looked at host include and/or library paths while determining system capabilities.
+Rerun configure task after fixing this. The path was 'build/tmp/work/core2-64-poky-linux/bind/9.10.2-r1/build'
+ERROR: Function failed: do_qa_configure
+ERROR: Logfile of failure stored in: build/tmp/work/core2-64-poky-linux/bind/9.10.2-r1/temp/log.do_configure.5242
+ERROR: Task 5 (meta/recipes-connectivity/bind/bind_9.10.2.bb, do_configure) failed with exit code '1'
+NOTE: Tasks Summary: Attempted 773 tasks of which 768 didn't need to be rerun and 1 failed.
+No currently running tasks (773 of 781)
+
+Summary: 1 task failed:
+ /meta/recipes-connectivity/bind/bind_9.10.2.bb, do_configure
+
+One way to fix it would be to unconditionally disable json in bind
+configure[2] but here we fix it by using the path to where we would
+put the header if we had json in the sysroot, in case someone wants
+to make use of the combination some day.
+
+[1] https://trac.macports.org/ticket/45305
+[2] https://trac.macports.org/changeset/126406
+
+Upstream-Status: Inappropriate [OE Specific]
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+---
+ configure.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.in b/configure.in
+index c9ef3a601343..17a1f613e9ac 100644
+--- a/configure.in
++++ b/configure.in
+@@ -2139,7 +2139,7 @@ case "$use_libjson" in
+ libjson_libs=""
+ ;;
+ auto|yes)
+- for d in /usr /usr/local /opt/local
++ for d in "${STAGING_INCDIR}"
+ do
+ if test -f "${d}/include/json/json.h"
+ then
+--
+2.4.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind9 b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind9
new file mode 100644
index 000000000..968679ff7
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/bind9
@@ -0,0 +1,2 @@
+# startup options for the server
+OPTIONS="-u bind"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch
new file mode 100644
index 000000000..aad345f9f
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/conf.patch
@@ -0,0 +1,330 @@
+Upstream-Status: Inappropriate [configuration]
+
+the patch is imported from openembedded project
+
+11/30/2010 - Qing He <qing.he@intel.com>
+
+diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
+--- bind-9.3.1.orig/conf/db.0 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.0 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,12 @@
++;
++; BIND reverse data file for broadcast zone
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
+diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
+--- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.127 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,13 @@
++;
++; BIND reverse data file for local loopback interface
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
++1.0.0 IN PTR localhost.
+diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty
+--- bind-9.3.1.orig/conf/db.empty 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.empty 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,14 @@
++; BIND reverse data file for empty rfc1918 zone
++;
++; DO NOT EDIT THIS FILE - it is used for multiple zones.
++; Instead, copy it, edit named.conf, and use that copy.
++;
++$TTL 86400
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 86400 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
+diff -urN bind-9.3.1.orig/conf/db.255 bind-9.3.1/conf/db.255
+--- bind-9.3.1.orig/conf/db.255 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.255 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,12 @@
++;
++; BIND reserve data file for broadcast zone
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
+diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
+--- bind-9.3.1.orig/conf/db.local 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.local 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,13 @@
++;
++; BIND data file for local loopback interface
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
++@ IN A 127.0.0.1
+diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
+--- bind-9.3.1.orig/conf/db.root 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.root 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,45 @@
++
++; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net.
++;; global options: printcmd
++;; Got answer:
++;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18944
++;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
++
++;; QUESTION SECTION:
++;. IN NS
++
++;; ANSWER SECTION:
++. 518400 IN NS A.ROOT-SERVERS.NET.
++. 518400 IN NS B.ROOT-SERVERS.NET.
++. 518400 IN NS C.ROOT-SERVERS.NET.
++. 518400 IN NS D.ROOT-SERVERS.NET.
++. 518400 IN NS E.ROOT-SERVERS.NET.
++. 518400 IN NS F.ROOT-SERVERS.NET.
++. 518400 IN NS G.ROOT-SERVERS.NET.
++. 518400 IN NS H.ROOT-SERVERS.NET.
++. 518400 IN NS I.ROOT-SERVERS.NET.
++. 518400 IN NS J.ROOT-SERVERS.NET.
++. 518400 IN NS K.ROOT-SERVERS.NET.
++. 518400 IN NS L.ROOT-SERVERS.NET.
