File bind-CVE-2023-4408.patch of Package bind.34202

Index: bind-9.16.6/bin/plugins/filter-aaaa.c
===================================================================
--- bind-9.16.6.orig/bin/plugins/filter-aaaa.c
+++ bind-9.16.6/bin/plugins/filter-aaaa.c
@@ -355,7 +355,7 @@ plugin_register(const char *parameters,
 	}
 
 	isc_mempool_create(mctx, sizeof(filter_data_t), &inst->datapool);
-	CHECK(isc_ht_init(&inst->ht, mctx, 16));
+	CHECK(isc_ht_init(&inst->ht, mctx, 16, ISC_HT_CASE_SENSITIVE));
 	isc_mutex_init(&inst->hlock);
 
 	/*
Index: bind-9.16.6/lib/dns/catz.c
===================================================================
--- bind-9.16.6.orig/lib/dns/catz.c
+++ bind-9.16.6/lib/dns/catz.c
@@ -399,12 +399,12 @@ dns_catz_zones_merge(dns_catz_zone_t *ta
 
 	dns_name_format(&target->name, czname, DNS_NAME_FORMATSIZE);
 
-	result = isc_ht_init(&toadd, target->catzs->mctx, 16);
+	result = isc_ht_init(&toadd, target->catzs->mctx, 16, ISC_HT_CASE_SENSITIVE);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
 	}
 
-	result = isc_ht_init(&tomod, target->catzs->mctx, 16);
+	result = isc_ht_init(&tomod, target->catzs->mctx, 16, ISC_HT_CASE_SENSITIVE);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
 	}
@@ -611,7 +611,7 @@ dns_catz_new_zones(dns_catz_zones_t **ca
 
 	isc_refcount_init(&new_zones->refs, 1);
 
-	result = isc_ht_init(&new_zones->zones, mctx, 4);
+	result = isc_ht_init(&new_zones->zones, mctx, 4, ISC_HT_CASE_SENSITIVE);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup_refcount;
 	}
@@ -667,7 +667,7 @@ dns_catz_new_zone(dns_catz_zones_t *catz
 	dns_name_init(&new_zone->name, NULL);
 	dns_name_dup(name, catzs->mctx, &new_zone->name);
 
-	result = isc_ht_init(&new_zone->entries, catzs->mctx, 4);
+	result = isc_ht_init(&new_zone->entries, catzs->mctx, 4, ISC_HT_CASE_SENSITIVE);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup_name;
 	}
Index: bind-9.16.6/lib/dns/include/dns/message.h
===================================================================
--- bind-9.16.6.orig/lib/dns/include/dns/message.h
+++ bind-9.16.6/lib/dns/include/dns/message.h
@@ -792,44 +792,6 @@ dns_message_findtype(const dns_name_t *n
  *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
  */
 
-isc_result_t
-dns_message_find(const dns_name_t *name, dns_rdataclass_t rdclass,
-		 dns_rdatatype_t type, dns_rdatatype_t covers,
-		 dns_rdataset_t **rdataset);
-/*%<
- * Search the name for the specified rdclass and type.  If it is found,
- * *rdataset is filled in with a pointer to that rdataset.
- *
- * Requires:
- *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
- *
- *\li	'type' be a valid type, and NOT dns_rdatatype_any.
- *
- *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- *	Otherwise it should be 0.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		-- all is well.
- *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
- */
-
-void
-dns_message_movename(dns_message_t *msg, dns_name_t *name,
-		     dns_section_t fromsection, dns_section_t tosection);
-/*%<
- * Move a name from one section to another.
- *
- * Requires:
- *
- *\li	'msg' be valid.
- *
- *\li	'name' must be a name already in 'fromsection'.
- *
- *\li	'fromsection' must be a valid section.
- *
- *\li	'tosection' must be a valid section.
- */
-
 void
 dns_message_addname(dns_message_t *msg, dns_name_t *name,
 		    dns_section_t section);
Index: bind-9.16.6/lib/dns/include/dns/name.h
===================================================================
--- bind-9.16.6.orig/lib/dns/include/dns/name.h
+++ bind-9.16.6/lib/dns/include/dns/name.h
@@ -67,6 +67,7 @@
 #include <stdbool.h>
 #include <stdio.h>
 
+#include <isc/ht.h>
 #include <isc/lang.h>
 #include <isc/magic.h>
 #include <isc/region.h> /* Required for storage size of dns_label_t. */
@@ -110,6 +111,7 @@ struct dns_name {
 	isc_buffer_t * buffer;
 	ISC_LINK(dns_name_t) link;
 	ISC_LIST(dns_rdataset_t) list;
+	isc_ht_t *ht;
 };
 
 #define DNS_NAME_MAGIC ISC_MAGIC('D', 'N', 'S', 'n')
@@ -165,30 +167,24 @@ LIBDNS_EXTERNAL_DATA extern const dns_na
  *	unsigned char offsets[] = { 0, 6 };
  *	dns_name_t value = DNS_NAME_INITABSOLUTE(data, offsets);
  */
-#define DNS_NAME_INITNONABSOLUTE(A, B)                         \
-	{                                                      \
-		DNS_NAME_MAGIC, A, (sizeof(A) - 1), sizeof(B), \
-			DNS_NAMEATTR_READONLY, B, NULL,        \
-			{ (void *)-1, (void *)-1 }, {          \
-			NULL, NULL                             \
-		}                                              \
+#define DNS_NAME_INITNONABSOLUTE(A, B)                                   \
+	{                                                                \
+		DNS_NAME_MAGIC, A, (sizeof(A) - 1), sizeof(B),           \
+			DNS_NAMEATTR_READONLY, B, NULL,                  \
+			{ (void *)-1, (void *)-1 }, { NULL, NULL }, NULL \
 	}
 
-#define DNS_NAME_INITABSOLUTE(A, B)                                       \
-	{                                                                 \
-		DNS_NAME_MAGIC, A, sizeof(A), sizeof(B),                  \
-			DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, B, \
-			NULL, { (void *)-1, (void *)-1 }, {               \
-			NULL, NULL                                        \
-		}                                                         \
+#define DNS_NAME_INITABSOLUTE(A, B)                                            \
+	{                                                                      \
+		DNS_NAME_MAGIC, A, sizeof(A), sizeof(B),                       \
+			DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, B,      \
+			NULL, { (void *)-1, (void *)-1 }, { NULL, NULL }, NULL \
 	}
 
-#define DNS_NAME_INITEMPTY                                 \
-	{                                                  \
-		DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL, \
-			{ (void *)-1, (void *)-1 }, {      \
-			NULL, NULL                         \
-		}                                          \
+#define DNS_NAME_INITEMPTY                                               \
+	{                                                                \
+		DNS_NAME_MAGIC, NULL, 0, 0, 0, NULL, NULL,               \
+			{ (void *)-1, (void *)-1 }, { NULL, NULL }, NULL \
 	}
 
