From owner-svn-src-vendor@freebsd.org  Wed Nov  2 04:35:11 2016
Return-Path: <owner-svn-src-vendor@freebsd.org>
Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C494BC2A0AA;
 Wed,  2 Nov 2016 04:35:11 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4D21F1AD3;
 Wed,  2 Nov 2016 04:35:11 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uA24ZABb011259;
 Wed, 2 Nov 2016 04:35:10 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uA24Z5Pj011209;
 Wed, 2 Nov 2016 04:35:05 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201611020435.uA24Z5Pj011209@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 2 Nov 2016 04:35:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-vendor@freebsd.org
Subject: svn commit: r308191 - in vendor/bind9/dist: . doc/arm lib/dns
X-SVN-Group: vendor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-vendor@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the vendor work area tree
 <svn-src-vendor.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-vendor>, 
 <mailto:svn-src-vendor-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-vendor/>
List-Post: <mailto:svn-src-vendor@freebsd.org>
List-Help: <mailto:svn-src-vendor-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-vendor>,
 <mailto:svn-src-vendor-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 04:35:12 -0000

Author: delphij
Date: Wed Nov  2 04:35:05 2016
New Revision: 308191
URL: https://svnweb.freebsd.org/changeset/base/308191

Log:
  Vendor import of BIND 9.9.9-P4.

Modified:
  vendor/bind9/dist/CHANGES
  vendor/bind9/dist/README
  vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html
  vendor/bind9/dist/doc/arm/Bv9ARM.html
  vendor/bind9/dist/doc/arm/Bv9ARM.pdf
  vendor/bind9/dist/doc/arm/man.arpaname.html
  vendor/bind9/dist/doc/arm/man.ddns-confgen.html
  vendor/bind9/dist/doc/arm/man.dig.html
  vendor/bind9/dist/doc/arm/man.dnssec-checkds.html
  vendor/bind9/dist/doc/arm/man.dnssec-coverage.html
  vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html
  vendor/bind9/dist/doc/arm/man.dnssec-importkey.html
  vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html
  vendor/bind9/dist/doc/arm/man.dnssec-keygen.html
  vendor/bind9/dist/doc/arm/man.dnssec-revoke.html
  vendor/bind9/dist/doc/arm/man.dnssec-settime.html
  vendor/bind9/dist/doc/arm/man.dnssec-signzone.html
  vendor/bind9/dist/doc/arm/man.dnssec-verify.html
  vendor/bind9/dist/doc/arm/man.genrandom.html
  vendor/bind9/dist/doc/arm/man.host.html
  vendor/bind9/dist/doc/arm/man.isc-hmac-fixup.html
  vendor/bind9/dist/doc/arm/man.lwresd.html
  vendor/bind9/dist/doc/arm/man.named-checkconf.html
  vendor/bind9/dist/doc/arm/man.named-checkzone.html
  vendor/bind9/dist/doc/arm/man.named-journalprint.html
  vendor/bind9/dist/doc/arm/man.named.conf.html
  vendor/bind9/dist/doc/arm/man.named.html
  vendor/bind9/dist/doc/arm/man.nsec3hash.html
  vendor/bind9/dist/doc/arm/man.nsupdate.html
  vendor/bind9/dist/doc/arm/man.rndc-confgen.html
  vendor/bind9/dist/doc/arm/man.rndc.conf.html
  vendor/bind9/dist/doc/arm/man.rndc.html
  vendor/bind9/dist/doc/arm/notes.html
  vendor/bind9/dist/doc/arm/notes.pdf
  vendor/bind9/dist/doc/arm/notes.xml
  vendor/bind9/dist/lib/dns/api
  vendor/bind9/dist/lib/dns/resolver.c
  vendor/bind9/dist/version

Modified: vendor/bind9/dist/CHANGES
==============================================================================
--- vendor/bind9/dist/CHANGES	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/CHANGES	Wed Nov  2 04:35:05 2016	(r308191)
@@ -1,3 +1,8 @@
+	--- 9.9.9-P4 released ---
+
+4489.	[security]	It was possible to trigger assertions when processing
+			a response. (CVE-2016-8864) [RT #43465]
+
 	--- 9.9.9-P3 released ---
 
 4467.	[security]	It was possible to trigger a assertion when rendering

Modified: vendor/bind9/dist/README
==============================================================================
--- vendor/bind9/dist/README	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/README	Wed Nov  2 04:35:05 2016	(r308191)
@@ -51,6 +51,10 @@ BIND 9
 	For up-to-date release notes and errata, see
 	http://www.isc.org/software/bind9/releasenotes
 
+BIND 9.9.9-P4
+
+	This version contains a fix for CVE-2016-8864.
+
 BIND 9.9.9-P3
 
 	This version contains a fix for CVE-2016-2776.

