--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/bind/patches/014-RT43779.patch	Mon Jan 23 11:25:04 2017 -0800
@@ -0,0 +1,151 @@
+This patch was derived from a source code patch provided by ISC to
+resolve ISC ticket RT #43779. [9.6-ESV-R11-S10]
+
+--- old/./CHANGES	Thu Jan 12 00:28:22 2017
++++ new/./CHANGES	Thu Jan 12 00:28:22 2017
+@@ -1,5 +1,9 @@
+ 	--- 9.6-ESV-R11-S10 released ---
+ 
++4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
++			in responses resulting in SERVFAIL being returned.
++			[RT #43779]
++
+ 4517.	[security]	Named could mishandle authority sections that were
+ 			missing RRSIGs triggering an assertion failure.
+ 			(CVE-2016-9444) [RT #43632]
+--- old/bin/tests/system/dname/ns2/example.db	Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/ns2/example.db	Thu Jan 12 00:28:22 2017
+@@ -29,4 +29,6 @@
+ short-dname		DNAME	short
+ a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
+ long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
+-;
++cname			CNAME	a.cnamedname
++cnamedname		DNAME	target
++a.target		A	10.0.0.3
+--- old/bin/tests/system/dname/tests.sh	Thu Jan 12 00:28:22 2017
++++ new/bin/tests/system/dname/tests.sh	Thu Jan 12 00:28:22 2017
+@@ -63,6 +63,24 @@
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ 
++echo "I:checking cname to dname from authoritative"
++ret=0
++$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
++grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
++echo "I:checking cname to dname from recursive"
++ret=0
++$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
++grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
++grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
++grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
++if [ $ret != 0 ]; then echo "I:failed"; fi
++status=`expr $status + $ret`
++
+ echo "I:exit status: $status"
+ 
+ exit $status
+--- old/lib/dns/resolver.c	Thu Jan 12 00:28:23 2017
++++ new/lib/dns/resolver.c	Thu Jan 12 00:28:23 2017
+@@ -5776,7 +5776,7 @@
+ answer_response(fetchctx_t *fctx) {
+ 	isc_result_t result;
+ 	dns_message_t *message;
+-	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+ 	dns_name_t *cname = NULL;
+ 	dns_rdataset_t *rdataset, *ns_rdataset;
+ 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
+@@ -5784,7 +5784,7 @@
+ 	isc_boolean_t wanted_chaining;
+ 	unsigned int aflag;
+ 	dns_rdatatype_t type;
+-	dns_fixedname_t fdname, fqname, fqdname;
++	dns_fixedname_t fdname, fqname;
+ 
+ 	FCTXTRACE("answer_response");
+ 
+@@ -5807,12 +5807,11 @@
+ 		aa = ISC_TRUE;
+ 	else
+ 		aa = ISC_FALSE;
+-	dqname = qname = &fctx->name;
++	qname = &fctx->name;
+ 	type = fctx->type;
+-	dns_fixedname_init(&fqdname);
+ 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ 	while (!done && result == ISC_R_SUCCESS) {
+-		dns_namereln_t namereln, dnamereln;
++		dns_namereln_t namereln;
+ 
+ 		int order;
+ 		unsigned int nlabels;
+@@ -5821,8 +5820,6 @@
+ 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+-		dnamereln = dns_name_fullcompare(dqname, name, &order,
+-						     &nlabels);
+ 		if (namereln == dns_namereln_equal) {
+ 			wanted_chaining = ISC_FALSE;
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6074,11 +6071,24 @@
+ 					return (DNS_R_FORMERR);
+ 				}
+ 
+-				if (dnamereln != dns_namereln_subdomain) {
++				/*
++				 * If DNAME + synthetic CNAME then the
++				 * namereln is dns_namereln_subdomain.
++				 *
++				 * If synthetic CNAME + DNAME then the
++				 * namereln is dns_namereln_commonancestor
++				 * and the number of label must match the
++				 * DNAME.  This order is not RFC compliant.
++				 */
++
++				if (namereln != dns_namereln_subdomain &&
++				    (namereln != dns_namereln_commonancestor ||
++				     nlabels != dns_name_countlabels(name)))
++				{
+ 					char qbuf[DNS_NAME_FORMATSIZE];
+ 					char obuf[DNS_NAME_FORMATSIZE];
+ 
+-					dns_name_format(dqname, qbuf,
++					dns_name_format(qname, qbuf,
+ 							sizeof(qbuf));
+ 					dns_name_format(name, obuf,
+ 							sizeof(obuf));
+@@ -6097,7 +6107,7 @@
+ 					want_chaining = ISC_TRUE;
+ 					POST(want_chaining);
+ 					aflag = DNS_RDATASETATTR_ANSWER;
+-					result = dname_target(rdataset, dqname,
++					result = dname_target(rdataset, qname,
+ 							      nlabels, &fdname);
+ 					if (result == ISC_R_NOSPACE) {
+ 						/*
+@@ -6113,8 +6123,6 @@
+ 						dnameset = rdataset;
+ 
+ 					dname = dns_fixedname_name(&fdname);
+-					dqname = dns_fixedname_name(&fqdname);
+-					dns_name_copy(dname, dqname, NULL);
+ 				} else {
+ 					/*
+ 					 * We've found a signature that
+@@ -6261,7 +6269,8 @@
+ 						rdataset->trust =
+ 						    dns_trust_additional;
+ 
+-					if (rdataset->type == dns_rdatatype_ns) {
++					if (rdataset->type == dns_rdatatype_ns)
++					{
+ 						ns_name = name;
+ 						ns_rdataset = rdataset;
+ 					}