 /*%
@@ -1348,6 +1344,7 @@ ISC_LANG_ENDDECLS
 		_n->buffer = NULL;                \
 		ISC_LINK_INIT(_n, link);          \
 		ISC_LIST_INIT(_n->list);          \
+		_n->ht = NULL;                    \
 	} while (0)
 
 #define DNS_NAME_RESET(n)                                  \
Index: bind-9.16.6/lib/dns/message.c
===================================================================
--- bind-9.16.6.orig/lib/dns/message.c
+++ bind-9.16.6/lib/dns/message.c
@@ -20,6 +20,8 @@
 #include <stdbool.h>
 
 #include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/ht.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 #include <isc/string.h> /* Required for HP/UX (and others?) */
@@ -506,9 +508,11 @@ msgresetsigs(dns_message_t *msg, bool re
 		} else {
 			dns_rdataset_disassociate(msg->tsig);
 			isc_mempool_put(msg->rdspool, msg->tsig);
+			msg->tsig = NULL;
 			if (msg->querytsig != NULL) {
 				dns_rdataset_disassociate(msg->querytsig);
 				isc_mempool_put(msg->rdspool, msg->querytsig);
+				msg->querytsig = NULL;
 			}
 		}
 		if (dns_name_dynamic(msg->tsigname)) {
@@ -806,6 +810,18 @@ dns_message_destroy(dns_message_t **msgp
 }
 
 static isc_result_t
+name_hash_add(isc_ht_t *ht, dns_name_t *name, dns_name_t **foundp) {
+	isc_result_t result = isc_ht_find(ht, name->ndata, name->length,
+					  (void **)foundp);
+	if (result == ISC_R_SUCCESS) {
+		return (ISC_R_EXISTS);
+	}
+	result = isc_ht_add(ht, name->ndata, name->length, (void *)name);
+	INSIST(result == ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
 findname(dns_name_t **foundname, const dns_name_t *target,
 	 dns_namelist_t *section) {
 	dns_name_t *curr;
@@ -824,28 +840,26 @@ findname(dns_name_t **foundname, const d
 	return (ISC_R_NOTFOUND);
 }
 
-isc_result_t
-dns_message_find(const dns_name_t *name, dns_rdataclass_t rdclass,
-		 dns_rdatatype_t type, dns_rdatatype_t covers,
-		 dns_rdataset_t **rdataset) {
-	dns_rdataset_t *curr;
-
-	REQUIRE(name != NULL);
-	REQUIRE(rdataset == NULL || *rdataset == NULL);
-
-	for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
-	     curr = ISC_LIST_PREV(curr, link))
-	{
-		if (curr->rdclass == rdclass && curr->type == type &&
-		    curr->covers == covers) {
-			if (rdataset != NULL) {
-				*rdataset = curr;
-			}
-			return (ISC_R_SUCCESS);
-		}
-	}
+typedef struct __attribute__((__packed__)) rds_key {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t type;
+	dns_rdatatype_t covers;
+} rds_key_t;
 
-	return (ISC_R_NOTFOUND);
+static isc_result_t
+rds_hash_add(isc_ht_t *ht, dns_rdataset_t *rds, dns_rdataset_t **foundp) {
+	rds_key_t key = { .rdclass = rds->rdclass,
+			  .type = rds->type,
+			  .covers = rds->covers };
+	isc_result_t result = isc_ht_find(ht, (const unsigned char *)&key,
+					  sizeof(key), (void **)foundp);
+	if (result == ISC_R_SUCCESS) {
+		return (ISC_R_EXISTS);
+	}
+	result = isc_ht_add(ht, (const unsigned char *)&key, sizeof(key),
+			    (void *)rds);
+	INSIST(result == ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -973,23 +987,41 @@ getrdata(isc_buffer_t *source, dns_messa
 		}                            \
 	} while (0)
 
+static void
+cleanup_name_hashmaps(dns_namelist_t *section) {
+	dns_name_t *name = NULL;
+	for (name = ISC_LIST_HEAD(*section); name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		if (name->ht != NULL) {
+			isc_ht_destroy(&name->ht);
+		}
+	}
+}
+
 static isc_result_t
 getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 	     unsigned int options) {
 	isc_region_t r;
 	unsigned int count;
-	dns_name_t *name;
-	dns_name_t *name2;
+	dns_name_t *name = NULL;
+	dns_name_t *name2 = NULL;
 	dns_offsets_t *offsets;
 	dns_rdataset_t *rdataset;
 	dns_rdatalist_t *rdatalist;
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	dns_rdatatype_t rdtype;
 	dns_rdataclass_t rdclass;
 	dns_namelist_t *section;
-	bool free_name;
+ 	bool free_name = false;
+	bool free_ht = false;
 	bool best_effort;
 	bool seen_problem;
+	isc_ht_t *name_map = NULL;
+
+	if (msg->counts[DNS_SECTION_QUESTION] > 1) {
+		isc_ht_init(&name_map, msg->mctx, 1, ISC_HT_CASE_INSENSITIVE);
+	}
 
 	section = &msg->sections[DNS_SECTION_QUESTION];
 
@@ -1024,13 +1056,19 @@ getquestions(isc_buffer_t *source, dns_m
 			goto cleanup;
 		}
 
+		/* If there is only one QNAME, skip the duplicity checks */
+		if (name_map == NULL) {
+			result = ISC_R_SUCCESS;
+			goto skip_name_check;
+		}
+
 		/*
 		 * Run through the section, looking to see if this name
 		 * is already there.  If it is found, put back the allocated
 		 * name since we no longer need it, and set our name pointer
 		 * to point to the name we found.
 		 */
-		result = findname(&name2, name, section);
+		result = name_hash_add(name_map, name, &name2);
 
 		/*
 		 * If it is the first name in the section, accept it.
@@ -1042,19 +1080,25 @@ getquestions(isc_buffer_t *source, dns_m
 		 * this should be legal or not.  In either case we no longer
 		 * need this name pointer.
 		 */
-		if (result != ISC_R_SUCCESS) {
+	skip_name_check:
+		switch (result) {
+		case ISC_R_SUCCESS:
 			if (!ISC_LIST_EMPTY(*section)) {
 				DO_ERROR(DNS_R_FORMERR);
 			}
 			ISC_LIST_APPEND(*section, name, link);
-			free_name = false;
-		} else {
+			break;
+		case ISC_R_EXISTS:
 			isc_mempool_put(msg->namepool, name);
 			name = name2;
 			name2 = NULL;
-			free_name = false;
+			break;
+		default:
+			ISC_UNREACHABLE();
 		}
 
+		free_name = false;
+
 		/*
 		 * Get type and class.
 		 */
@@ -1085,14 +1129,6 @@ getquestions(isc_buffer_t *source, dns_m
 		}
 
 		/*
-		 * Can't ask the same question twice.
-		 */
-		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
-		if (result == ISC_R_SUCCESS) {
-			DO_ERROR(DNS_R_FORMERR);
-		}
-
-		/*
 		 * Allocate a new rdatalist.
 		 */
 		rdatalist = newrdatalist(msg);
@@ -1105,6 +1141,7 @@ getquestions(isc_buffer_t *source, dns_m
 			result = ISC_R_NOMEMORY;
 			goto cleanup;
 		}
+		dns_rdataset_init(rdataset);
 
