This patch was derived from ISC source differences between bind-9.9.8
and bind-9.9.8-P1.

diff -u -r bind-9.6-ESV-R11/CHANGES security_fix/CHANGES
--- bind-9.6-ESV-R11/CHANGES	2015-11-25 10:51:09.302761399 +0000
+++ security_fix/CHANGES	2015-11-25 11:09:12.099398001 +0000
@@ -1,3 +1,10 @@
+	--- 9.6-ESV-R11-P4 released ---
+
+4260.	[security]	Insufficient testing when parsing a message allowed
+			records with an incorrect class to be be accepted,
+			triggering a REQUIRE failure when those records
+			were subsequently cached. (CVE-2015-8000) [RT #40987]
+
 	--- 9.6-ESV-R11-P3 released ---
 
 4168.	[security]	A buffer accounting error could trigger an
diff -u -r bind-9.6-ESV-R11/lib/dns/include/dns/message.h security_fix/lib/dns/include/dns/message.h
--- bind-9.6-ESV-R11/lib/dns/include/dns/message.h	2014-01-27 19:00:45.000000000 +0000
+++ security_fix/lib/dns/include/dns/message.h	2015-11-25 10:36:05.092923013 +0000
@@ -15,8 +15,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
 
@@ -207,6 +205,8 @@
 	unsigned int			verify_attempted : 1;
 	unsigned int			free_query : 1;
 	unsigned int			free_saved : 1;
+	unsigned int			tkey : 1;
+	unsigned int			rdclass_set : 1;
 
 	unsigned int			opt_reserved;
 	unsigned int			sig_reserved;
@@ -1363,6 +1363,15 @@
  * \li	 other.
  */
 
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li   msg be a valid message with parsing intent.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MESSAGE_H */
diff -u -r bind-9.6-ESV-R11/lib/dns/message.c security_fix/lib/dns/message.c
--- bind-9.6-ESV-R11/lib/dns/message.c	2014-01-27 19:00:45.000000000 +0000
+++ security_fix/lib/dns/message.c	2015-11-25 10:36:05.089305076 +0000
@@ -436,6 +436,8 @@
 	m->saved.base = NULL;
 	m->saved.length = 0;
 	m->free_saved = 0;
+	m->tkey = 0;
+	m->rdclass_set = 0;
 	m->querytsig = NULL;
 }
 
@@ -1084,13 +1086,19 @@
 		 * If this class is different than the one we already read,
 		 * this is an error.
 		 */
-		if (msg->state == DNS_SECTION_ANY) {
-			msg->state = DNS_SECTION_QUESTION;
+		if (msg->rdclass_set == 0) {
 			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
 		} else if (msg->rdclass != rdclass)
 			DO_FORMERR;
 
 		/*
+		 * Is this a TKEY query?
+		 */
+		if (rdtype == dns_rdatatype_tkey)
+			msg->tkey = 1;
+
+		/*
 		 * Can't ask the same question twice.
 		 */
 		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1234,12 +1242,12 @@
 		 * If there was no question section, we may not yet have
 		 * established a class.  Do so now.
 		 */
-		if (msg->state == DNS_SECTION_ANY &&
+		if (msg->rdclass_set == 0 &&
 		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
 		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
 		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
 			msg->rdclass = rdclass;
-			msg->state = DNS_SECTION_QUESTION;
+			msg->rdclass_set = 1;
 		}
 
 		/*
@@ -1249,7 +1257,7 @@
 		if (msg->opcode != dns_opcode_update
 		    && rdtype != dns_rdatatype_tsig
 		    && rdtype != dns_rdatatype_opt
-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+		    && rdtype != dns_rdatatype_key /* in a TKEY query */
 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
 		    && msg->rdclass != dns_rdataclass_any
@@ -1257,6 +1265,16 @@
 			DO_FORMERR;
 
 		/*
+		 * If this is not a TKEY query/response then the KEY
+		 * record's class needs to match.
+		 */
+		if (msg->opcode != dns_opcode_update && !msg->tkey &&
+		    rdtype == dns_rdatatype_key &&
+		    msg->rdclass != dns_rdataclass_any &&
+		    msg->rdclass != rdclass)
+			DO_FORMERR;
+
+		/*
 		 * Special type handling for TSIG, OPT, and TKEY.
 		 */
 		if (rdtype == dns_rdatatype_tsig) {
@@ -1370,6 +1388,10 @@
 				skip_name_search = ISC_TRUE;
 				skip_type_search = ISC_TRUE;
 				issigzero = ISC_TRUE;
+			} else {
+				if (msg->rdclass != dns_rdataclass_any &&
+				    msg->rdclass != rdclass)
+					DO_FORMERR;
 			}
 		} else
 			covers = 0;
@@ -1608,6 +1630,7 @@
 	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
 
 	msg->header_ok = 1;
+	msg->state = DNS_SECTION_QUESTION;
 
 	/*
 	 * -1 means no EDNS.
@@ -3491,3 +3514,15 @@
 		dns_message_puttemprdatalist(message, &rdatalist);
 	return (result);
 }
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+	REQUIRE(msg->rdclass_set == 0);
+
+	msg->rdclass = rdclass;
+	msg->rdclass_set = 1;
+}
diff -u -r bind-9.6-ESV-R11/lib/dns/resolver.c security_fix/lib/dns/resolver.c
--- bind-9.6-ESV-R11/lib/dns/resolver.c	2015-11-25 10:51:09.306905077 +0000
+++ security_fix/lib/dns/resolver.c	2015-11-25 10:48:57.126663153 +0000
@@ -6614,6 +6614,8 @@
 			goto done;
 	}
 
+	dns_message_setclass(message, fctx->res->rdclass);
+
 	result = dns_message_parse(message, &devent->buffer, 0);
 	if (result != ISC_R_SUCCESS) {
 		switch (result) {
@@ -6686,6 +6690,12 @@
 	 */
 	log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
 
+	if (message->rdclass != fctx->res->rdclass) {
+		resend = ISC_TRUE;
+		FCTXTRACE("bad class");
+		goto done;
+	}
+
 	/*
 	 * Process receive opt record.
 	 */
diff -u -r bind-9.6-ESV-R11/lib/dns/xfrin.c security_fix/lib/dns/xfrin.c
--- bind-9.6-ESV-R11/lib/dns/xfrin.c	2014-01-27 19:00:45.000000000 +0000
+++ security_fix/lib/dns/xfrin.c	2015-11-25 10:36:05.092532938 +0000
@@ -1205,6 +1205,8 @@
 	msg->tsigctx = xfr->tsigctx;
 	xfr->tsigctx = NULL;
 
+	dns_message_setclass(msg, xfr->rdclass);
+
 	if (xfr->nmsg > 0)
 		msg->tcp_continuation = 1;
 
--- bind-9.6-ESV-R11/version	2015-08-24 00:18:24.000000000 +0000
+++ security_fix/version	2015-11-25 10:36:05.092532938 +0000
@@ -10,4 +10,4 @@
 PATCHVER=
 RELEASETYPE=-ESV
 RELEASEVER=-R11
-EXTENSIONS=-P3
+EXTENSIONS=-P4