++. 518400 IN NS M.ROOT-SERVERS.NET.
++
++;; ADDITIONAL SECTION:
++A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
++B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
++C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
++D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
++E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
++F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
++G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
++H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
++I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
++J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
++K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
++L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12
++M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
++
++;; Query time: 81 msec
++;; SERVER: 198.41.0.4#53(a.root-servers.net.)
++;; WHEN: Sun Feb 1 11:27:14 2004
++;; MSG SIZE rcvd: 436
++
+diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
+--- bind-9.3.1.orig/conf/named.conf 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/named.conf 2005-07-10 22:33:46.000000000 +0200
+@@ -0,0 +1,49 @@
++// This is the primary configuration file for the BIND DNS server named.
++//
++// If you are just adding zones, please do that in /etc/bind/named.conf.local
++
++include "/etc/bind/named.conf.options";
++
++// prime the server with knowledge of the root servers
++zone "." {
++ type hint;
++ file "/etc/bind/db.root";
++};
++
++// be authoritative for the localhost forward and reverse zones, and for
++// broadcast zones as per RFC 1912
++
++zone "localhost" {
++ type master;
++ file "/etc/bind/db.local";
++};
++
++zone "127.in-addr.arpa" {
++ type master;
++ file "/etc/bind/db.127";
++};
++
++zone "0.in-addr.arpa" {
++ type master;
++ file "/etc/bind/db.0";
++};
++
++zone "255.in-addr.arpa" {
++ type master;
++ file "/etc/bind/db.255";
++};
++
++// zone "com" { type delegation-only; };
++// zone "net" { type delegation-only; };
++
++// From the release notes:
++// Because many of our users are uncomfortable receiving undelegated answers
++// from root or top level domains, other than a few for whom that behaviour
++// has been trusted and expected for quite some length of time, we have now
++// introduced the "root-delegations-only" feature which applies delegation-only
++// logic to all top level domains, and to the root domain. An exception list
++// should be specified, including "MUSEUM" and "DE", and any other top level
++// domains from whom undelegated responses are expected and trusted.
++// root-delegation-only exclude { "DE"; "MUSEUM"; };
++
++include "/etc/bind/named.conf.local";
+diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
+--- bind-9.3.1.orig/conf/named.conf.local 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/named.conf.local 2005-07-10 22:14:06.000000000 +0200
+@@ -0,0 +1,8 @@
++//
++// Do any local configuration here
++//
++
++// Consider adding the 1918 zones here, if they are not used in your
++// organization
++//include "/etc/bind/zones.rfc1918";
++
+diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options
+--- bind-9.3.1.orig/conf/named.conf.options 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/named.conf.options 2005-07-10 22:14:06.000000000 +0200
+@@ -0,0 +1,24 @@
++options {
++ directory "/var/cache/bind";
++
++ // If there is a firewall between you and nameservers you want
++ // to talk to, you might need to uncomment the query-source
++ // directive below. Previous versions of BIND always asked
++ // questions using port 53, but BIND 8.1 and later use an unprivileged
++ // port by default.
++
++ // query-source address * port 53;
++
++ // If your ISP provided one or more IP addresses for stable
++ // nameservers, you probably want to use them as forwarders.
++ // Uncomment the following block, and insert the addresses replacing
++ // the all-0's placeholder.
++
++ // forwarders {
++ // 0.0.0.0;
++ // };
++
++ auth-nxdomain no; # conform to RFC1035
++
++};
++
+diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
+--- bind-9.3.1.orig/conf/zones.rfc1918 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/zones.rfc1918 2005-07-10 22:14:10.000000000 +0200
+@@ -0,0 +1,20 @@
++zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++
++zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++
++zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
+--- bind-9.3.1.orig/init.d 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/init.d 2005-07-10 23:09:58.000000000 +0200
+@@ -0,0 +1,70 @@
++#!/bin/sh
++
++PATH=/sbin:/bin:/usr/sbin:/usr/bin
++
++# for a chrooted server: "-u bind -t /var/lib/named"
++# Don't modify this line, change or create /etc/default/bind9.