 		/*
 		 * Convert rdatalist to rdataset, and attach the latter to
@@ -1113,26 +1150,57 @@ getquestions(isc_buffer_t *source, dns_m
 		rdatalist->type = rdtype;
 		rdatalist->rdclass = rdclass;
 
-		dns_rdataset_init(rdataset);
 		result = dns_rdatalist_tordataset(rdatalist, rdataset);
-		if (result != ISC_R_SUCCESS) {
-			goto cleanup;
-		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 		rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
 
+		/*
+		 * Skip the duplicity check for first rdataset
+		 */
+		if (ISC_LIST_EMPTY(name->list)) {
+			result = ISC_R_SUCCESS;
+			goto skip_rds_check;
+		}
+
+		/*
+		 * Can't ask the same question twice.
+		 */
+		if (name->ht == NULL) {
+			isc_ht_init(&name->ht, msg->mctx, 1,
+				    ISC_HT_CASE_SENSITIVE);
+			free_ht = true;
+
+			INSIST(ISC_LIST_HEAD(name->list) ==
+			       ISC_LIST_TAIL(name->list));
+
+			dns_rdataset_t *old_rdataset =
+				ISC_LIST_HEAD(name->list);
+
+			result = rds_hash_add(name->ht, old_rdataset, NULL);
+
+			INSIST(result == ISC_R_SUCCESS);
+		}
+		result = rds_hash_add(name->ht, rdataset, NULL);
+		if (result == ISC_R_EXISTS) {
+			DO_ERROR(DNS_R_FORMERR);
+		}
+
+	skip_rds_check:
 		ISC_LIST_APPEND(name->list, rdataset, link);
+
 		rdataset = NULL;
 	}
 
 	if (seen_problem) {
-		return (DNS_R_RECOVERABLE);
+		result = DNS_R_RECOVERABLE;
 	}
-	return (ISC_R_SUCCESS);
 
 cleanup:
 	if (rdataset != NULL) {
-		INSIST(!dns_rdataset_isassociated(rdataset));
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+		}
 		isc_mempool_put(msg->rdspool, rdataset);
 	}
 #if 0
@@ -1144,6 +1212,14 @@ cleanup:
 		isc_mempool_put(msg->namepool, name);
 	}
 
+	if (free_ht) {
+		cleanup_name_hashmaps(section);
+	}
+
+	if (name_map != NULL) {
+		isc_ht_destroy(&name_map);
+	}
+
 	return (result);
 }
 
@@ -1223,17 +1299,24 @@ getsection(isc_buffer_t *source, dns_mes
 	dns_name_t *name = NULL;
 	dns_name_t *name2 = NULL;
 	dns_offsets_t *offsets;
-	dns_rdataset_t *rdataset;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdataset_t *found_rdataset = NULL;
 	dns_rdatalist_t *rdatalist;
-	isc_result_t result;
+	isc_result_t result = ISC_R_SUCCESS;
 	dns_rdatatype_t rdtype, covers;
 	dns_rdataclass_t rdclass;
 	dns_rdata_t *rdata;
 	dns_ttl_t ttl;
 	dns_namelist_t *section;
-	bool free_name = false, free_rdataset = false;
-	bool preserve_order, best_effort, seen_problem;
+	bool free_name = false, seen_problem = false;
+	bool free_ht = false;
+	bool preserve_order, best_effort;
 	bool isedns, issigzero, istsig;
+	isc_ht_t *name_map = NULL;
+
+	if (msg->counts[sectionid] > 1) {
+		isc_ht_init(&name_map, msg->mctx, 1, ISC_HT_CASE_INSENSITIVE);
+	}
 
 	preserve_order = ((options & DNS_MESSAGEPARSE_PRESERVEORDER) != 0);
 	best_effort = ((options & DNS_MESSAGEPARSE_BESTEFFORT) != 0);
@@ -1247,10 +1330,10 @@ getsection(isc_buffer_t *source, dns_mes
 
 		skip_name_search = false;
 		skip_type_search = false;
-		free_rdataset = false;
 		isedns = false;
 		issigzero = false;
 		istsig = false;
+		found_rdataset = NULL;
 
 		name = isc_mempool_get(msg->namepool);
 		if (name == NULL) {
@@ -1295,8 +1378,8 @@ getsection(isc_buffer_t *source, dns_mes
 		if (msg->rdclass_set == 0 &&
 		    rdtype != dns_rdatatype_opt &&  /* class is UDP SIZE */
 		    rdtype != dns_rdatatype_tsig && /* class is ANY */
-		    rdtype != dns_rdatatype_tkey)
-		{ /* class is undefined */
+		    rdtype != dns_rdatatype_tkey)   /* class is undefined */
+		{
 			msg->rdclass = rdclass;
 			msg->rdclass_set = 1;
 		}
@@ -1402,10 +1485,6 @@ getsection(isc_buffer_t *source, dns_mes
 		 * Then put the meta-class back into the finished rdata.
 		 */
 		rdata = newrdata(msg);
-		if (rdata == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto cleanup;
-		}
 		if (msg->opcode == dns_opcode_update &&
 		    update(sectionid, rdclass)) {
 			if (rdatalen != 0) {
@@ -1488,33 +1567,71 @@ getsection(isc_buffer_t *source, dns_mes
 				free_name = false;
 			}
 		} else {
+			if (name_map == NULL) {
+				result = ISC_R_SUCCESS;
+				goto skip_name_check;
+			}
+
 			/*
 			 * Run through the section, looking to see if this name
 			 * is already there.  If it is found, put back the
 			 * allocated name since we no longer need it, and set
 			 * our name pointer to point to the name we found.
 			 */
-			result = findname(&name2, name, section);
+			result = name_hash_add(name_map, name, &name2);
 
 			/*
 			 * If it is a new name, append to the section.
 			 */
-			if (result == ISC_R_SUCCESS) {
+		skip_name_check:
+			switch (result) {
+			case ISC_R_SUCCESS:
+				ISC_LIST_APPEND(*section, name, link);
+				break;
+			case ISC_R_EXISTS:
 				isc_mempool_put(msg->namepool, name);
 				name = name2;
-			} else {
-				ISC_LIST_APPEND(*section, name, link);
+				name2 = NULL;
+				break;
+			default:
+				ISC_UNREACHABLE();
 			}
 			free_name = false;
 		}
 
