--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/014-RT43779.patch Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,151 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43779. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES Thu Jan 12 00:28:22 2017
++++ new/./CHANGES Thu Jan 12 00:28:22 2017
+@@ -1,5 +1,9 @@
+ --- 9.6-ESV-R11-S10 released ---
+
++4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
++ in responses resulting in SERVFAIL being returned.
++ [RT #43779]
++
+ 4517. [security] Named could mishandle authority sections that were
+ missing RRSIGs triggering an assertion failure.
+ (CVE-2016-9444) [RT #43632]
+--- old/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017
+@@ -29,4 +29,6 @@
+ short-dname DNAME short
+ a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
+ long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
+-;
++cname CNAME a.cnamedname
++cnamedname DNAME target
++a.target A 10.0.0.3
+--- old/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017
+@@ -63,6 +63,24 @@
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
++echo "I:checking cname to dname from authoritative"
++ret=0
++$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
++grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:checking cname to dname from recursive"
++ret=0
++$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
++grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
++grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+
+ exit $status
+--- old/lib/dns/resolver.c Thu Jan 12 00:28:23 2017
++++ new/lib/dns/resolver.c Thu Jan 12 00:28:23 2017
+@@ -5776,7 +5776,7 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+@@ -5784,7 +5784,7 @@
+ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname, fqdname;
++ dns_fixedname_t fdname, fqname;
+
+ FCTXTRACE("answer_response");
+
+@@ -5807,12 +5807,11 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- dqname = qname = &fctx->name;
++ qname = &fctx->name;
+ type = fctx->type;
+- dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln, dnamereln;
++ dns_namereln_t namereln;
+
+ int order;
+ unsigned int nlabels;
+@@ -5821,8 +5820,6 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+- dnamereln = dns_name_fullcompare(dqname, name, &order,
+- &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6074,11 +6071,24 @@
+ return (DNS_R_FORMERR);
+ }
+
+- if (dnamereln != dns_namereln_subdomain) {
++ /*
++ * If DNAME + synthetic CNAME then the
++ * namereln is dns_namereln_subdomain.
++ *
++ * If synthetic CNAME + DNAME then the
++ * namereln is dns_namereln_commonancestor
++ * and the number of label must match the
++ * DNAME. This order is not RFC compliant.
++ */
++
++ if (namereln != dns_namereln_subdomain &&
++ (namereln != dns_namereln_commonancestor ||
++ nlabels != dns_name_countlabels(name)))
++ {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(dqname, qbuf,
++ dns_name_format(qname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -6097,7 +6107,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, dqname,
++ result = dname_target(rdataset, qname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -6113,8 +6123,6 @@
+ dnameset = rdataset;
+
+ dname = dns_fixedname_name(&fdname);
+- dqname = dns_fixedname_name(&fqdname);
+- dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -6261,7 +6269,8 @@
+ rdataset->trust =
+ dns_trust_additional;
+
+- if (rdataset->type == dns_rdatatype_ns) {
++ if (rdataset->type == dns_rdatatype_ns)
++ {
+ ns_name = name;
+ ns_rdataset = rdataset;
+ }