* [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
@ 2016-12-03 20:56 Thomas Deutschmann
From: Thomas Deutschmann @ 2016-12-03 20:56 UTC (permalink / raw
  To: gentoo-commits

commit:     f19fd949c1e9d06252fdb59c0f1fb0142cb7d9c8
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Fri Dec  2 18:53:41 2016 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Sat Dec  3 20:56:22 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f19fd949

net-dns/djbdns: Sec rev bump to v1.05-r32 (bug #404959)

CVE-2012-1191

Closes: https://github.com/gentoo/gentoo/pull/2988

Package-Manager: portage-2.3.2

 net-dns/djbdns/djbdns-1.05-r32.ebuild              | 155 +++++++++++++++++++++
 .../CVE2012-1191_0001-ghost-domain-attack.patch    |  22 +++
 2 files changed, 177 insertions(+)

diff --git a/net-dns/djbdns/djbdns-1.05-r32.ebuild b/net-dns/djbdns/djbdns-1.05-r32.ebuild
new file mode 100644
index 00000000..8dcc0f3
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r32.ebuild
@@ -0,0 +1,155 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs user
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="http://cr.yp.to/djbdns.html"
+IPV6_PATCH="test27"
+
+SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz
+	http://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+	ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.bz2 )"
+
+SLOT="0"
+LICENSE="public-domain"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+DEPEND=""
+RDEPEND="sys-apps/ucspi-tcp
+	virtual/daemontools
+	selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack(){
+	# Unpack both djbdns and its man pages to separate directories.
+	default
+
+	# Now move the man pages under ${S} so that user patches can be
+	# applied to them as well in src_prepare().
+	mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+src_prepare() {
+	eapply \
+		"${FILESDIR}/headtail-r1.patch" \
+		"${FILESDIR}/dnsroots.patch" \
+		"${FILESDIR}/dnstracesort.patch" \
+		"${FILESDIR}/string_length_255.patch" \
+		"${FILESDIR}/srv_record_support.patch" \
+		"${FILESDIR}/increase-cname-recustion-depth.patch"
+
+	# Fix CVE2009-0858
+	eapply "${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+
+	# Fix CVE2012-1191
+	eapply "${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+
+	if use ipv6; then
+		elog 'At present dnstrace does NOT support IPv6. It will'\
+			 'be compiled without IPv6 support.'
+
+		# Create a separate copy of the source tree for dnstrace.
+		cp -pR "${S}" "${S}-noipv6" || die
+
+		# The big ipv6 patch.
+		eapply "${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+
+		# Fix CVE2008-4392 (ipv6)
+		eapply \
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test25-r1.patch" \
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6.patch" \
+			"${FILESDIR}/makefile-parallel-test25.patch"
+
+		cd "${S}-noipv6" || die
+	fi
+
+	# Fix CVE2008-4392 (no ipv6)
+	eapply \
+		"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch" \
+		"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+
+	# Later versions of the ipv6 patch include this, but even if
+	# USE=ipv6, we're in the ${S}-noipv6 directory at this point.
+	eapply "${FILESDIR}/${PV}-errno-r1.patch"
+
+	eapply_user
+}
+
+src_compile() {
+	echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+	echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+	echo "/usr" > conf-home || die
+	emake
+
+	# If djbdns is compiled with IPv6 support, it breaks dnstrace.
+	# Therefore we must compile dnstrace separately without IPv6
+	# support.
+	if use ipv6; then
+		elog 'Compiling dnstrace without ipv6 support'
+		cp conf-cc conf-ld conf-home "${S}-noipv6/" || die
+		cd "${S}-noipv6" || die
+		emake dnstrace
+	fi
+}
+
+src_install() {
+	insinto /etc
+	doins dnsroots.global
+
+	into /usr
+	dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+		*-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+		dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+	if use ipv6; then
+		dobin dnsip6 dnsip6q "${S}-noipv6/dnstrace"
+	fi
+
+	dodoc CHANGES README
+
+	doman man/*.[158]
+
+	readme.gentoo_create_doc
+}
+
+pkg_preinst() {
+	# The nofiles group is no longer provided by baselayout.
+	# Share it with qmail if possible.
+	enewgroup nofiles 200
+
+	enewuser dnscache -1 -1 -1 nofiles
+	enewuser dnslog -1 -1 -1 nofiles
+	enewuser tinydns -1 -1 -1 nofiles
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+	http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+	axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+	dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+	tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+	1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+	2. dnscache-conf dnscache dnslog /var/dnscache $ip
+	3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+	4. rbldns-conf $username dnslog /var/rbldns $ip $base
+	5. walldns-conf $username dnslog /var/walldns $ip
+'
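Review bot: With USE=ipv6, `eapply_user` on the last line of src_prepare runs inside `${S}-noipv6`, because the `cd "${S}-noipv6" || die` in the ipv6 branch is never undone, so user patches never reach the `${S}` tree that builds everything except dnstrace — at odds with the src_unpack comment about moving the man pages under `${S}` so that user patches cover them. Adding `cd "${S}" || die` immediately before `eapply_user` (or applying user patches in both trees) would restore that; the CVE2008-4392 no-ipv6 and errno patches above it are, per the existing comment, intended for the noipv6 copy and can stay where they are. Without USE=ipv6 there is no `cd`, so the non-ipv6 path is unaffected. Minor: `src_unpack(){` lacks the space before the brace that the other phase functions use.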

diff --git a/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch b/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch
new file mode 100644
index 00000000..8d9b194
--- /dev/null
+++ b/net-dns/djbdns/files/CVE2012-1191_0001-ghost-domain-attack.patch
@@ -0,0 +1,22 @@
+Fix ghost domain attack vulnerability (CVE-2012-1191)
+
+Author: Peter Conrad <conrad@tivano.de>
+Origin: http://marc.info/?l=djbdns&m=134269902121506&w=2
+
+Gentoo-Bug: https://bugs.gentoo.org/404959
+
+--- a/query.c
++++ b/query.c
+@@ -792,6 +792,12 @@ static int doit(struct query *z,int state)
+     }
+ 
+     if (!dns_domain_suffix(t1,control)) { i = j; continue; }
++
++    if (!flagforwardonly && byte_equal(type,2,DNS_T_NS) && dns_domain_equal(t1,control)) {
++        char dummy[256];
++        if (!roots(dummy,control)) { i = j; continue; }
++    }
++
+     if (!roots_same(t1,control)) { i = j; continue; }
+ 
+     if (byte_equal(type,2,DNS_T_ANY))
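Review bot: The new guard in doit() carries no comment tying its condition to the CVE named in the patch header, and the condition is not self-explanatory: when not forward-only, an NS record whose owner name equals `control` is skipped unless `roots(dummy,control)` succeeds. A comment such as `/* CVE-2012-1191: accept NS records for the zone being queried only when that zone is a configured root; otherwise a zone's own servers could keep refreshing its delegation in the cache (ghost domain) */` above the `if` would let a reader check the logic against the advisory without following the Origin link. `dummy` appears to exist only to satisfy roots()'s output parameter — I cannot confirm from here what roots() writes into it, so a short comment saying why it is 256 bytes would stop someone shrinking it. doit() begins and ends outside this hunk.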



* [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
@ 2021-04-20  1:28 Michael Orlitzky
From: Michael Orlitzky @ 2021-04-20  1:28 UTC (permalink / raw
  To: gentoo-commits

commit:     5b6cc80b2ba5a2ee76cd203379dedb0a1dbe6aae
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 20 01:26:37 2021 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Tue Apr 20 01:26:54 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b6cc80b

net-dns/djbdns: new revision with $AR and $RANLIB support.

Upstream lives on only in our thoughts and prayers, so I patched the
Makefile slightly to make this happen.

Closes: https://bugs.gentoo.org/784230
Closes: https://bugs.gentoo.org/784233
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

 ...bdns-1.05-r34.ebuild => djbdns-1.05-r35.ebuild} |  3 +-
 net-dns/djbdns/files/AR-and-RANLIB-support.patch   | 48 ++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/net-dns/djbdns/djbdns-1.05-r34.ebuild b/net-dns/djbdns/djbdns-1.05-r35.ebuild
similarity index 97%
rename from net-dns/djbdns/djbdns-1.05-r34.ebuild
rename to net-dns/djbdns/djbdns-1.05-r35.ebuild
index f2f79e02fd0..8cc9d5c60aa 100644
--- a/net-dns/djbdns/djbdns-1.05-r34.ebuild
+++ b/net-dns/djbdns/djbdns-1.05-r35.ebuild
@@ -44,6 +44,7 @@ PATCHES=(
 	"${FILESDIR}/increase-cname-recustion-depth.patch"
 	"${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
 	"${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+	"${FILESDIR}/AR-and-RANLIB-support.patch"
 )
 
 src_prepare() {
@@ -73,7 +74,7 @@ src_compile() {
 	echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
 	echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
 	echo "/usr" > conf-home || die
-	emake
+	emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB)
 }
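Review bot: The `$(tc-getAR)` and `$(tc-getRANLIB)` substitutions on the new emake line are unquoted, so a value containing whitespace would be word-split into separate make arguments; `emake AR="$(tc-getAR)" RANLIB="$(tc-getRANLIB)"` is the safe form and matches how `$(tc-getCC)` is quoted into conf-cc a few lines above. The Makefile patch this commit adds gives both variables a default, so this command-line override is the only place a toolchain-specific value enters the generated makelib script.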
 
 src_install() {

diff --git a/net-dns/djbdns/files/AR-and-RANLIB-support.patch b/net-dns/djbdns/files/AR-and-RANLIB-support.patch
new file mode 100644
index 00000000000..792bc22a82c
--- /dev/null
+++ b/net-dns/djbdns/files/AR-and-RANLIB-support.patch
@@ -0,0 +1,48 @@
+From 5dde3af17a784615ab52130702458ca83d5b18bd Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Mon, 19 Apr 2021 21:11:02 -0400
+Subject: [PATCH 1/1] Makefile: support AR and RANLIB variables.
+
+These variables should default to the generic "ar" and "ranlib"
+commands, but if the user specifies them we now respect them.
+
+Gentoo-bug: https://bugs.gentoo.org/784230
+Gentoo-bug: https://bugs.gentoo.org/784233
+---
+ Makefile | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1429643..5742195 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,8 @@
+ # Don't edit Makefile! Use conf-* for configuration.
+ 
+ SHELL=/bin/sh
++AR ?= ar
++RANLIB ?= ranlib
+ 
+ default: it
+ 
+@@ -581,7 +583,7 @@ warn-auto.sh systype
+ 	( cat warn-auto.sh; \
+ 	echo 'main="$$1"; shift'; \
+ 	echo 'rm -f "$$main"'; \
+-	echo 'ar cr "$$main" $${1+"$$@"}'; \
++	echo '$(AR) cr "$$main" $${1+"$$@"}'; \
+ 	case "`cat systype`" in \
+ 	sunos-5.*) ;; \
+ 	unix_sv*) ;; \
+@@ -590,7 +592,7 @@ warn-auto.sh systype
+ 	dgux-*) ;; \
+ 	hp-ux-*) ;; \
+ 	sco*) ;; \
+-	*) echo 'ranlib "$$main"' ;; \
++	*) echo '$(RANLIB) "$$main"' ;; \
+ 	esac \
+ 	) > makelib
+ 	chmod 755 makelib
+-- 
+2.26.3
+
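Review bot: `AR ?= ar` and `RANLIB ?= ranlib` use the GNU make conditional-assignment extension in a Makefile that otherwise reads as written for portable make (`SHELL=/bin/sh`, fully spelled-out dependency lists); emake is GNU make, so it works, but a one-line comment above them noting the GNU-make requirement would save the next rebase a question. Because the ebuild passes both on the emake command line, which overrides any makefile assignment, plain `AR=ar` / `RANLIB=ranlib` would behave identically for this package; `?=` does additionally honor an exported AR/RANLIB from the environment, which may be the intent — confirm. Since `$(AR)` and `$(RANLIB)` are expanded by make before the `echo` runs, the generated makelib script bakes the chosen tools in and has to be regenerated if they change.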



* [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
@ 2022-11-17 13:24 Michael Orlitzky
From: Michael Orlitzky @ 2022-11-17 13:24 UTC (permalink / raw
  To: gentoo-commits

commit:     b6b626201479d9889c4b28a10b24c9fd9d944bba
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 17 13:09:07 2022 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Thu Nov 17 13:23:36 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6b62620

net-dns/djbdns: new revision with updated ipv6 patch.

The new ipv6 patch corrects a logic error, but now also includes a bunch
of other Makefile dependency fixes, obsoleting one of our own
patches. One of the CVE patches has once again been manually rebased,
and I dropped the "headtail" patch in favor of sed to avoid a new
conditional patch.

Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

 net-dns/djbdns/Manifest                            |  2 +-
 ...bdns-1.05-r36.ebuild => djbdns-1.05-r37.ebuild} | 14 ++++++++----
 ...rge-similar-outgoing-queries-ipv6-test32.patch} | 26 +++++++++++-----------
 3 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/net-dns/djbdns/Manifest b/net-dns/djbdns/Manifest
index 7892a331568a..8ba71a5953bf 100644
--- a/net-dns/djbdns/Manifest
+++ b/net-dns/djbdns/Manifest
@@ -1,4 +1,4 @@
 DIST djbdns-1.05-man.tar.gz 17170 BLAKE2B 2fef7e1be8a427b2c426c2af58bf4c22795e64d03e0f605ca333e38f187ff65b333e88a7cea0e8a9ec867b446b5ca34a5c97dd24ae18b28ee4c747f2fd1f1608 SHA512 98af7bd9033a2205fbbc0f23b7eab45b9756f6ceff5199a62952e19c89c9fe3c03495cb6f8621d388f883c40650309a1509095417df3f54af21a71350c4aa183
 DIST djbdns-1.05-test28.diff.xz 22072 BLAKE2B fff6c13220adfa056a0ac5942ff9385d83b75f8622adaebab65f557a2ca8d014fe3c255fe55ba9afca56b24880b7cd28597b26b5bcc3bbbd3ef9f581b67004fd SHA512 7fbfeda10221a0a09897c2e744df5606c83113c394ce055d822b0d8733873d72567a88c37905d21c7d2395170fc12b9e9eb133a941aa809f1b9856872ab48230
-DIST djbdns-1.05-test29.diff.xz 28884 BLAKE2B cff7dd55d68eb33a7f8725898469f39b7a1109c7a081e00b0465d599e0ea462e888f510b98a37a31190dfadb2006c6ba2f42311e235e1d9456f745dd756035a9 SHA512 f3fda79813f0067aadc399b1b8af9b33b179ee212fee188119ad2e3d8fced3b31dbd4d2a83922a138da523bb6d6784c3d98105053f9267e7e4f41cf77b76ce88
+DIST djbdns-1.05-test32.diff.xz 31096 BLAKE2B 0bd6948ba3930f7d6e657f91ff76b1101fa7bb8f3da6849344c2230622fce6c15354e632a9140fefafee5986b522fb85c77c70ac64821d280043d1cd3564be2a SHA512 ed5ea46e3346841a8e8b6a77756c1dba53dab5636f73cf495bf1a182c393bef83d6035f6af26fb903baa75ee689db4abae222b6f85a7e245eb59f9c805163774
 DIST djbdns-1.05.tar.gz 85648 BLAKE2B 51918fcc8944e64e72709636ee7d56975a138a2806e22c019fa836770de3a338bb8f682216b89c09d6b2861c2423e60e28dc60639f5a86aca2040e1788e4cf5c SHA512 20f066402801d7bec183cb710a5bc51e41f1410024741e5803e26f68f2c13567e48eba793f233dfab903459c3335bc169e24b99d66a4c64e617e1f0779732fa9

diff --git a/net-dns/djbdns/djbdns-1.05-r36.ebuild b/net-dns/djbdns/djbdns-1.05-r37.ebuild
similarity index 89%
rename from net-dns/djbdns/djbdns-1.05-r36.ebuild
rename to net-dns/djbdns/djbdns-1.05-r37.ebuild
index 115ca72ded0b..95606086af30 100644
--- a/net-dns/djbdns/djbdns-1.05-r36.ebuild
+++ b/net-dns/djbdns/djbdns-1.05-r37.ebuild
@@ -6,7 +6,7 @@ inherit readme.gentoo-r1 toolchain-funcs
 
 DESCRIPTION="Collection of DNS client/server software"
 HOMEPAGE="https://cr.yp.to/djbdns.html"
-IPV6_PATCH="test29"
+IPV6_PATCH="test32"
 
 SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz
 	http://smarden.org/pape/djb/manpages/${P}-man.tar.gz
@@ -36,7 +36,6 @@ src_unpack() {
 }
 
 PATCHES=(
-	"${FILESDIR}/headtail-r1.patch"
 	"${FILESDIR}/dnsroots.patch"
 	"${FILESDIR}/dnstracesort.patch"
 	"${FILESDIR}/string_length_255.patch"
@@ -53,9 +52,8 @@ src_prepare() {
 			# The big ipv6 patch.
 			"${WORKDIR}/${P}-${IPV6_PATCH}.diff"
 			# Fix CVE2008-4392 (ipv6)
-			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch"
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch"
 			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch"
-			"${FILESDIR}/makefile-parallel-test25.patch"
 		)
 	else
 		PATCHES=(${PATCHES[@]}
@@ -68,6 +66,14 @@ src_prepare() {
 	fi
 
 	default
+
+	# Change "head -X" to the posix-compatible "head -nX" within the
+	# Makefile. We do this with sed instead of a patch because the ipv6
+	# patch uses some of the surrounding lines; we'd need two versions
+	# of the patch.
+	sed -i Makefile \
+		-e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \
+		|| die 'failed to sed head in the Makefile'
 }
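Review bot: `sed -i` exits 0 whether or not the `head -X` pattern matched, so the `|| die` on the new sed only catches I/O failures; if a future ipv6 patch rewrites those Makefile lines the conversion silently stops happening. A post-check such as `grep -q 'head -n[0-9]' Makefile || die 'head -nX rewrite did not apply'` would turn that into a build failure. The dropped `headtail-r1.patch` is named as if it also covered `tail`; if it converted `tail +N` style invocations too, the sed handles only `head` — worth confirming against the removed patch. The same sed appears in the new djbdns-1.05-r39.ebuild further down this page.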
 
 src_compile() {

diff --git a/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch b/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch
similarity index 92%
rename from net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch
rename to net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch
index 866b3cc51317..3dd47fbeb147 100644
--- a/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test29.patch
+++ b/net-dns/djbdns/files/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch
@@ -1,8 +1,8 @@
 diff --git a/Makefile b/Makefile
-index b89243a..626a829 100644
+index cee69a5..5afa9dc 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -348,11 +348,11 @@ stralloc.h iopause.h taia.h tai.h uint64.h taia.h
+@@ -351,11 +351,11 @@ iopause.h taia.h tai.h uint64.h
  	./compile dns_txt.c
  
  dnscache: \
@@ -16,16 +16,17 @@ index b89243a..626a829 100644
  	env.a alloc.a buffer.a libtai.a unix.a byte.a  `cat \
  	socket.lib`
  
-@@ -373,7 +373,7 @@ compile dnscache.c env.h exit.h scan.h strerr.h error.h ip4.h \
- uint16.h uint64.h socket.h uint16.h dns.h stralloc.h gen_alloc.h \
- iopause.h taia.h tai.h uint64.h taia.h taia.h byte.h roots.h fmt.h \
- iopause.h query.h dns.h uint32.h alloc.h response.h uint32.h cache.h \
--uint32.h uint64.h ndelay.h log.h uint64.h okclient.h droproot.h
-+uint32.h uint64.h ndelay.h log.h uint64.h okclient.h droproot.h maxclient.h
+@@ -374,7 +374,8 @@ dnscache.o: \
+ compile dnscache.c env.h exit.h scan.h strerr.h error.h ip4.h ip6.h \
+ uint16.h uint64.h socket.h uint32.h dns.h stralloc.h gen_alloc.h \
+ iopause.h taia.h tai.h byte.h roots.h fmt.h query.h alloc.h \
+-response.h cache.h ndelay.h log.h okclient.h droproot.h openreadclose.h
++response.h cache.h ndelay.h log.h okclient.h droproot.h openreadclose.h \
++maxclient.h
  	./compile dnscache.c
  
  dnsfilter: \
-@@ -751,11 +751,16 @@ qlog.o: \
+@@ -750,10 +751,15 @@ qlog.o: \
  compile qlog.c buffer.h qlog.h uint16.h
  	./compile qlog.c
  
@@ -36,10 +37,9 @@ index b89243a..626a829 100644
 +
  query.o: \
  compile query.c error.h roots.h log.h uint64.h case.h cache.h \
- uint32.h uint64.h byte.h dns.h stralloc.h gen_alloc.h iopause.h \
- taia.h tai.h uint64.h taia.h uint64.h uint32.h uint16.h dd.h alloc.h \
--response.h uint32.h query.h dns.h uint32.h
-+response.h uint32.h query.h dns.h uint32.h qmerge.h
+ uint32.h byte.h dns.h stralloc.h gen_alloc.h iopause.h taia.h tai.h \
+-uint16.h dd.h alloc.h response.h query.h ip6.h
++uint16.h dd.h alloc.h response.h query.h ip6.h qmerge.h
  	./compile query.c
  
  random-ip: \



* [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
@ 2022-12-02 22:45 Michael Orlitzky
From: Michael Orlitzky @ 2022-12-02 22:45 UTC (permalink / raw
  To: gentoo-commits

commit:     0a4405074f435983fb6515a2cfed1dca2a67a783
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Fri Dec  2 13:12:12 2022 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Fri Dec  2 22:43:58 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a440507

net-dns/djbdns: new revision increasing tinydns's softlimit.

The tinydns launch script imposes a "softlimit" on the amount of memory
it can use, and sometime recently (in djbdns terms, anyway), the old
default of 300000 became insufficient. We raise it to 4500000. This will
only help new installations; users with existing ones will need to
modify their local launch scripts because the script itself is not
controlled by the package manager.

Thanks to Vadim Efimov for pointing out that this problem is widespread
and in need of fixing.

Closes: https://bugs.gentoo.org/883159
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

 .../{djbdns-1.05-r37.ebuild => djbdns-1.05-r38.ebuild} |  1 +
 net-dns/djbdns/files/tinydns-softlimit.patch           | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/net-dns/djbdns/djbdns-1.05-r37.ebuild b/net-dns/djbdns/djbdns-1.05-r38.ebuild
similarity index 98%
rename from net-dns/djbdns/djbdns-1.05-r37.ebuild
rename to net-dns/djbdns/djbdns-1.05-r38.ebuild
index 95606086af30..b9e8644c4128 100644
--- a/net-dns/djbdns/djbdns-1.05-r37.ebuild
+++ b/net-dns/djbdns/djbdns-1.05-r38.ebuild
@@ -44,6 +44,7 @@ PATCHES=(
 	"${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
 	"${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
 	"${FILESDIR}/AR-and-RANLIB-support.patch"
+	"${FILESDIR}/tinydns-softlimit.patch"
 )
 
 src_prepare() {

diff --git a/net-dns/djbdns/files/tinydns-softlimit.patch b/net-dns/djbdns/files/tinydns-softlimit.patch
new file mode 100644
index 000000000000..89d80d933012
--- /dev/null
+++ b/net-dns/djbdns/files/tinydns-softlimit.patch
@@ -0,0 +1,18 @@
+Use a larger memory limit by default than was chosen at the beginning
+of time. This is evidently necessary on many machines, including my
+own, starting somewhere around December 2020.
+
+https://bugs.gentoo.org/883159
+
+diff -Naur a/tinydns-conf.c b/tinydns-conf.c
+--- a/tinydns-conf.c	2001-02-11 21:11:45.000000000 +0000
++++ b/tinydns-conf.c	2021-11-08 17:23:06.181385437 +0000
+@@ -46,7 +46,7 @@
+
+   start("run");
+   outs("#!/bin/sh\nexec 2>&1\nexec envuidgid "); outs(user);
+-  outs(" envdir ./env softlimit -d300000 ");
++  outs(" envdir ./env softlimit -d4500000 ");
+   outs(auto_home); outs("/bin/tinydns\n");
+   finish();
+   perm(0755);
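Review bot: The raised limit only reaches newly generated `run` scripts, because tinydns-conf writes the `softlimit -d4500000` string into a file the package manager does not own; as the commit message says, existing installations keep `-d300000`. That operational fact belongs in the package itself rather than only in the commit log — a `pkg_postinst` ewarn on upgrade, or a line in DOC_CONTENTS, telling users to edit the `run` script under their tinydns-conf directory would make it visible at install time. The patch header could also name the unit: softlimit's `-d` is a data-segment limit in bytes, so 4500000 is roughly 4.3 MiB.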



* [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
@ 2024-02-24 12:37 Michael Orlitzky
From: Michael Orlitzky @ 2024-02-24 12:37 UTC (permalink / raw
  To: gentoo-commits

commit:     9c51d1e85c83c2c1af71f61cc2f003374ca902c9
Author:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 24 12:07:59 2024 +0000
Commit:     Michael Orlitzky <mjo <AT> gentoo <DOT> org>
CommitDate: Sat Feb 24 12:32:24 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c51d1e8

net-dns/djbdns: new revision with configurable UDP response limit

This new revision allows the user to set TRUNCATELEN in the environment
to a value between 512 (per the RFC) and 16384. This affects only the
dnscache daemon and is useful in some cases to work around
implementation bugs; for example,

  https://forum.mikrotik.com/viewtopic.php?t=200627

Thanks to Jaco Kroon for the patches.

Closes: https://bugs.gentoo.org/916209
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>

 net-dns/djbdns/djbdns-1.05-r39.ebuild              | 136 +++++++++++++++++++++
 ...s-dnscache-configurable-truncate-manpages.patch |  53 ++++++++
 ...-dnscache-configurable-truncate-size-nov6.patch |  83 +++++++++++++
 ...ns-dnscache-configurable-truncate-size-v6.patch |  87 +++++++++++++
 4 files changed, 359 insertions(+)

diff --git a/net-dns/djbdns/djbdns-1.05-r39.ebuild b/net-dns/djbdns/djbdns-1.05-r39.ebuild
new file mode 100644
index 000000000000..2801d37b2612
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r39.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="https://cr.yp.to/djbdns.html"
+IPV6_PATCH="test32"
+
+SRC_URI="http://cr.yp.to/djbdns/${P}.tar.gz
+	http://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+	ipv6? ( http://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )"
+
+SLOT="0"
+LICENSE="public-domain"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+RDEPEND="
+	acct-user/dnscache
+	acct-user/dnslog
+	acct-user/tinydns
+	sys-apps/ucspi-tcp
+	virtual/daemontools
+	selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack() {
+	# Unpack both djbdns and its man pages to separate directories.
+	default
+
+	# Now move the man pages under ${S} so that user patches can be
+	# applied to them as well in src_prepare().
+	mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+PATCHES=(
+	"${FILESDIR}/dnsroots.patch"
+	"${FILESDIR}/dnstracesort.patch"
+	"${FILESDIR}/string_length_255.patch"
+	"${FILESDIR}/srv_record_support.patch"
+	"${FILESDIR}/increase-cname-recustion-depth.patch"
+	"${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+	"${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+	"${FILESDIR}/AR-and-RANLIB-support.patch"
+	"${FILESDIR}/tinydns-softlimit.patch"
+	"${FILESDIR}/${PN}-dnscache-configurable-truncate-manpages.patch"
+)
+
+src_prepare() {
+	if use ipv6; then
+		PATCHES=(${PATCHES[@]}
+			# The big ipv6 patch.
+			"${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+			# Fix CVE2008-4392 (ipv6)
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch"
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch"
+			"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-v6.patch"
+		)
+	else
+		PATCHES=(${PATCHES[@]}
+			# Fix CVE2008-4392 (no ipv6)
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch"
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+			# Later versions of the ipv6 patch include this
+			"${FILESDIR}/${PV}-errno-r1.patch"
+			"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-nov6.patch"
+		)
+	fi
+
+	default
+
+	# Change "head -X" to the posix-compatible "head -nX" within the
+	# Makefile. We do this with sed instead of a patch because the ipv6
+	# patch uses some of the surrounding lines; we'd need two versions
+	# of the patch.
+	sed -i Makefile \
+		-e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \
+		|| die 'failed to sed head in the Makefile'
+}
+
+src_compile() {
+	echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+	echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+	echo "/usr" > conf-home || die
+	emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB)
+}
+
+src_install() {
+	insinto /etc
+	doins dnsroots.global
+
+	into /usr
+	dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+		*-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+		dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+	if use ipv6; then
+		dobin dnsip6 dnsip6q
+	fi
+
+	dodoc CHANGES README
+
+	doman man/*.[158]
+
+	readme.gentoo_create_doc
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+	http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+	axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+	dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+	tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+	1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+	2. dnscache-conf dnscache dnslog /var/dnscache $ip
+	3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+	4. rbldns-conf $username dnslog /var/rbldns $ip $base
+	5. walldns-conf $username dnslog /var/walldns $ip
+'
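Review bot: `PATCHES=(${PATCHES[@]} ...)` in both branches of src_prepare expands the existing array unquoted, so any element containing whitespace or glob characters would be split or globbed before it reaches eapply; `PATCHES=("${PATCHES[@]}" ...)` is the correct form. The new TRUNCATELEN knob is documented in the man pages this revision patches in, but DOC_CONTENTS, which is what users see at install time, says nothing about it; a line such as `Set TRUNCATELEN (512 to 16384) in the service envdir to raise the UDP response cut-off` next to the dnscache-conf instructions would help. The sed that rewrites `head -X` has no check that it matched, as in the r37 ebuild above.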

diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch
new file mode 100644
index 000000000000..0b022299ab1c
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-manpages.patch
@@ -0,0 +1,53 @@
+From 927121fa9afe047009a2502491d1c7000871b45c Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Wed, 25 Oct 2023 19:28:50 -0400
+Subject: [PATCH] dnscache.8,tinydns.8: document TRUNCATELEN hack for microtiks
+
+---
+ dnscache.8 | 9 +++++++++
+ tinydns.8  | 9 +++++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/dnscache.8 b/dnscache.8
+index 54fd357..38dab27 100644
+--- a/man/dnscache.8
++++ b/man/dnscache.8
+@@ -116,6 +116,15 @@ for other caches, not root servers.
+ It forwards queries to those caches the same way that a client does,
+ rather than contacting a chain of servers according to NS records.
+ 
++.B dnscache
++will use the value of
++.I $TRUNCATELEN
++as the cut-off for a UDP response. The standard value according to the
++RFC is 512 (bytes), but
++.I $TRUNCATELEN
++can be anywhere between 512 and 16384. This may be necessary to work
++around implementation bugs.
++
+ .SH Memory use
+ 
+ .B dnscache
+diff --git a/tinydns.8 b/tinydns.8
+index ff92edd..bc991dd 100644
+--- a/man/tinydns.8
++++ b/man/tinydns.8
+@@ -47,6 +47,15 @@ as specified by
+ a binary file created by
+ .BR tinydns-data (8).
+ 
++.B tinydns
++will use the value of
++.I $TRUNCATELEN
++as the cut-off for a UDP response. The standard value according to the
++RFC is 512 (bytes), but
++.I $TRUNCATELEN
++can be anywhere between 512 and 16384. This may be necessary to work
++around implementation bugs.
++
+ .SH Further details
+ 
+ .B tinydns
+-- 
+2.41.0
+

diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch
new file mode 100644
index 000000000000..9f16531a5441
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-nov6.patch
@@ -0,0 +1,83 @@
+From: Jaco Kroon <jaco@uls.co.za>
+Date: Tue, 24 Oct 2023 06:36:10 +0200
+Subject: [PATCH] dnscache: Enable larger truncation
+
+This variation conflicts with the IPv6 patch.
+
+This is a workaround for https://forum.mikrotik.com/viewtopic.php?t=200627
+where Mikrotik doesn't fall back if the UDP response is truncated.
+
+This is done by enabling larger (configurable) than 512 byte responses on UDP
+such that Mikrotik doesn't have a need to revert to TCP.  Since it's impossible
+to truly know the maximum size of a DNS response trivially this is made
+configurable and the upper limit is arbitrarily capped to 16KB.
+
+Signed-off-by: Jaco Kroon <jaco@uls.co.za>
+diff -bru djbdns-1.05.o/dnscache.c djbdns-1.05/dnscache.c
+--- djbdns-1.05.o/dnscache.c	2024-02-23 08:05:00.037623680 +0200
++++ djbdns-1.05/dnscache.c	2024-02-23 08:18:26.320580927 +0200
+@@ -52,6 +52,7 @@
+ static char buf[1024];
+ uint64 numqueries = 0;
+ 
++static unsigned int truncate_len = 512;
+ 
+ static int udp53;
+ 
+@@ -77,7 +78,7 @@
+ {
+   if (!u[j].active) return;
+   response_id(u[j].id);
+-  if (response_len > 512) response_tc();
++  if (response_len > truncate_len) response_tc();
+   socket_send4(udp53,response,response_len,u[j].ip,u[j].port);
+   log_querydone(&u[j].active,response_len);
+   u[j].active = 0; --uactive;
+@@ -430,6 +431,15 @@
+   if (!cache_init(cachesize))
+     strerr_die3x(111,FATAL,"not enough memory for cache of size ",x);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
++
+   if (env_get("HIDETTL"))
+     response_hidettl();
+   if (env_get("FORWARDONLY"))
+diff -Nbrau djbdns-1.05.o/server.c djbdns-1.05/server.c
+--- djbdns-1.05.o/server.c	2001-02-11 23:11:45.000000000 +0200
++++ djbdns-1.05/server.c	2024-02-23 08:19:40.020855813 +0200
+@@ -83,6 +83,7 @@
+ {
+   char *x;
+   int udp53;
++  unsigned int truncate_len = 512;
+ 
+   x = env_get("IP");
+   if (!x)
+@@ -105,11 +106,19 @@
+ 
+   buffer_putsflush(buffer_2,starting);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
+   for (;;) {
+     len = socket_recv4(udp53,buf,sizeof buf,ip,&port);
+     if (len < 0) continue;
+     if (!doit()) continue;
+-    if (response_len > 512) response_tc();
++    if (response_len > truncate_len) response_tc();
+     socket_send4(udp53,response,response_len,ip,port);
+     /* may block for buffer space; if it fails, too bad */
+   }
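Review bot: `truncate_len` is declared `unsigned int` (file-scope in dnscache.c, a local in server.c) but passed to `scan_ulong`, which in djbdns takes an `unsigned long *` — confirm against scan.h; if so, on LP64 targets the call stores 8 bytes into a 4-byte object, clobbering whatever follows it (a stack neighbour in server.c), and the compiler most likely already warns about the incompatible pointer type. Declaring both as `unsigned long truncate_len = 512;` fixes it and keeps the `response_len > truncate_len` comparisons well-defined. The v6 variant of this patch further down the page has the same two declarations and also carries a stray `Only in djbdns-1.05/: .dnscache.c.swp` line from `diff -r` that should be dropped from the patch file. Note too that server.c is, as far as I recall djbdns's layout, the main loop shared by tinydns and the other UDP servers, so the change is not dnscache-only as the commit message suggests — which is consistent with the tinydns.8 edit in the manpages patch.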

diff --git a/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch
new file mode 100644
index 000000000000..291ebe4f5c44
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-dnscache-configurable-truncate-size-v6.patch
@@ -0,0 +1,87 @@
+From: Jaco Kroon <jaco@uls.co.za>
+Date: Tue, 24 Oct 2023 06:36:10 +0200
+Subject: [PATCH] dnscache: Enable larger truncation
+
+This variation applies on top of the IPv6 patch.
+
+This is a workaround for https://forum.mikrotik.com/viewtopic.php?t=200627
+where Mikrotik doesn't fall back if the UDP response is truncated.
+
+This is done by enabling larger (configurable) than 512 byte responses on UDP
+such that Mikrotik doesn't have a need to revert to TCP.  Since it's impossible
+to truly know the maximum size of a DNS response trivially this is made
+configurable and the upper limit is arbitrarily capped to 16KB.
+
+Signed-off-by: Jaco Kroon <jaco@uls.co.za>
+diff -bru djbdns-1.05.o/dnscache.c djbdns-1.05/dnscache.c
+--- a/dnscache.c	2023-10-20 00:34:15.788688135 +0200
++++ b/dnscache.c	2023-10-20 00:46:55.030355147 +0200
+@@ -58,6 +58,7 @@
+ static char buf[1024];
+ uint64 numqueries = 0;
+ 
++static unsigned int truncate_len = 512;
+ 
+ static int udp53;
+ 
+@@ -84,7 +85,7 @@
+ {
+   if (!u[j].active) return;
+   response_id(u[j].id);
+-  if (response_len > 512) response_tc();
++  if (response_len > truncate_len) response_tc();
+   socket_send6(udp53,response,response_len,u[j].ip,u[j].port,u[j].scope_id);
+   log_querydone(&u[j].active,response_len);
+   u[j].active = 0; --uactive;
+@@ -449,6 +450,15 @@
+   if (!cache_init(cachesize))
+     strerr_die3x(111,FATAL,"not enough memory for cache of size ",x);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
++
+   if (openreadclose("ignoreip",&sa,64) < 0) 
+     strerr_die2x(111,FATAL,"trouble reading ignoreip");
+   for(j = k = i = 0; i < sa.len; i++)
+Only in djbdns-1.05/: .dnscache.c.swp
+diff -bru djbdns-1.05.o/server.c djbdns-1.05/server.c
+--- djbdns-1.05.o/server.c	2023-10-20 00:34:15.778688116 +0200
++++ djbdns-1.05/server.c	2023-10-20 00:43:31.519954643 +0200
+@@ -94,6 +94,7 @@
+   int *udp53;
+   unsigned int off;
+   unsigned int cnt;
++  unsigned int truncate_len = 512;
+   iopause_fd *iop;
+ 
+   x = env_get("IP");
+@@ -154,6 +155,14 @@
+ 
+   buffer_putsflush(buffer_2,starting);
+ 
++  x = env_get("TRUNCATELEN");
++  if (x) {
++    scan_ulong(x,&truncate_len);
++    if (truncate_len < 512)
++      truncate_len = 512;
++    if (truncate_len > 16384)
++      truncate_len = 16384;
++  }
+   for (;;) {
+     struct taia stamp;
+     struct taia deadline;
+@@ -168,7 +177,7 @@
+ 	len = socket_recv6(udp53[i],buf,sizeof buf,ip,&port,&ifid);
+ 	if (len < 0) continue;
+ 	if (!doit()) continue;
+-	if (response_len > 512) response_tc();
++	if (response_len > truncate_len) response_tc();
+ 	socket_send6(udp53[i],response,response_len,ip,port,ifid);
+ 	/* may block for buffer space; if it fails, too bad */
+       }
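Review bot: `scan_ulong(x,&truncate_len);` in the dnscache.c hunk passes the address of an `unsigned int` (`static unsigned int truncate_len = 512;`) where djbdns's scan.h declares scan_ulong as writing through an `unsigned long *`, so on LP64 targets the store is 8 bytes into a 4-byte object and the memory following `truncate_len` is overwritten — reachable only by whoever sets TRUNCATELEN in the service environment, but still an out-of-bounds write, and presumably one of the incompatible-pointer-types diagnostics this package later has to silence. The same pattern is in the server.c hunk, where `unsigned int truncate_len = 512;` is a stack local and the overwrite lands on neighbouring locals, and in the nov6 sibling patch earlier in this thread. Declare it as `unsigned long truncate_len = 512;` in both files so the pointer type matches scan_ulong; the 512..16384 clamp that follows keeps the later `response_len > truncate_len` comparison well-defined. Allowing UDP answers up to 16 KiB regardless of any EDNS0 buffer size the client advertised also raises the amplification a publicly reachable instance can provide to spoofed-source queries, which belongs in the manpage text next to TRUNCATELEN. The `Only in djbdns-1.05/: .dnscache.c.swp` line is editor residue and should be dropped from the patch file.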



* [gentoo-commits] repo/gentoo:master commit in: net-dns/djbdns/files/, net-dns/djbdns/
@ 2024-05-27 15:08 Viorel Munteanu
From: Viorel Munteanu @ 2024-05-27 15:08 UTC (permalink / raw
  To: gentoo-commits

commit:     b938f9f9a917d3bacb73ef914c371dfc5f2d8ebe
Author:     Jaco Kroon <jaco <AT> uls <DOT> co <DOT> za>
AuthorDate: Mon May 27 14:37:52 2024 +0000
Commit:     Viorel Munteanu <ceamac <AT> gentoo <DOT> org>
CommitDate: Mon May 27 15:08:30 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b938f9f9

net-dns/djbdns: 1.05-r40

Work around local receive overflow bug.

Bug: https://bugs.gentoo.org/932846
Signed-off-by: Jaco Kroon <jaco <AT> uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/36841
Signed-off-by: Viorel Munteanu <ceamac <AT> gentoo.org>

 net-dns/djbdns/djbdns-1.05-r40.ebuild              | 143 +++++++++++++++++++++
 ...dp-overflow-response-buffer-truncate-nov6.patch |  13 ++
 ...-udp-overflow-response-buffer-truncate-v6.patch |  34 +++++
 3 files changed, 190 insertions(+)

diff --git a/net-dns/djbdns/djbdns-1.05-r40.ebuild b/net-dns/djbdns/djbdns-1.05-r40.ebuild
new file mode 100644
index 000000000000..f5a5afde9b70
--- /dev/null
+++ b/net-dns/djbdns/djbdns-1.05-r40.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit flag-o-matic readme.gentoo-r1 toolchain-funcs
+
+DESCRIPTION="Collection of DNS client/server software"
+HOMEPAGE="https://cr.yp.to/djbdns.html"
+IPV6_PATCH="test32"
+
+SRC_URI="https://cr.yp.to/djbdns/${P}.tar.gz
+	https://smarden.org/pape/djb/manpages/${P}-man.tar.gz
+	ipv6? ( https://www.fefe.de/dns/${P}-${IPV6_PATCH}.diff.xz )"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86"
+IUSE="ipv6 selinux"
+
+RDEPEND="
+	acct-user/dnscache
+	acct-user/dnslog
+	acct-user/tinydns
+	sys-apps/ucspi-tcp
+	virtual/daemontools
+	selinux? ( sec-policy/selinux-djbdns )"
+
+src_unpack() {
+	# Unpack both djbdns and its man pages to separate directories.
+	default
+
+	# Now move the man pages under ${S} so that user patches can be
+	# applied to them as well in src_prepare().
+	mv "${PN}-man" "${P}/man" || die "failed to transplant man pages"
+}
+
+PATCHES=(
+	"${FILESDIR}/dnsroots.patch"
+	"${FILESDIR}/dnstracesort.patch"
+	"${FILESDIR}/string_length_255.patch"
+	"${FILESDIR}/srv_record_support.patch"
+	"${FILESDIR}/increase-cname-recustion-depth.patch"
+	"${FILESDIR}/CVE2009-0858_0001-check-response-domain-name-length.patch"
+	"${FILESDIR}/CVE2012-1191_0001-ghost-domain-attack.patch"
+	"${FILESDIR}/AR-and-RANLIB-support.patch"
+	"${FILESDIR}/tinydns-softlimit.patch"
+	"${FILESDIR}/${PN}-dnscache-configurable-truncate-manpages.patch"
+)
+
+src_prepare() {
+	if use ipv6; then
+		PATCHES=(${PATCHES[@]}
+			# The big ipv6 patch.
+			"${WORKDIR}/${P}-${IPV6_PATCH}.diff"
+			# Fix CVE2008-4392 (ipv6)
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-ipv6-test32.patch"
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records-ipv6-test29.patch"
+			"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-v6.patch"
+			"${FILESDIR}/${PN}-udp-overflow-response-buffer-truncate-v6.patch"
+		)
+	else
+		PATCHES=(${PATCHES[@]}
+			"${FILESDIR}/implicit-declarations-nov6.patch"
+			# Fix CVE2008-4392 (no ipv6)
+			"${FILESDIR}/CVE2008-4392_0001-dnscache-merge-similar-outgoing-queries-r1.patch"
+			"${FILESDIR}/CVE2008-4392_0002-dnscache-cache-soa-records.patch"
+			# Later versions of the ipv6 patch include this
+			"${FILESDIR}/${PV}-errno-r1.patch"
+			"${FILESDIR}/${PN}-dnscache-configurable-truncate-size-nov6.patch"
+			"${FILESDIR}/${PN}-udp-overflow-response-buffer-truncate-nov6.patch"
+		)
+	fi
+
+	default
+
+	# Change "head -X" to the posix-compatible "head -nX" within the
+	# Makefile. We do this with sed instead of a patch because the ipv6
+	# patch uses some of the surrounding lines; we'd need two versions
+	# of the patch.
+	sed -i Makefile \
+		-e 's/head[[:space:]]\{1,\}\-\([0-9]\{1,\}\)/head -n\1/g' \
+		|| die 'failed to sed head in the Makefile'
+}
+
+src_compile() {
+	# Bug 927539. This is beyond our ability to realistically fix due
+	# to patch conflicts.
+	append-cflags $(test-flags-CC -Wno-error=incompatible-pointer-types)
+
+	echo "$(tc-getCC) ${CFLAGS}" > conf-cc || die
+	echo "$(tc-getCC) ${LDFLAGS}" > conf-ld || die
+	echo "/usr" > conf-home || die
+	emake AR=$(tc-getAR) RANLIB=$(tc-getRANLIB)
+}
+
+src_install() {
+	insinto /etc
+	doins dnsroots.global
+
+	into /usr
+	dobin *-conf dnscache tinydns walldns rbldns pickdns axfrdns \
+		*-get *-data *-edit dnsip dnsipq dnsname dnstxt dnsmx \
+		dnsfilter random-ip dnsqr dnsq dnstrace dnstracesort
+
+	if use ipv6; then
+		dobin dnsip6 dnsip6q
+	fi
+
+	dodoc CHANGES README
+
+	doman man/*.[158]
+
+	readme.gentoo_create_doc
+}
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS='
+To configure djbdns, please follow the instructions at,
+
+	http://cr.yp.to/djbdns.html
+
+Of particular interest are,
+
+	axfrdns : http://cr.yp.to/djbdns/axfrdns-conf.html
+	dnscache: http://cr.yp.to/djbdns/run-cache-x-home.html
+	tinydns : http://cr.yp.to/djbdns/run-server.html
+
+Portage has created users for axfrdns, dnscache, and tinydns; the
+commands to configure these programs are,
+
+	1. axfrdns-conf tinydns dnslog /var/axfrdns /var/tinydns $ip
+	2. dnscache-conf dnscache dnslog /var/dnscache $ip
+	3. tinydns-conf tinydns dnslog /var/tinydns $ip
+
+(replace $ip with the ip address on which the server will run).
+
+If you wish to configure rbldns or walldns, you will need to create
+those users yourself (although you should still use the "dnslog"
+user for the logs):
+
+	4. rbldns-conf $username dnslog /var/rbldns $ip $base
+	5. walldns-conf $username dnslog /var/walldns $ip
+'
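Review bot: `PATCHES=(${PATCHES[@]}` at the head of both branches in src_prepare re-expands the existing array unquoted, so any element whose path contains whitespace or glob characters is split or globbed before the ipv6/no-ipv6 entries are appended; `PATCHES+=(` … `)` (or `"${PATCHES[@]}"`) appends without that re-expansion. In src_compile, `append-cflags $(test-flags-CC -Wno-error=incompatible-pointer-types)` downgrades a diagnostic class that in this tree appears to include real width mismatches (the bundled configurable-truncate patches hand an `unsigned int *` to scan_ulong), so the comment above it should name which warnings are known and why they are tolerated rather than only citing the bug number. DOC_CONTENTS still points users at http:// URLs while HOMEPAGE and SRC_URI were moved to https:// in the same file.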

diff --git a/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch
new file mode 100644
index 000000000000..058691cb94ff
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-nov6.patch
@@ -0,0 +1,13 @@
+--- djbdns-1.05.o/dns_transmit.c	2001-02-11 23:11:45.000000000 +0200
++++ djbdns-1.05/dns_transmit.c	2024-05-27 16:25:11.857369652 +0200
+@@ -265,9 +265,9 @@
+       if (errno == error_connrefused) if (d->udploop == 2) return 0;
+       return nextudp(d);
+     }
+-    if (r + 1 > sizeof udpbuf) return 0;
+ 
+     if (irrelevant(d,udpbuf,r)) return 0;
++    if ((size_t)r + 1 > sizeof udpbuf) return firsttcp(d); /* if udp overflowed, retry with TCP */
+     if (serverwantstcp(udpbuf,r)) return firsttcp(d);
+     if (serverfailed(udpbuf,r)) {
+       if (d->udploop == 2) return 0;
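Review bot: This patch file has no header, unlike its v6 sibling below which explains the recv()-truncation rationale and carries a Signed-off-by, so a reader of FILESDIR cannot tell why the size check moved below `irrelevant()` and now retries over TCP instead of returning 0; the same descriptive paragraph should be prepended here. In both files the comment `/* if udp overflowed, retry with TCP */` overstates the condition: `(size_t)r + 1 > sizeof udpbuf` is also true for an answer that exactly fills the buffer, which the v6 description admits but the code comment does not — `/* buffer full: overflow or an exact fit we cannot tell apart; retry over TCP */` matches the behaviour. The reordering is presumably safe because `irrelevant()` is handed `r` and r is bounded by the receive call above, but that call and the enclosing function start outside this hunk.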

diff --git a/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch
new file mode 100644
index 000000000000..bf55e7dd86df
--- /dev/null
+++ b/net-dns/djbdns/files/djbdns-udp-overflow-response-buffer-truncate-v6.patch
@@ -0,0 +1,34 @@
+Deal with local recv() truncation.
+
+In the case where an upstream cache sends a UDP response that would overflow
+the djb cache's default receive buffer, then djbdns would treat this as an
+invalid response.  The norm nowadays is the send >512b UDP responses,
+especially for TXT RRs.  It looks like up to around 4KB is deemed acceptable in
+most cases I've investigated.
+
+So, in the case where we locally end up reciving a truncated packet by way of
+recv() because the local UDP buffer is too small, treat that like the TC bit
+was set, because really we can know the response was truncated.
+
+Therefor check the irrelevant (inappropriate response) data first, then if the
+buffer was fully received (it might be that the response fits exactly, but
+short of parsing this buffer there is no simple way to confirm this, so just
+assume it's unlikely to get an exact sized buffer back and retry using TCP
+anyway).  Yes, this is a waste of resources in this specific case, but so be
+it.
+
+Signed-off-by: <jaco@uls.co.za>
+
+--- djbdns-1.05.o/dns_transmit.c	2024-05-27 13:20:25.788463090 +0200
++++ djbdns-1.05/dns_transmit.c	2024-05-27 14:13:38.786335627 +0200
+@@ -266,9 +266,9 @@
+       if (errno == error_connrefused) if (d->udploop == 2) return 0;
+       return nextudp(d);
+     }
+-    if ((size_t)r + 1 > sizeof udpbuf) return 0;
+ 
+     if (irrelevant(d,udpbuf,r)) return 0;
++    if ((size_t)r + 1 > sizeof udpbuf) return firsttcp(d); /* if udp overflowed, retry with TCP */
+     if (serverwantstcp(udpbuf,r)) return firsttcp(d);
+     if (serverfailed(udpbuf,r)) {
+       if (d->udploop == 2) return 0;