+		rdatalist = newrdatalist(msg);
+		if (rdatalist == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		dns_message_gettemprdataset(msg, &rdataset);
+		if (rdataset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		rdatalist->type = rdtype;
+		rdatalist->covers = covers;
+		rdatalist->rdclass = rdclass;
+		rdatalist->ttl = ttl;
+
+		RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+			      ISC_R_SUCCESS);
+		dns_rdataset_setownercase(rdataset, name);
+		rdatalist = NULL;
+
 		/*
 		 * Search name for the particular type and class.
 		 * Skip this stage if in update mode or this is a meta-type.
 		 */
-		if (preserve_order || msg->opcode == dns_opcode_update ||
-		    skip_type_search) {
-			result = ISC_R_NOTFOUND;
+		if (isedns || istsig || issigzero) {
+			/* Skip adding the rdataset to the tables */
+		} else if (preserve_order || msg->opcode == dns_opcode_update ||
+			   skip_type_search)
+		{
+			result = ISC_R_SUCCESS;
+
+			ISC_LIST_APPEND(name->list, rdataset, link);
 		} else {
 			/*
 			 * If this is a type that can only occur in
@@ -1524,63 +1641,71 @@ getsection(isc_buffer_t *source, dns_mes
 				DO_ERROR(DNS_R_FORMERR);
 			}
 
-			rdataset = NULL;
-			result = dns_message_find(name, rdclass, rdtype, covers,
-						  &rdataset);
-		}
+			if (ISC_LIST_EMPTY(name->list)) {
+				result = ISC_R_SUCCESS;
+				goto skip_rds_check;
+			}
+
+			if (name->ht == NULL) {
+				isc_ht_init(&name->ht, msg->mctx, 1,
+					    ISC_HT_CASE_SENSITIVE);
+				free_ht = true;
+
+				INSIST(ISC_LIST_HEAD(name->list) ==
+				       ISC_LIST_TAIL(name->list));
+
+				dns_rdataset_t *old_rdataset =
+					ISC_LIST_HEAD(name->list);
+
+				result = rds_hash_add(name->ht, old_rdataset,
+						      NULL);
+
+				INSIST(result == ISC_R_SUCCESS);
+			}
+			found_rdataset = NULL;
+			result = rds_hash_add(name->ht, rdataset,
+					      &found_rdataset);
+
+			/*
+			 * If we found an rdataset that matches, we need to
+			 * append this rdata to that set.  If we did not, we
+			 * need to create a new rdatalist, store the important
+			 * bits there, convert it to an rdataset, and link the
+			 * latter to the name. Yuck.  When appending, make
+			 * certain that the type isn't a singleton type, such as
+			 * SOA or CNAME.
+			 *
+			 * Note that this check will be bypassed when preserving
+			 * order, the opcode is an update, or the type search is
+			 * skipped.
+			 */
+		skip_rds_check:
+			switch (result) {
+			case ISC_R_EXISTS:
+				/* Free the rdataset we used as the key */
+				dns_rdataset_disassociate(rdataset);
+				isc_mempool_put(msg->rdspool, rdataset);
+				result = ISC_R_SUCCESS;
+				rdataset = found_rdataset;
+
+				if (!dns_rdatatype_issingleton(rdtype)) {
+					break;
+				}
 
-		/*
-		 * If we found an rdataset that matches, we need to
-		 * append this rdata to that set.  If we did not, we need
-		 * to create a new rdatalist, store the important bits there,
-		 * convert it to an rdataset, and link the latter to the name.
-		 * Yuck.  When appending, make certain that the type isn't
-		 * a singleton type, such as SOA or CNAME.
-		 *
-		 * Note that this check will be bypassed when preserving order,
-		 * the opcode is an update, or the type search is skipped.
-		 */
-		if (result == ISC_R_SUCCESS) {
-			if (dns_rdatatype_issingleton(rdtype)) {
-				dns_rdata_t *first;
 				dns_rdatalist_fromrdataset(rdataset,
 							   &rdatalist);
-				first = ISC_LIST_HEAD(rdatalist->rdata);
+				dns_rdata_t *first =
+					ISC_LIST_HEAD(rdatalist->rdata);
 				INSIST(first != NULL);
 				if (dns_rdata_compare(rdata, first) != 0) {
 					DO_ERROR(DNS_R_FORMERR);
 				}
-			}
-		}
-
-		if (result == ISC_R_NOTFOUND) {
-			rdataset = isc_mempool_get(msg->rdspool);
-			if (rdataset == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-			free_rdataset = true;
-
-			rdatalist = newrdatalist(msg);
-			if (rdatalist == NULL) {
-				result = ISC_R_NOMEMORY;
-				goto cleanup;
-			}
-
-			rdatalist->type = rdtype;
-			rdatalist->covers = covers;
-			rdatalist->rdclass = rdclass;
-			rdatalist->ttl = ttl;
-
-			dns_rdataset_init(rdataset);
-			RUNTIME_CHECK(
-				dns_rdatalist_tordataset(rdatalist, rdataset) ==
-				ISC_R_SUCCESS);
-			dns_rdataset_setownercase(rdataset, name);
-
-			if (!isedns && !istsig && !issigzero) {
+				break;
+			case ISC_R_SUCCESS:
 				ISC_LIST_APPEND(name->list, rdataset, link);
-				free_rdataset = false;
+				break;
+			default:
+				ISC_UNREACHABLE();
 			}
 		}
 
@@ -1615,8 +1740,6 @@ getsection(isc_buffer_t *source, dns_mes
 			dns_rcode_t ercode;
 
 			msg->opt = rdataset;
-			rdataset = NULL;
-			free_rdataset = false;
 			ercode = (dns_rcode_t)(
 				(msg->opt->ttl & DNS_MESSAGE_EDNSRCODE_MASK) >>
 				20);
@@ -1627,8 +1750,6 @@ getsection(isc_buffer_t *source, dns_mes
 			msg->sig0 = rdataset;
 			msg->sig0name = name;
 			msg->sigstart = recstart;
-			rdataset = NULL;
-			free_rdataset = false;
 			free_name = false;
 		} else if (istsig) {
 			msg->tsig = rdataset;
@@ -1638,22 +1759,17 @@ getsection(isc_buffer_t *source, dns_mes
 			 * Windows doesn't like TSIG names to be compressed.
 			 */
 			msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-			rdataset = NULL;
-			free_rdataset = false;
 			free_name = false;
 		}
+		rdataset = NULL;
 
 		if (seen_problem) {
 			if (free_name) {
 				isc_mempool_put(msg->namepool, name);
 			}
-			if (free_rdataset) {
-				isc_mempool_put(msg->rdspool, rdataset);
-			}
-			free_name = free_rdataset = false;
+			free_name = false;
 		}
 		INSIST(!free_name);
-		INSIST(!free_rdataset);
 	}
 
 	/*
@@ -1671,16 +1787,24 @@ getsection(isc_buffer_t *source, dns_mes
 	}
 
 	if (seen_problem) {
-		return (DNS_R_RECOVERABLE);
+		result = DNS_R_RECOVERABLE;
 	}
-	return (ISC_R_SUCCESS);
 
 cleanup:
+	if (rdataset != NULL && rdataset != found_rdataset) {
+		dns_rdataset_disassociate(rdataset);
+		isc_mempool_put(msg->rdspool, rdataset);
+	}
 	if (free_name) {
 		isc_mempool_put(msg->namepool, name);
 	}
-	if (free_rdataset) {
-		isc_mempool_put(msg->rdspool, rdataset);
+
+	if (free_ht) {
+		cleanup_name_hashmaps(section);
+	}
+
+	if (name_map != NULL) {
+		isc_ht_destroy(&name_map);
 	}
 
 	return (result);
@@ -2473,7 +2597,7 @@ dns_message_findname(dns_message_t *msg,
 		     const dns_name_t *target, dns_rdatatype_t type,
 		     dns_rdatatype_t covers, dns_name_t **name,
 		     dns_rdataset_t **rdataset) {
-	dns_name_t *foundname;
+	dns_name_t *foundname = NULL;
 	isc_result_t result;
 
