--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/012-RT43548.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,45 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43548. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Wed Jan 11 23:22:41 2017
++++ new/./CHANGES Wed Jan 11 23:22:41 2017
+@@ -1,5 +1,10 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4510. [security] Named mishandled some responses where covering RRSIG
++ records are returned without the requested data
++ resulting in a assertion failure. (CVE-2016-9147)
++ [RT #43548]
++
+ 4508. [security] Named incorrectly tried to cache TKEY records which
+ could trigger a assertion failure when there was
+ a class mismatch. (CVE-2016-9131) [RT #43522]
+--- old/lib/dns/resolver.c Wed Jan 11 23:22:41 2017
++++ new/lib/dns/resolver.c Wed Jan 11 23:22:41 2017
+@@ -5958,15 +5958,19 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if ((rdataset->type !=
+- dns_rdatatype_cname) ||
+- !found_dname ||
+- (aflag ==
+- DNS_RDATASETATTR_ANSWER))
++ /*
++ * Don't use found_cname here
++ * as we have just set it
++ * above.
++ */
++ if (cname == NULL &&
++ !found_dname &&
++ aflag ==
++ DNS_RDATASETATTR_ANSWER)
+ {
+ have_answer = ISC_TRUE;
+- if (rdataset->type ==
+- dns_rdatatype_cname)
++ if (found_cname &&
++ cname == NULL)
+ cname = name;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;