components/bind/patches/012-RT43548.patch
branchs11u3-sru
changeset 7592 12dea84f307b
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/012-RT43548.patch	Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,45 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43548. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES	Wed Jan 11 23:22:41 2017
++++ new/./CHANGES	Wed Jan 11 23:22:41 2017
+@@ -1,5 +1,10 @@
+ 	--- 9.6-ESV-R11-S10 released ---
+ 
++4510.	[security]	Named mishandled some responses where covering RRSIG
++			records are returned without the requested data
++			resulting in a assertion failure. (CVE-2016-9147)
++			[RT #43548]
++
+ 4508.	[security]	Named incorrectly tried to cache TKEY records which
+ 			could trigger a assertion failure when there was
+ 			a class mismatch. (CVE-2016-9131) [RT #43522]
+--- old/lib/dns/resolver.c	Wed Jan 11 23:22:41 2017
++++ new/lib/dns/resolver.c	Wed Jan 11 23:22:41 2017
+@@ -5958,15 +5958,19 @@
+ 						 * a CNAME or DNAME).
+ 						 */
+ 						INSIST(!external);
+-						if ((rdataset->type !=
+-						     dns_rdatatype_cname) ||
+-						    !found_dname ||
+-						    (aflag ==
+-						     DNS_RDATASETATTR_ANSWER))
++						/*
++						 * Don't use found_cname here
++						 * as we have just set it
++						 * above.
++						 */
++						if (cname == NULL &&
++						    !found_dname &&
++						    aflag ==
++						     DNS_RDATASETATTR_ANSWER)
+ 						{
+ 							have_answer = ISC_TRUE;
+-							if (rdataset->type ==
+-							    dns_rdatatype_cname)
++							if (found_cname &&
++							    cname == NULL)
+ 								cname = name;
+ 							name->attributes |=
+ 							    DNS_NAMEATTR_ANSWER;
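Review bot: The inner test in `if (found_cname && cname == NULL)` repeats a condition the new outer `if` already requires, and only `have_answer = ISC_TRUE;` runs between the two, so `if (found_cname)` would behave the same. Keeping the line byte-identical to ISC's patch is a reasonable reason to leave it alone. The new comment explains only why `found_cname` is not used in the outer test; it does not say why `have_answer` is now set only when `aflag == DNS_RDATASETATTR_ANSWER`, which appears to be the actual fix for the RRSIG-without-data case described in the CHANGES entry. I would also add `Fixes CVE-2016-9147.` to the patch header, so the CVE is traceable without reading the CHANGES hunk. The enclosing block in resolver.c starts and ends outside the hunk, so this is judged from the visible lines only.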