 	/*
@@ -2521,22 +2645,6 @@ dns_message_findname(dns_message_t *msg,
 }
 
 void
-dns_message_movename(dns_message_t *msg, dns_name_t *name,
-		     dns_section_t fromsection, dns_section_t tosection) {
-	REQUIRE(msg != NULL);
-	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-	REQUIRE(name != NULL);
-	REQUIRE(VALID_NAMED_SECTION(fromsection));
-	REQUIRE(VALID_NAMED_SECTION(tosection));
-
-	/*
-	 * Unlink the name from the old section
-	 */
-	ISC_LIST_UNLINK(msg->sections[fromsection], name, link);
-	ISC_LIST_APPEND(msg->sections[tosection], name, link);
-}
-
-void
 dns_message_addname(dns_message_t *msg, dns_name_t *name,
 		    dns_section_t section) {
 	REQUIRE(msg != NULL);
@@ -2637,6 +2745,10 @@ dns_message_puttempname(dns_message_t *m
 	REQUIRE(!ISC_LINK_LINKED(item, link));
 	REQUIRE(ISC_LIST_HEAD(item->list) == NULL);
 
+	if (item->ht != NULL) {
+		isc_ht_destroy(&item->ht);
+	}
+
 	if (dns_name_dynamic(item)) {
 		dns_name_free(item, msg->mctx);
 	}
Index: bind-9.16.6/lib/dns/name.c
===================================================================
--- bind-9.16.6.orig/lib/dns/name.c
+++ bind-9.16.6/lib/dns/name.c
@@ -186,6 +186,7 @@ dns_name_invalidate(dns_name_t *name) {
 	name->offsets = NULL;
 	name->buffer = NULL;
 	ISC_LINK_INIT(name, link);
+	INSIST(name->ht == NULL);
 }
 
 bool
Index: bind-9.16.6/lib/dns/rpz.c
===================================================================
--- bind-9.16.6.orig/lib/dns/rpz.c
+++ bind-9.16.6/lib/dns/rpz.c
@@ -1546,7 +1546,7 @@ dns_rpz_new_zone(dns_rpz_zones_t *rpzs,
 	 * simplifies update_from_db
 	 */
 
-	result = isc_ht_init(&zone->nodes, rpzs->mctx, 1);
+	result = isc_ht_init(&zone->nodes, rpzs->mctx, 1, ISC_HT_CASE_SENSITIVE);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup_ht;
 	}
@@ -1729,7 +1729,8 @@ setup_update(dns_rpz_zone_t *rpz) {
 		      ISC_LOG_DEBUG(1), "rpz: %s: using hashtable size %d",
 		      domain, hashsize);
 
-	result = isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize);
+	result = isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize,
+		    ISC_HT_CASE_SENSITIVE);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
Index: bind-9.16.6/lib/dns/win32/libdns.def.in
===================================================================
--- bind-9.16.6.orig/lib/dns/win32/libdns.def.in
+++ bind-9.16.6/lib/dns/win32/libdns.def.in
@@ -529,7 +529,6 @@ dns_message_checksig
 dns_message_create
 dns_message_currentname
 dns_message_destroy
-dns_message_find
 dns_message_findname
 dns_message_findtype
 dns_message_firstname
@@ -549,7 +548,6 @@ dns_message_gettsigkey
 dns_message_headertotext
 dns_message_logfmtpacket
 dns_message_logpacket
-dns_message_movename
 dns_message_nextname
 dns_message_parse
 dns_message_peekheader
Index: bind-9.16.6/lib/isc/ht.c
===================================================================
--- bind-9.16.6.orig/lib/isc/ht.c
+++ bind-9.16.6/lib/isc/ht.c
@@ -25,51 +25,274 @@ typedef struct isc_ht_node isc_ht_node_t
 #define ISC_HT_MAGIC	 ISC_MAGIC('H', 'T', 'a', 'b')
 #define ISC_HT_VALID(ht) ISC_MAGIC_VALID(ht, ISC_HT_MAGIC)
 
+#define HT_NO_BITS    0
+#define HT_MIN_BITS   1
+#define HT_MAX_BITS   32
+#define HT_OVERCOMMIT 3
+
+#define HT_NEXTTABLE(idx)      ((idx == 0) ? 1 : 0)
+#define TRY_NEXTTABLE(idx, ht) (idx == ht->hindex && rehashing_in_progress(ht))
+
+#define GOLDEN_RATIO_32 0x61C88647
+
+#define HASHSIZE(bits) (UINT64_C(1) << (bits))
+
 struct isc_ht_node {
 	void *value;
 	isc_ht_node_t *next;
+	uint32_t hashval;
 	size_t keysize;
-	unsigned char key[FLEXIBLE_ARRAY_MEMBER];
+	unsigned char key[];
 };
 
 struct isc_ht {
 	unsigned int magic;
 	isc_mem_t *mctx;
-	size_t size;
-	size_t mask;
-	unsigned int count;
-	isc_ht_node_t **table;
+	size_t count;
+	bool case_sensitive;
+	size_t size[2];
+	uint8_t hashbits[2];
+	isc_ht_node_t **table[2];
+	uint8_t hindex;
+	uint32_t hiter; /* rehashing iterator */
 };
 
 struct isc_ht_iter {
 	isc_ht_t *ht;
 	size_t i;
+	uint8_t hindex;
 	isc_ht_node_t *cur;
 };
 
