--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/011-RT43522.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,66 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43522. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 23:20:20 2017
++++ new/./CHANGES Wed Jan 11 23:20:20 2017
+@@ -1,3 +1,9 @@
++ --- 9.6-ESV-R11-S10 released ---
++
++4508. [security] Named incorrectly tried to cache TKEY records which
++ could trigger a assertion failure when there was
++ a class mismatch. (CVE-2016-9131) [RT #43522]
++
+ --- 9.6-ESV-R11-S9 released ---
+
+ 4489. [security] It was possible to trigger assertions when processing
+--- old/lib/dns/resolver.c Wed Jan 11 23:20:20 2017
++++ new/lib/dns/resolver.c Wed Jan 11 23:20:20 2017
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+@@ -5848,6 +5848,25 @@
+ ISC_LOG_NOTICE, "NSEC3 in answer");
+ return (DNS_R_FORMERR);
+ }
++ if (rdataset->type == dns_rdatatype_tkey) {
++ /*
++ * TKEY is not a valid record in a
++ * response to any query we can make.
++ */
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "TKEY in answer");
++ return (DNS_R_FORMERR);
++ }
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
+ if (rdataset->type == type && !found_cname) {
+ /*
+ * We've found an ordinary answer.
+@@ -6017,6 +6036,15 @@
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ isc_log_write(dns_lctx,
++ DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER,
++ ISC_LOG_NOTICE, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
++
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
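Review bot: The two class-mismatch checks added to lib/dns/resolver.c (the hunk at -5848 and the one at -6017) log the identical text "Mismatched class in answer" with no detail, so an operator triaging a CVE-2016-9131 rejection cannot tell which code path dropped the response or which class the upstream server sent. Because the trigger is the content of a remote response, the log line should carry that evidence, e.g. `ISC_LOG_NOTICE, "Mismatched class in answer (got %u, expected %u)", (unsigned int)rdataset->rdclass, (unsigned int)fctx->res->rdclass);`, and the copy in the DNAME loop should use a distinct message. Unlike the TKEY block, the class checks have no explanatory comment; something like `/* Reject rdatasets whose class differs from the resolver's; a mismatch could trigger an assertion (CVE-2016-9131). */` would record why the response is refused. Whether NOTICE-level messages on this path are rate-limited is not visible in these hunks, and the enclosing function begins and ends outside them.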