++OPTIONS=""
++
++test -f /etc/default/bind9 && . /etc/default/bind9
++
++test -x /usr/sbin/rndc || exit 0
++
++case "$1" in
++ start)
++ echo -n "Starting domain name service: named"
++
++ modprobe capability >/dev/null 2>&1 || true
++ if [ ! -f /etc/bind/rndc.key ]; then
++ /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
++ chmod 0640 /etc/bind/rndc.key
++ fi
++ if [ -f /var/run/named/named.pid ]; then
++ ps `cat /var/run/named/named.pid` > /dev/null && exit 1
++ fi
++
++ # dirs under /var/run can go away on reboots.
++ mkdir -p /var/run/named
++ mkdir -p /var/cache/bind
++ chmod 775 /var/run/named
++ chown root:bind /var/run/named >/dev/null 2>&1 || true
++
++ if [ ! -x /usr/sbin/named ]; then
++ echo "named binary missing - not starting"
++ exit 1
++ fi
++ if start-stop-daemon --start --quiet --exec /usr/sbin/named \
++ --pidfile /var/run/named/named.pid -- $OPTIONS; then
++ if [ -x /sbin/resolvconf ] ; then
++ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo
++ fi
++ fi
++ echo "."
++ ;;
++
++ stop)
++ echo -n "Stopping domain name service: named"
++ if [ -x /sbin/resolvconf ]; then
++ /sbin/resolvconf -d lo
++ fi
++ /usr/sbin/rndc stop >/dev/null 2>&1
++ echo "."
++ ;;
++
++ reload)
++ /usr/sbin/rndc reload
++ ;;
++
++ restart|force-reload)
++ $0 stop
++ sleep 2
++ $0 start
++ ;;
++
++ *)
++ echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
++ exit 1
++ ;;
++esac
++
++exit 0
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
new file mode 100644
index 000000000..6989d6d4b
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
@@ -0,0 +1,17 @@
+Upstream-Status: Pending
+
+Signed-off-by Saul Wold <sgw@linux.intel.com>
+
+Index: bind-9.9.5/bin/Makefile.in
+===================================================================
+--- bind-9.9.5.orig/bin/Makefile.in
++++ bind-9.9.5/bin/Makefile.in
+@@ -19,7 +19,7 @@ srcdir = @srcdir@
+ VPATH = @srcdir@
+ top_srcdir = @top_srcdir@
+
+-SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \
++SUBDIRS = named rndc dig delv dnssec tools nsupdate \
+ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
+ TARGETS =
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
new file mode 100644
index 000000000..db201270f
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ ! -s /etc/bind/rndc.key ]; then
+ echo -n "Generating /etc/bind/rndc.key:"
+ /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+ chmod 0640 /etc/bind/rndc.key
+fi
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
new file mode 100644
index 000000000..11db95ede
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
@@ -0,0 +1,65 @@
+Subject: init.d: add support for read-only rootfs
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ init.d | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/init.d b/init.d
+index 0111ed4..24677c8 100644
+--- a/init.d
++++ b/init.d
+@@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ # Don't modify this line, change or create /etc/default/bind9.
+ OPTIONS=""
+
++test -f /etc/default/rcS && . /etc/default/rcS
+ test -f /etc/default/bind9 && . /etc/default/bind9
+
++# This function is here because it's possible that /var and / are on different partitions.
++is_on_read_only_partition () {
++ DIRECTORY=$1
++ dir=`readlink -f $DIRECTORY`
++ while true; do
++ if [ ! -d "$dir" ]; then
++ echo "ERROR: $dir is not a directory"
++ exit 1
++ else
++ for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \
++ END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
++ [ "$flag" = "FOUND" ] && partition="read-write"
++ [ "$flag" = "ro" ] && { partition="read-only"; break; }
++ done
++ if [ "$dir" = "/" -o -n "$partition" ]; then
++ break
++ else
++ dir=`dirname $dir`
++ fi
++ fi
++ done
++ [ "$partition" = "read-only" ] && echo "yes" || echo "no"
++}
++
++bind_mount () {
++ olddir=$1
++ newdir=$2
++ mkdir -p $olddir
++ cp -a $newdir/* $olddir
++ mount --bind $olddir $newdir
++}
++
++# Deal with read-only rootfs
++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
++ [ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs"
++ [ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
++ [ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
++fi
++
+ test -x /usr/sbin/rndc || exit 0
+
+ case "$1" in
+--
+1.7.9.5
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
new file mode 100644
index 000000000..146f3e35d
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
@@ -0,0 +1,42 @@
+bind: make "/etc/init.d/bind stop" work
+
+Upstream-Status: Inappropriate [configuration]
+
+Add some configurations, make rndc command be able to controls
+the named daemon.