+static isc_ht_node_t *
+isc__ht_find(const isc_ht_t *ht, const unsigned char *key,
+	     const uint32_t keysize, const uint32_t hashval, const uint8_t idx);
+static void
+isc__ht_add(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize,
+	    const uint32_t hashval, const uint8_t idx, void *value);
+static isc_result_t
+isc__ht_delete(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize,
+	       const uint32_t hashval, const uint8_t idx);
+
+static uint32_t
+rehash_bits(isc_ht_t *ht, size_t newcount);
+
+static void
+hashtable_new(isc_ht_t *ht, const uint8_t idx, const uint8_t bits);
+static void
+hashtable_free(isc_ht_t *ht, const uint8_t idx);
+static void
+hashtable_rehash(isc_ht_t *ht, uint32_t newbits);
+static void
+hashtable_rehash_one(isc_ht_t *ht);
+static void
+maybe_rehash(isc_ht_t *ht, size_t newcount);
+
+static isc_result_t
+isc__ht_iter_next(isc_ht_iter_t *it);
+
+static uint8_t maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+	0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+	0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
+	0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73,
+	0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+	0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83,
+	0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
+	0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
+	0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
+	0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3,
+	0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+	0xfc, 0xfd, 0xfe, 0xff
+};
+
+static int
+memcasecmp(const void *vs1, const void *vs2, size_t len) {
+	uint8_t const *s1 = vs1;
+	uint8_t const *s2 = vs2;
+	for (size_t i = 0; i < len; i++) {
+		uint8_t u1 = s1[i];
+		uint8_t u2 = s2[i];
+		int U1 = maptolower[u1];
+		int U2 = maptolower[u2];
+		int diff = U1 - U2;
+		if (diff) {
+			return diff;
+		}
+	}
+	return 0;
+}
+
+static bool
+isc__ht_node_match(isc_ht_node_t *node, const uint32_t hashval,
+		   const uint8_t *key, uint32_t keysize, bool case_sensitive) {
+	return (node->hashval == hashval && node->keysize == keysize &&
+		(case_sensitive ? (memcmp(node->key, key, keysize) == 0)
+				: (memcasecmp(node->key, key, keysize) == 0)));
+}
+
+static uint32_t
+hash_32(uint32_t val, unsigned int bits) {
+	REQUIRE(bits <= HT_MAX_BITS);
+	/* High bits are more random. */
+	return (val * GOLDEN_RATIO_32 >> (32 - bits));
+}
+
+static bool
+rehashing_in_progress(const isc_ht_t *ht) {
+	return (ht->table[HT_NEXTTABLE(ht->hindex)] != NULL);
+}
+
+static bool
+hashtable_is_overcommited(isc_ht_t *ht) {
+	return (ht->count >= (ht->size[ht->hindex] * HT_OVERCOMMIT));
+}
+
+static uint32_t
+rehash_bits(isc_ht_t *ht, size_t newcount) {
+	uint32_t newbits = ht->hashbits[ht->hindex];
+
+	while (newcount >= HASHSIZE(newbits) && newbits <= HT_MAX_BITS) {
+		newbits += 1;
+	}
+
+	return (newbits);
+}
+
+/*
+ * Rebuild the hashtable to reduce the load factor
+ */
+static void
+hashtable_rehash(isc_ht_t *ht, uint32_t newbits) {
+	uint8_t oldindex = ht->hindex;
+	uint32_t oldbits = ht->hashbits[oldindex];
+	uint8_t newindex = HT_NEXTTABLE(oldindex);
+
+	REQUIRE(ht->hashbits[oldindex] >= HT_MIN_BITS);
+	REQUIRE(ht->hashbits[oldindex] <= HT_MAX_BITS);
+	REQUIRE(ht->table[oldindex] != NULL);
+
+	REQUIRE(newbits <= HT_MAX_BITS);
+	REQUIRE(ht->hashbits[newindex] == HT_NO_BITS);
+	REQUIRE(ht->table[newindex] == NULL);
+
+	REQUIRE(newbits > oldbits);
+
+	hashtable_new(ht, newindex, newbits);
+
+	ht->hindex = newindex;
+
+	hashtable_rehash_one(ht);
+}
+
+static void
+hashtable_rehash_one(isc_ht_t *ht) {
+	isc_ht_node_t **newtable = ht->table[ht->hindex];
+	uint32_t oldsize = ht->size[HT_NEXTTABLE(ht->hindex)];
+	isc_ht_node_t **oldtable = ht->table[HT_NEXTTABLE(ht->hindex)];
+	isc_ht_node_t *node = NULL;
+	isc_ht_node_t *nextnode;
+
+	/* Find first non-empty node */
+	while (ht->hiter < oldsize && oldtable[ht->hiter] == NULL) {
+		ht->hiter++;
+	}
+
+	/* Rehashing complete */
+	if (ht->hiter == oldsize) {
+		hashtable_free(ht, HT_NEXTTABLE(ht->hindex));
+		ht->hiter = 0;
+		return;
+	}
+
+	/* Move the first non-empty node from old hashtable to new hashtable */
+	for (node = oldtable[ht->hiter]; node != NULL; node = nextnode) {
+		uint32_t hash = hash_32(node->hashval,
+					ht->hashbits[ht->hindex]);
+		nextnode = node->next;
+		node->next = newtable[hash];
+		newtable[hash] = node;
+	}
+
+	oldtable[ht->hiter] = NULL;
+
+	ht->hiter++;
+}
+
+static void
+maybe_rehash(isc_ht_t *ht, size_t newcount) {
+	uint32_t newbits = rehash_bits(ht, newcount);
+
+	if (ht->hashbits[ht->hindex] < newbits && newbits <= HT_MAX_BITS) {
+		hashtable_rehash(ht, newbits);
+	}
+}
+
+static void
+hashtable_new(isc_ht_t *ht, const uint8_t idx, const uint8_t bits) {
+	size_t size;
+	REQUIRE(ht->hashbits[idx] == HT_NO_BITS);
+	REQUIRE(ht->table[idx] == NULL);
+	REQUIRE(bits >= HT_MIN_BITS);
+	REQUIRE(bits <= HT_MAX_BITS);
+
+	ht->hashbits[idx] = bits;
+	ht->size[idx] = HASHSIZE(ht->hashbits[idx]);
+
+	size = ht->size[idx] * sizeof(isc_ht_node_t *);
+
+	ht->table[idx] = isc_mem_get(ht->mctx, size);
+	memset(ht->table[idx], 0, size);
+}
+
+static void
+hashtable_free(isc_ht_t *ht, const uint8_t idx) {
+	size_t size = ht->size[idx] * sizeof(isc_ht_node_t *);
+
+	for (size_t i = 0; i < ht->size[idx]; i++) {
+		isc_ht_node_t *node = ht->table[idx][i];
+		while (node != NULL) {
+			isc_ht_node_t *next = node->next;
+			ht->count--;
+			isc_mem_put(ht->mctx, node,
+				    sizeof(*node) + node->keysize);
+			node = next;
+		}
+	}
+
+	isc_mem_put(ht->mctx, ht->table[idx], size);
+	ht->hashbits[idx] = HT_NO_BITS;
+	ht->table[idx] = NULL;
+}
+
 isc_result_t
-isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
+isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits,
+	    unsigned int options) {
 	isc_ht_t *ht = NULL;
-	size_t i;
+	bool case_sensitive = ((options & ISC_HT_CASE_INSENSITIVE) == 0);
 
 	REQUIRE(htp != NULL && *htp == NULL);
 	REQUIRE(mctx != NULL);
-	REQUIRE(bits >= 1 && bits <= (sizeof(size_t) * 8 - 1));
+	REQUIRE(bits >= 1 && bits <= HT_MAX_BITS);
 
-	ht = isc_mem_get(mctx, sizeof(struct isc_ht));
+	ht = isc_mem_get(mctx, sizeof(*ht));
+	*ht = (isc_ht_t){
+		.case_sensitive = case_sensitive,
+	};
 
-	ht->mctx = NULL;
 	isc_mem_attach(mctx, &ht->mctx);
 
