[PATCH] bind: Update to version 9.20.9

[Adolf Belka]

- Update from version 9.20.8 to 9.20.9
- Update of rootfile
- Changelog
    9.20.9
        Security Fixes
                - [CVE-2025-40775] Prevent assertion when processing TSIG 
algorithm.
                  ``b8c198ac5ca``
                  DNS messages that included a Transaction Signature (TSIG) 
containing
                  an invalid value in the algorithm field caused 
:iscman:`named` to
                  crash with an assertion failure. This has been fixed.
                  :cve:`2025-40775` :gl:`#5300`
        Feature Changes
                - Use jinja2 templates in system tests. ``8f545784ff0``
                  `python-jinja2` is now required to run system tests. 
:gl:`#4938`
                  :gl:`!10396`
        Bug Fixes
                - Fix EDNS yaml output. ``8c3b226d89b``
                  `dig` was producing invalid YAML when displaying some EDNS 
options.
                  This has been corrected.
                  Several other improvements have been made to the display of 
EDNS
                  option data: - We now use the correct name for the 
UPDATE-LEASE
                  option, which was previously displayed as "UL", and split it 
into
                  separate LEASE and LEASE-KEY components in YAML mode. - 
Human-readable
                  durations are now displayed as comments in YAML mode so as 
not to
                  interfere with machine parsing. - KEY-TAG options are now 
displayed as
                  an array of integers in YAML mode. - EDNS COOKIE options are 
displayed
                  as separate CLIENT and SERVER components, and cookie STATUS 
is a
                  retrievable variable in YAML mode. :gl:`#5014` :gl:`!10414`
                - Return DNS COOKIE and NSID with BADVERS. ``34b7323bad6``
                  This change allows the client to identify the server that 
returns the
                  BADVERS and to provide a DNS SERVER COOKIE to be included in 
the
                  resend of the request. :gl:`#5235` :gl:`!10392`
                - Disable own memory context for libxml2 on macOS. 
``51e51d5ea8f``
                  Apple broke custom memory allocation functions in the 
system-wide
                  libxml2 starting with macOS Sequoia 15.4.  Usage of the 
custom memory
                  allocation functions has been disabled on macOS. :gl:`#5268`
                  :gl:`!10411`
                - `check_private` failed to account for the length byte before 
the OID.
                  ``2b827380e75``
                  In PRIVATEOID keys, the key data begins with a length byte 
followed
                  by an ASN.1 object identifier that indicates the cryptographic
                  algorithm  to use. Previously, the length byte was not 
accounted for
                  when  checking the contents of keys and signatures, which 
could have
                  led to interoperability problems with any zones signed using
                  PRIVATEOID. This has been fixed. :gl:`#5270` :gl:`!10376`
                - Fix a serve-stale issue with a delegated zone. ``d839d11bf62``
                  When ``stale-answer-client-timeout 0`` option was enabled, it 
could be
                  ignored when resolving a zone which is a delegation of an
                  authoritative zone belonging to the resolver. This has been 
fixed.
                  :gl:`#5275` :gl:`!10420`
                - Fix the ksr two-tone test. ``3e2b255b5b7``
                  The two-tone ksr subtest (test_ksr_twotone) depended on the
                  dnssec-policy keys algorithm values in named.conf being 
entered in
                  numerical order.  As the algorithms used in the test can be 
selected
                  randomly this does not always happen. Sort the dnssec-policy 
keys by
                  algorithm when adding them to the key list from named.conf.
                  :gl:`#5286` :gl:`!10435`
                - Revert NSEC3 closest encloser lookup improvements. 
``ac41f158fad``
                  The performance improvements for NSEC3 closest encloser 
lookups that
                  were restored in BIND 9.20.8 turned out to cause incorrect 
NSEC3
                  records to be returned in nonexistence proofs and were 
therefore
                  reverted again. :gl:`#5292` :gl:`!10443`

Signed-off-by: Adolf Belka <adolf.be...@ipfire.org>
---
 config/rootfiles/common/bind | 10 +++++-----
 lfs/bind                     |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind
index 0beffd862..23d8cd20b 100644
--- a/config/rootfiles/common/bind
+++ b/config/rootfiles/common/bind
@@ -240,18 +240,18 @@ usr/bin/nsupdate
 #usr/include/ns/types.h
 #usr/include/ns/update.h
 #usr/include/ns/xfrout.h
-usr/lib/libdns-9.20.8.so
+usr/lib/libdns-9.20.9.so
 #usr/lib/libdns.la
 #usr/lib/libdns.so
-usr/lib/libisc-9.20.8.so
+usr/lib/libisc-9.20.9.so
 #usr/lib/libisc.la
 #usr/lib/libisc.so
-usr/lib/libisccc-9.20.8.so
+usr/lib/libisccc-9.20.9.so
 #usr/lib/libisccc.la
 #usr/lib/libisccc.so
-usr/lib/libisccfg-9.20.8.so
+usr/lib/libisccfg-9.20.9.so
 #usr/lib/libisccfg.la
 #usr/lib/libisccfg.so
-usr/lib/libns-9.20.8.so
+usr/lib/libns-9.20.9.so
 #usr/lib/libns.la
 #usr/lib/libns.so
diff --git a/lfs/bind b/lfs/bind
index 330501460..6d448f728 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.20.8
+VER        = 9.20.9
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 
cc8f9de7cff23af113c48d365d41774f5141f937091b2f97e682104be03e64c86eb6f00a5f2e43ac4a3472c24b2909ca0d4cb82194cf4e8e510d5dded40ddd5a
+$(DL_FILE)_BLAKE2 = 
40a1428d2da9d92b3604f04234b2ff44701abcf2ea22883caea7fb4ee157547125fd68accb8fe10853ff64cd5018fa89e36eeb53021fa3ee9bc056e05ac228d6
 
 install : $(TARGET)
 
-- 
2.49.0