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ conf/named.conf | 5 +++++
+ conf/rndc.conf | 5 +++++
+ 2 files changed, 10 insertions(+), 0 deletions(-)
+ create mode 100644 conf/rndc.conf
+
+diff --git a/conf/named.conf b/conf/named.conf
+index 95829cf..c8899e7 100644
+--- a/conf/named.conf
++++ b/conf/named.conf
+@@ -47,3 +47,8 @@ zone "255.in-addr.arpa" {
+ // root-delegation-only exclude { "DE"; "MUSEUM"; };
+
+ include "/etc/bind/named.conf.local";
++include "/etc/bind/rndc.key" ;
++controls {
++ inet 127.0.0.1 allow { localhost; }
++ keys { rndc-key; };
++};
+diff --git a/conf/rndc.conf b/conf/rndc.conf
+new file mode 100644
+index 0000000..a0b481d
+--- /dev/null
++++ b/conf/rndc.conf
+@@ -0,0 +1,5 @@
++include "/etc/bind/rndc.key";
++options {
++ default-server localhost;
++ default-key rndc-key;
++};
+
+--
+1.7.5.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
new file mode 100644
index 000000000..2930796b6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
@@ -0,0 +1,104 @@
+bind: port a patch to fix a build failure
+
+mips1 does not support ll and sc instructions, and lead to below error, now
+we port a patch from debian to fix it
+[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
+
+| {standard input}: Assembler messages:
+| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
+| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
+
+Upstream-Status: Pending
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
++++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
+@@ -31,18 +31,20 @@
+ isc_atomic_xadd(isc_int32_t *p, int val) {
+ isc_int32_t orig;
+
+- /* add is a cheat, since MIPS has no mov instruction */
+- __asm__ volatile (
+- "1:"
+- "ll $3, %1\n"
+- "add %0, $0, $3\n"
+- "add $3, $3, %2\n"
+- "sc $3, %1\n"
+- "beq $3, 0, 1b"
+- : "=&r"(orig)
+- : "m"(*p), "r"(val)
+- : "memory", "$3"
+- );
++ __asm__ __volatile__ (
++ " .set push \n"
++ " .set mips2 \n"
++ " .set noreorder \n"
++ " .set noat \n"
++ "1: ll $1, %1 \n"
++ " addu %0, $1, %2 \n"
++ " sc %0, %1 \n"
++ " beqz %0, 1b \n"
++ " move %0, $1 \n"
++ " .set pop \n"
++ : "=&r" (orig), "+R" (*p)
++ : "r" (val)
++ : "memory");
+
+ return (orig);
+ }
+@@ -52,16 +54,7 @@
+ */
+ static inline void
+ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+- __asm__ volatile (
+- "1:"
+- "ll $3, %0\n"
+- "add $3, $0, %1\n"
+- "sc $3, %0\n"
+- "beq $3, 0, 1b"
+- :
+- : "m"(*p), "r"(val)
+- : "memory", "$3"
+- );
++ *p = val;
+ }
+
+ /*
+@@ -72,20 +65,23 @@
+ static inline isc_int32_t
+ isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
+ isc_int32_t orig;
++ isc_int32_t tmp;
+
+- __asm__ volatile(
+- "1:"
+- "ll $3, %1\n"
+- "add %0, $0, $3\n"
+- "bne $3, %2, 2f\n"
+- "add $3, $0, %3\n"
+- "sc $3, %1\n"
+- "beq $3, 0, 1b\n"
+- "2:"
+- : "=&r"(orig)
+- : "m"(*p), "r"(cmpval), "r"(val)
+- : "memory", "$3"
+- );
++ __asm__ __volatile__ (
++ " .set push \n"
++ " .set mips2 \n"
++ " .set noreorder \n"
++ " .set noat \n"
++ "1: ll $1, %1 \n"
++ " bne $1, %3, 2f \n"
++ " move %2, %4 \n"
++ " sc %2, %1 \n"
++ " beqz %2, 1b \n"
++ "2: move %0, $1 \n"
++ " .set pop \n"
++ : "=&r"(orig), "+R" (*p), "=r" (tmp)
++ : "r"(cmpval), "r"(val)
++ : "memory");
+
+ return (orig);
+ }
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service
new file mode 100644
index 000000000..cda56ef01
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/named.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/default/bind9
+PIDFile=/run/named/named.pid
+
+ExecStartPre=@SBINDIR@/generate-rndc-key.sh
+ExecStart=@SBINDIR@/named $OPTIONS
+
+ExecReload=@BASE_BINDIR@/sh -c '@SBINDIR@/rndc reload > /dev/null 2>&1 || @BASE_BINDIR@/kill -HUP $MAINPID'
+
+ExecStop=@BASE_BINDIR@/sh -c '@SBINDIR@/rndc stop > /dev/null 2>&1 || @BASE_BINDIR@/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