-	ht->size = ((size_t)1 << bits);
-	ht->mask = ((size_t)1 << bits) - 1;
-	ht->count = 0;
-
-	ht->table = isc_mem_get(ht->mctx, ht->size * sizeof(isc_ht_node_t *));
-
-	for (i = 0; i < ht->size; i++) {
-		ht->table[i] = NULL;
-	}
+	hashtable_new(ht, 0, bits);
 
 	ht->magic = ISC_HT_MAGIC;
 
@@ -80,126 +303,188 @@ isc_ht_init(isc_ht_t **htp, isc_mem_t *m
 void
 isc_ht_destroy(isc_ht_t **htp) {
 	isc_ht_t *ht;
-	size_t i;
 
 	REQUIRE(htp != NULL);
+	REQUIRE(ISC_HT_VALID(*htp));
 
 	ht = *htp;
 	*htp = NULL;
-
-	REQUIRE(ISC_HT_VALID(ht));
-
 	ht->magic = 0;
 
-	for (i = 0; i < ht->size; i++) {
-		isc_ht_node_t *node = ht->table[i];
-		while (node != NULL) {
-			isc_ht_node_t *next = node->next;
-			ht->count--;
-			isc_mem_put(ht->mctx, node,
-				    offsetof(isc_ht_node_t, key) +
-					    node->keysize);
-			node = next;
+	for (size_t i = 0; i <= 1; i++) {
+		if (ht->table[i] != NULL) {
+			hashtable_free(ht, i);
 		}
 	}
 
 	INSIST(ht->count == 0);
 
-	isc_mem_put(ht->mctx, ht->table, ht->size * sizeof(isc_ht_node_t *));
-	isc_mem_putanddetach(&ht->mctx, ht, sizeof(struct isc_ht));
+	isc_mem_putanddetach(&ht->mctx, ht, sizeof(*ht));
 }
 
-isc_result_t
-isc_ht_add(isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
-	   void *value) {
+static void
+isc__ht_add(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize,
+	    const uint32_t hashval, const uint8_t idx, void *value) {
 	isc_ht_node_t *node;
 	uint32_t hash;
 
+	hash = hash_32(hashval, ht->hashbits[idx]);
+
+	node = isc_mem_get(ht->mctx, sizeof(*node) + keysize);
+	*node = (isc_ht_node_t){
+		.keysize = keysize,
+		.hashval = hashval,
+		.next = ht->table[idx][hash],
+		.value = value,
+	};
+
+	memmove(node->key, key, keysize);
+
+	ht->count++;
+	ht->table[idx][hash] = node;
+}
+
+isc_result_t
+isc_ht_add(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize,
+	   void *value) {
+	uint32_t hashval;
+
 	REQUIRE(ISC_HT_VALID(ht));
 	REQUIRE(key != NULL && keysize > 0);
 
-	hash = isc_hash_function(key, keysize, true);
-	node = ht->table[hash & ht->mask];
-	while (node != NULL) {
-		if (keysize == node->keysize &&
-		    memcmp(key, node->key, keysize) == 0) {
-			return (ISC_R_EXISTS);
-		}
-		node = node->next;
+	if (rehashing_in_progress(ht)) {
+		/* Rehash in progress */
+		hashtable_rehash_one(ht);
+	} else if (hashtable_is_overcommited(ht)) {
+		/* Rehash requested */
+		maybe_rehash(ht, ht->count);
 	}
 
-	node = isc_mem_get(ht->mctx, offsetof(isc_ht_node_t, key) + keysize);
+	hashval = isc_hash32(key, keysize, ht->case_sensitive);
 
-	memmove(node->key, key, keysize);
-	node->keysize = keysize;
-	node->next = ht->table[hash & ht->mask];
-	node->value = value;
+	if (isc__ht_find(ht, key, keysize, hashval, ht->hindex) != NULL) {
+		return (ISC_R_EXISTS);
+	}
+
+	isc__ht_add(ht, key, keysize, hashval, ht->hindex, value);
 
-	ht->count++;
-	ht->table[hash & ht->mask] = node;
 	return (ISC_R_SUCCESS);
 }
 
+static isc_ht_node_t *
+isc__ht_find(const isc_ht_t *ht, const unsigned char *key,
+	     const uint32_t keysize, const uint32_t hashval,
+	     const uint8_t idx) {
+	uint32_t hash;
+	uint8_t findex = idx;
+
+nexttable:
+	hash = hash_32(hashval, ht->hashbits[findex]);
+	for (isc_ht_node_t *node = ht->table[findex][hash]; node != NULL;
+	     node = node->next)
+	{
+		if (isc__ht_node_match(node, hashval, key, keysize,
+				       ht->case_sensitive))
+		{
+			return (node);
+		}
+	}
+	if (TRY_NEXTTABLE(findex, ht)) {
+		/*
+		 * Rehashing in progress, check the other table
+		 */
+		findex = HT_NEXTTABLE(findex);
+		goto nexttable;
+	}
+
+	return (NULL);
+}
+
+
 isc_result_t
-isc_ht_find(const isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
-	    void **valuep) {
+isc_ht_find(const isc_ht_t *ht, const unsigned char *key,
+	    const uint32_t keysize, void **valuep) {
+	uint32_t hashval;
 	isc_ht_node_t *node;
-	uint32_t hash;
 
 	REQUIRE(ISC_HT_VALID(ht));
 	REQUIRE(key != NULL && keysize > 0);
 	REQUIRE(valuep == NULL || *valuep == NULL);
 
-	hash = isc_hash_function(key, keysize, true);
-	node = ht->table[hash & ht->mask];
-	while (node != NULL) {
-		if (keysize == node->keysize &&
-		    memcmp(key, node->key, keysize) == 0) {
-			if (valuep != NULL) {
-				*valuep = node->value;
-			}
-			return (ISC_R_SUCCESS);
-		}
-		node = node->next;
+	hashval = isc_hash32(key, keysize, ht->case_sensitive);
+
+	node = isc__ht_find(ht, key, keysize, hashval, ht->hindex);
+	if (node == NULL) {
+		return (ISC_R_NOTFOUND);
 	}
 
-	return (ISC_R_NOTFOUND);
+	if (valuep != NULL) {
+		*valuep = node->value;
+	}
+	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize) {
-	isc_ht_node_t *node, *prev;
+static isc_result_t
+isc__ht_delete(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize,
+	       const uint32_t hashval, const uint8_t idx) {
+	isc_ht_node_t *prev = NULL;
 	uint32_t hash;
 
-	REQUIRE(ISC_HT_VALID(ht));
-	REQUIRE(key != NULL && keysize > 0);
+	hash = hash_32(hashval, ht->hashbits[idx]);
 