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -555,6 +555,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -153,6 +153,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -663,6 +663,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -1960,6 +1960,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -138,6 +138,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -12314,6 +12314,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -248,6 +248,6 @@ zone "example.com" {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -44,7 +44,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.9.9-P3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.9.9-P4</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -60,7 +60,7 @@
 </div>
 <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.9.9-P3</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.9.9-P4</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -68,7 +68,11 @@
       This document summarizes changes since BIND 9.9.9:
     </p>
 <p>
-      BIND 9.10.9-P3 addresses the security issue described in
+      BIND 9.9.9-P4 addresses the security issue described in
+      CVE-2016-8864.
+    </p>
+<p>
+      BIND 9.9.9-P3 addresses the security issue described in
       CVE-2016-2776.
     </p>
 <p>
@@ -97,6 +101,10 @@
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem"><p>
+	  It was possible to trigger assertions when processing
+	  a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
+	</p></li>
+<li class="listitem"><p>
 	  It was possible to trigger a assertion when rendering a
 	  message using a specially crafted request. This flaw is
 	  disclosed in CVE-2016-2776. [RT #43139]
@@ -184,6 +192,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -497,6 +497,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -539,6 +539,6 @@ $ <strong class="userinput"><code>sample
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.html
==============================================================================
--- vendor/bind9/dist/doc/arm/Bv9ARM.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/Bv9ARM.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -40,7 +40,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.9.9-P3</p></div>
+<div><p class="releaseinfo">BIND Version 9.9.9-P4</p></div>
 <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
 </div>
@@ -233,7 +233,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.9.9-P3</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.9.9-P4</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -373,6 +373,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/Bv9ARM.pdf
==============================================================================
Binary file (source and/or target). No diff available.

Modified: vendor/bind9/dist/doc/arm/man.arpaname.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.arpaname.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.arpaname.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -81,6 +81,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.ddns-confgen.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.ddns-confgen.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.ddns-confgen.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -170,6 +170,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dig.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dig.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dig.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -746,6 +746,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-checkds.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-checkds.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-checkds.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-coverage.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-coverage.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-coverage.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -195,6 +195,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -213,6 +213,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-importkey.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-importkey.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-importkey.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -177,6 +177,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -346,6 +346,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-keygen.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-keygen.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-keygen.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -448,6 +448,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-revoke.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-revoke.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-revoke.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -125,6 +125,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-settime.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-settime.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-settime.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -255,6 +255,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-signzone.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-signzone.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-signzone.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -538,6 +538,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.dnssec-verify.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.dnssec-verify.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.dnssec-verify.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -150,6 +150,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.genrandom.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.genrandom.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.genrandom.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.host.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.host.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.host.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -248,6 +248,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.isc-hmac-fixup.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.isc-hmac-fixup.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.isc-hmac-fixup.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -112,6 +112,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.lwresd.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.lwresd.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.lwresd.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -253,6 +253,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.named-checkconf.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.named-checkconf.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.named-checkconf.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -151,6 +151,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.named-checkzone.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.named-checkzone.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.named-checkzone.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -321,6 +321,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.named-journalprint.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.named-journalprint.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.named-journalprint.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -102,6 +102,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.named.conf.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.named.conf.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.named.conf.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -672,6 +672,6 @@ zone <em class="replaceable"><code>strin
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.named.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.named.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.named.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -351,6 +351,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.nsec3hash.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.nsec3hash.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.nsec3hash.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -103,6 +103,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.nsupdate.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.nsupdate.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.nsupdate.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -639,6 +639,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.rndc-confgen.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.rndc-confgen.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.rndc-confgen.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -216,6 +216,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.rndc.conf.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.rndc.conf.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.rndc.conf.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -245,6 +245,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/man.rndc.html
==============================================================================
--- vendor/bind9/dist/doc/arm/man.rndc.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/man.rndc.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -581,6 +581,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
 </body>
 </html>

Modified: vendor/bind9/dist/doc/arm/notes.html
==============================================================================
--- vendor/bind9/dist/doc/arm/notes.html	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/notes.html	Wed Nov  2 04:35:05 2016	(r308191)
@@ -21,7 +21,7 @@
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="article"><div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.9.9-P3</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.9.9-P4</h2></div></div></div>
 <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_intro"></a>Introduction</h3></div></div></div>
@@ -29,7 +29,11 @@
       This document summarizes changes since BIND 9.9.9:
     </p>
 <p>
-      BIND 9.10.9-P3 addresses the security issue described in
+      BIND 9.9.9-P4 addresses the security issue described in
+      CVE-2016-8864.
+    </p>
+<p>
+      BIND 9.9.9-P3 addresses the security issue described in
       CVE-2016-2776.
     </p>
 <p>
@@ -58,6 +62,10 @@
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
 <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem"><p>
+	  It was possible to trigger assertions when processing
+	  a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
+	</p></li>
+<li class="listitem"><p>
 	  It was possible to trigger a assertion when rendering a
 	  message using a specially crafted request. This flaw is
 	  disclosed in CVE-2016-2776. [RT #43139]

Modified: vendor/bind9/dist/doc/arm/notes.pdf
==============================================================================
Binary file (source and/or target). No diff available.