new file mode 100644
index 000000000..1e3a20f9a
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -0,0 +1,109 @@
+SUMMARY = "ISC Internet Domain Name Server"
+HOMEPAGE = "http://www.isc.org/sw/bind/"
+SECTION = "console/network"
+
+LICENSE = "ISC & BSD"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f"
+
+DEPENDS = "openssl libcap"
+
+SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
+ file://conf.patch \
+ file://make-etc-initd-bind-stop-work.patch \
+ file://mips1-not-support-opcode.diff \
+ file://dont-test-on-host.patch \
+ file://generate-rndc-key.sh \
+ file://named.service \
+ file://bind9 \
+ file://init.d-add-support-for-read-only-rootfs.patch \
+ file://bind-confgen-build-unix.o-once.patch \
+ file://0001-build-use-pkg-config-to-find-libxml2.patch \
+ file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
+ file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
+ file://0001-lib-dns-gen.c-fix-too-long-error.patch \
+ file://CVE-2016-1285.patch \
+ file://CVE-2016-1286_1.patch \
+ file://CVE-2016-1286_2.patch \
+ file://CVE-2016-2088.patch \
+ "
+
+SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
+SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83"
+
+ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
+EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \
+ --disable-devpoll --disable-epoll --with-gost=no \
+ --with-gssapi=no --with-ecdsa=yes \
+ --sysconfdir=${sysconfdir}/bind \
+ --with-openssl=${STAGING_LIBDIR}/.. \
+ "
+inherit autotools update-rc.d systemd useradd pkgconfig
+
+# PACKAGECONFIGs readline and libedit should NOT be set at same time
+PACKAGECONFIG ?= "readline"
+PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2"
+PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline"
+PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit"
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home ${localstatedir}/cache/bind --no-create-home \
+ --user-group bind"
+
+INITSCRIPT_NAME = "bind"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_SERVICE_${PN} = "named.service"
+
+PARALLEL_MAKE = ""
+
+RDEPENDS_${PN} = "python-core"
+RDEPENDS_${PN}-dev = ""
+
+PACKAGE_BEFORE_PN += "${PN}-utils"
+FILES_${PN}-utils = "${bindir}/host ${bindir}/dig"
+FILES_${PN}-dev += "${bindir}/isc-config.h"
+FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
+
+do_install_prepend() {
+ # clean host path in isc-config.sh before the hardlink created
+ # by "make install":
+ # bind9-config -> isc-config.sh
+ sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${B}/isc-config.sh
+}
+
+do_install_append() {
+ rm "${D}${bindir}/nslookup"
+ rm "${D}${mandir}/man1/nslookup.1"
+ rmdir "${D}${localstatedir}/run"
+ rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
+ install -d -o bind "${D}${localstatedir}/cache/bind"
+ install -d "${D}${sysconfdir}/bind"
+ install -d "${D}${sysconfdir}/init.d"
+ install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
+ install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
+ sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds
+
+ # Install systemd related files
+ install -d ${D}${sbindir}
+ install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+ -e 's,@SBINDIR@,${sbindir},g' \
+ ${D}${systemd_unitdir}/system/named.service
+
+ install -d ${D}${sysconfdir}/default
+ install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
+}
+
+CONFFILES_${PN} = " \
+ ${sysconfdir}/bind/named.conf \
+ ${sysconfdir}/bind/named.conf.local \
+ ${sysconfdir}/bind/named.conf.options \
+ ${sysconfdir}/bind/db.0 \
+ ${sysconfdir}/bind/db.127 \
+ ${sysconfdir}/bind/db.empty \
+ ${sysconfdir}/bind/db.local \
+ ${sysconfdir}/bind/db.root \
+ "
+
OpenPOWER on IntegriCloud