Modified: vendor/bind9/dist/doc/arm/notes.xml
==============================================================================
--- vendor/bind9/dist/doc/arm/notes.xml	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/doc/arm/notes.xml	Wed Nov  2 04:35:05 2016	(r308191)
@@ -24,7 +24,11 @@
       This document summarizes changes since BIND 9.9.9:
     </para>
     <para>
-      BIND 9.10.9-P3 addresses the security issue described in
+      BIND 9.9.9-P4 addresses the security issue described in
+      CVE-2016-8864.
+    </para>
+    <para>
+      BIND 9.9.9-P3 addresses the security issue described in
       CVE-2016-2776.
     </para>
     <para>
@@ -53,6 +57,12 @@
     <itemizedlist>
       <listitem>
 	<para>
+	  It was possible to trigger assertions when processing
+	  a response. This flaw is disclosed in CVE-2016-8864. [RT #43465]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
 	  It was possible to trigger a assertion when rendering a
 	  message using a specially crafted request. This flaw is
 	  disclosed in CVE-2016-2776. [RT #43139]

Modified: vendor/bind9/dist/lib/dns/api
==============================================================================
--- vendor/bind9/dist/lib/dns/api	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/lib/dns/api	Wed Nov  2 04:35:05 2016	(r308191)
@@ -7,5 +7,5 @@
 # 9.10: 140-149
 # 9.11: 160-169
 LIBINTERFACE = 172
-LIBREVISION = 2
+LIBREVISION = 3
 LIBAGE = 0

Modified: vendor/bind9/dist/lib/dns/resolver.c
==============================================================================
--- vendor/bind9/dist/lib/dns/resolver.c	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/lib/dns/resolver.c	Wed Nov  2 04:35:05 2016	(r308191)
@@ -593,7 +593,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddri
 	valarg->addrinfo = addrinfo;
 
 	if (!ISC_LIST_EMPTY(fctx->validators))
-		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+		valoptions |= DNS_VALIDATOR_DEFER;
+	else
+		valoptions &= ~DNS_VALIDATOR_DEFER;
 
 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
 				      sigrdataset, fctx->rmessage,
@@ -5277,13 +5279,6 @@ cache_name(fetchctx_t *fctx, dns_name_t 
 							   rdataset,
 							   sigrdataset,
 							   valoptions, task);
-					/*
-					 * Defer any further validations.
-					 * This prevents multiple validators
-					 * from manipulating fctx->rmessage
-					 * simultaneously.
-					 */
-					valoptions |= DNS_VALIDATOR_DEFER;
 				}
 			} else if (CHAINING(rdataset)) {
 				if (rdataset->type == dns_rdatatype_cname)
@@ -5396,6 +5391,11 @@ cache_name(fetchctx_t *fctx, dns_name_t 
 				       eresult == DNS_R_NCACHENXRRSET);
 			}
 			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL)
+					dns_db_detachnode(*adbp, anodep);
+				dns_db_detach(adbp);
+			}
 			dns_db_attach(fctx->cache, adbp);
 			dns_db_transfernode(fctx->cache, &node, anodep);
 			clone_results(fctx);
@@ -5643,6 +5643,11 @@ ncache_message(fetchctx_t *fctx, dns_adb
 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
 		if (event != NULL) {
 			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL)
+					dns_db_detachnode(*adbp, anodep);
+				dns_db_detach(adbp);
+			}
 			dns_db_attach(fctx->cache, adbp);
 			dns_db_transfernode(fctx->cache, &node, anodep);
 			clone_results(fctx);
@@ -6464,13 +6469,15 @@ static isc_result_t
 answer_response(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_message_t *message;
-	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+	dns_name_t *cname = NULL;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
-	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+	isc_boolean_t have_answer, found_cname, found_dname, found_type;
+	isc_boolean_t wanted_chaining;
 	unsigned int aflag;
 	dns_rdatatype_t type;
-	dns_fixedname_t fdname, fqname;
+	dns_fixedname_t fdname, fqname, fqdname;
 	dns_view_t *view;
 
 	FCTXTRACE("answer_response");
@@ -6484,6 +6491,7 @@ answer_response(fetchctx_t *fctx) {
 
 	done = ISC_FALSE;
 	found_cname = ISC_FALSE;
+	found_dname = ISC_FALSE;
 	found_type = ISC_FALSE;
 	chaining = ISC_FALSE;
 	have_answer = ISC_FALSE;
@@ -6493,12 +6501,13 @@ answer_response(fetchctx_t *fctx) {
 		aa = ISC_TRUE;
 	else
 		aa = ISC_FALSE;
-	qname = &fctx->name;
+	dqname = qname = &fctx->name;
 	type = fctx->type;
 	view = fctx->res->view;
+	dns_fixedname_init(&fqdname);
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (!done && result == ISC_R_SUCCESS) {
-		dns_namereln_t namereln;
+		dns_namereln_t namereln, dnamereln;
 		int order;
 		unsigned int nlabels;
 
@@ -6506,6 +6515,8 @@ answer_response(fetchctx_t *fctx) {
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+		dnamereln = dns_name_fullcompare(dqname, name, &order,
+						 &nlabels);
 		if (namereln == dns_namereln_equal) {
 			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6600,7 +6611,7 @@ answer_response(fetchctx_t *fctx) {
 					}
 				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
-					   dns_rdatatype_cname
+					      dns_rdatatype_cname
 					   && !found_type) {
 					/*
 					 * We're looking for something else,
@@ -6630,11 +6641,18 @@ answer_response(fetchctx_t *fctx) {
 						 * a CNAME or DNAME).
 						 */
 						INSIST(!external);
-						if (aflag ==
-						    DNS_RDATASETATTR_ANSWER) {
+						if ((rdataset->type !=
+						     dns_rdatatype_cname) ||
+						    !found_dname ||
+						    (aflag ==
+						     DNS_RDATASETATTR_ANSWER))
+						{
 							have_answer = ISC_TRUE;
+							if (rdataset->type ==
+							    dns_rdatatype_cname)
+								cname = name;
 							name->attributes |=
-								DNS_NAMEATTR_ANSWER;
+							    DNS_NAMEATTR_ANSWER;
 						}
 						rdataset->attributes |= aflag;
 						if (aa)
@@ -6728,11 +6746,11 @@ answer_response(fetchctx_t *fctx) {
 					return (DNS_R_FORMERR);
 				}
 
-				if (namereln != dns_namereln_subdomain) {
+				if (dnamereln != dns_namereln_subdomain) {
 					char qbuf[DNS_NAME_FORMATSIZE];
 					char obuf[DNS_NAME_FORMATSIZE];
 
-					dns_name_format(qname, qbuf,
+					dns_name_format(dqname, qbuf,
 							sizeof(qbuf));
 					dns_name_format(name, obuf,
 							sizeof(obuf));
@@ -6747,7 +6765,7 @@ answer_response(fetchctx_t *fctx) {
 					want_chaining = ISC_TRUE;
 					POST(want_chaining);
 					aflag = DNS_RDATASETATTR_ANSWER;
-					result = dname_target(rdataset, qname,
+					result = dname_target(rdataset, dqname,
 							      nlabels, &fdname);
 					if (result == ISC_R_NOSPACE) {
 						/*
@@ -6764,10 +6782,13 @@ answer_response(fetchctx_t *fctx) {
 
 					dname = dns_fixedname_name(&fdname);
 					if (!is_answertarget_allowed(view,
-							qname, rdataset->type,
-							dname, &fctx->domain)) {
+						     dqname, rdataset->type,
+						     dname, &fctx->domain))
+					{
 						return (DNS_R_SERVFAIL);
 					}
+					dqname = dns_fixedname_name(&fqdname);
+					dns_name_copy(dname, dqname, NULL);
 				} else {
 					/*
 					 * We've found a signature that
@@ -6792,6 +6813,10 @@ answer_response(fetchctx_t *fctx) {
 					INSIST(!external);
 					if (aflag == DNS_RDATASETATTR_ANSWER) {
 						have_answer = ISC_TRUE;
+						found_dname = ISC_TRUE;
+						if (cname != NULL)
+							cname->attributes &=
+							   ~DNS_NAMEATTR_ANSWER;
 						name->attributes |=
 							DNS_NAMEATTR_ANSWER;
 					}

Modified: vendor/bind9/dist/version
==============================================================================
--- vendor/bind9/dist/version	Wed Nov  2 03:07:01 2016	(r308190)
+++ vendor/bind9/dist/version	Wed Nov  2 04:35:05 2016	(r308191)
@@ -7,5 +7,5 @@ MAJORVER=9
 MINORVER=9
 PATCHVER=9
 RELEASETYPE=-P
-RELEASEVER=3
+RELEASEVER=4
 EXTENSIONS=