-	prev = NULL;
-	hash = isc_hash_function(key, keysize, true);
-	node = ht->table[hash & ht->mask];
-	while (node != NULL) {
-		if (keysize == node->keysize &&
-		    memcmp(key, node->key, keysize) == 0) {
+	for (isc_ht_node_t *node = ht->table[idx][hash]; node != NULL;
+	     prev = node, node = node->next)
+	{
+		if (isc__ht_node_match(node, hashval, key, keysize,
+				       ht->case_sensitive))
+		{
 			if (prev == NULL) {
-				ht->table[hash & ht->mask] = node->next;
+				ht->table[idx][hash] = node->next;
 			} else {
 				prev->next = node->next;
 			}
 			isc_mem_put(ht->mctx, node,
-				    offsetof(isc_ht_node_t, key) +
-					    node->keysize);
+				    sizeof(*node) + node->keysize);
 			ht->count--;
 
 			return (ISC_R_SUCCESS);
 		}
-
-		prev = node;
-		node = node->next;
 	}
+
 	return (ISC_R_NOTFOUND);
 }
 
 isc_result_t
+isc_ht_delete(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize) {
+	uint32_t hashval;
+	uint8_t hindex;
+	isc_result_t result;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+
+	if (rehashing_in_progress(ht)) {
+		/* Rehash in progress */
+		hashtable_rehash_one(ht);
+	}
+
+	hindex = ht->hindex;
+	hashval = isc_hash32(key, keysize, ht->case_sensitive);
+nexttable:
+	result = isc__ht_delete(ht, key, keysize, hashval, hindex);
+
+	if (result == ISC_R_NOTFOUND && TRY_NEXTTABLE(hindex, ht)) {
+		/*
+		 * Rehashing in progress, check the other table
+		 */
+		hindex = HT_NEXTTABLE(hindex);
+		goto nexttable;
+	}
+
+	return (result);
+}
+
+isc_result_t
 isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
 	isc_ht_iter_t *it;
 
@@ -207,10 +492,10 @@ isc_ht_iter_create(isc_ht_t *ht, isc_ht_
 	REQUIRE(itp != NULL && *itp == NULL);
 
 	it = isc_mem_get(ht->mctx, sizeof(isc_ht_iter_t));
-
-	it->ht = ht;
-	it->i = 0;
-	it->cur = NULL;
+	*it = (isc_ht_iter_t){
+		.ht = ht,
+		.hindex = ht->hindex,
+	};
 
 	*itp = it;
 
@@ -227,25 +512,46 @@ isc_ht_iter_destroy(isc_ht_iter_t **itp)
 	it = *itp;
 	*itp = NULL;
 	ht = it->ht;
-	isc_mem_put(ht->mctx, it, sizeof(isc_ht_iter_t));
+	isc_mem_put(ht->mctx, it, sizeof(*it));
 }
 
 isc_result_t
 isc_ht_iter_first(isc_ht_iter_t *it) {
+	isc_ht_t *ht;
+
 	REQUIRE(it != NULL);
 
+	ht = it->ht;
+
+	it->hindex = ht->hindex;
 	it->i = 0;
-	while (it->i < it->ht->size && it->ht->table[it->i] == NULL) {
+
+	return (isc__ht_iter_next(it));
+}
+
+static isc_result_t
+isc__ht_iter_next(isc_ht_iter_t *it) {
+	isc_ht_t *ht = it->ht;
+
+	while (it->i < ht->size[it->hindex] &&
+	       ht->table[it->hindex][it->i] == NULL)
+	{
 		it->i++;
 	}
 
-	if (it->i == it->ht->size) {
-		return (ISC_R_NOMORE);
+	if (it->i < ht->size[it->hindex]) {
+		it->cur = ht->table[it->hindex][it->i];
+
+		return (ISC_R_SUCCESS);
 	}
 
-	it->cur = it->ht->table[it->i];
+	if (TRY_NEXTTABLE(it->hindex, ht)) {
+		it->hindex = HT_NEXTTABLE(it->hindex);
+		it->i = 0;
+		return (isc__ht_iter_next(it));
+	}
 
-	return (ISC_R_SUCCESS);
+	return (ISC_R_NOMORE);
 }
 
 isc_result_t
@@ -254,60 +560,36 @@ isc_ht_iter_next(isc_ht_iter_t *it) {
 	REQUIRE(it->cur != NULL);
 
 	it->cur = it->cur->next;
-	if (it->cur == NULL) {
-		do {
-			it->i++;
-		} while (it->i < it->ht->size && it->ht->table[it->i] == NULL);
-		if (it->i >= it->ht->size) {
-			return (ISC_R_NOMORE);
-		}
-		it->cur = it->ht->table[it->i];
+
+	if (it->cur != NULL) {
+		return (ISC_R_SUCCESS);
 	}
 
-	return (ISC_R_SUCCESS);
+	it->i++;
+
+	return (isc__ht_iter_next(it));
 }
 
 isc_result_t
 isc_ht_iter_delcurrent_next(isc_ht_iter_t *it) {
 	isc_result_t result = ISC_R_SUCCESS;
-	isc_ht_node_t *to_delete = NULL;
-	isc_ht_node_t *prev = NULL;
-	isc_ht_node_t *node = NULL;
-	uint32_t hash;
+	isc_ht_node_t *dnode = NULL;
+	uint8_t dindex;
 	isc_ht_t *ht;
+	isc_result_t dresult;
+
 	REQUIRE(it != NULL);
 	REQUIRE(it->cur != NULL);
-	to_delete = it->cur;
+
 	ht = it->ht;
+	dnode = it->cur;
+	dindex = it->hindex;
 
-	it->cur = it->cur->next;
-	if (it->cur == NULL) {
-		do {
-			it->i++;
-		} while (it->i < ht->size && ht->table[it->i] == NULL);
-		if (it->i >= ht->size) {
-			result = ISC_R_NOMORE;
-		} else {
-			it->cur = ht->table[it->i];
-		}
-	}
+	result = isc_ht_iter_next(it);
 
-	hash = isc_hash_function(to_delete->key, to_delete->keysize, true);
-	node = ht->table[hash & ht->mask];
-	while (node != to_delete) {
-		prev = node;
-		node = node->next;
-		INSIST(node != NULL);
-	}
-
-	if (prev == NULL) {
-		ht->table[hash & ht->mask] = node->next;
-	} else {
-		prev->next = node->next;
-	}
-	isc_mem_put(ht->mctx, node,
-		    offsetof(isc_ht_node_t, key) + node->keysize);
-	ht->count--;
+	dresult = isc__ht_delete(ht, dnode->key, dnode->keysize, dnode->hashval,
+				 dindex);
+	INSIST(dresult == ISC_R_SUCCESS);
 
 	return (result);
 }
@@ -332,8 +614,8 @@ isc_ht_iter_currentkey(isc_ht_iter_t *it
 	*keysize = it->cur->keysize;
 }
 
-unsigned int
-isc_ht_count(isc_ht_t *ht) {
+size_t
+isc_ht_count(const isc_ht_t *ht) {
 	REQUIRE(ISC_HT_VALID(ht));
 
 	return (ht->count);
Index: bind-9.16.6/lib/isc/include/isc/ht.h
===================================================================
--- bind-9.16.6.orig/lib/isc/include/isc/ht.h
+++ bind-9.16.6/lib/isc/include/isc/ht.h
@@ -11,8 +11,7 @@
 
 /* ! \file */
 
-#ifndef ISC_HT_H
-#define ISC_HT_H 1
+#pragma once
 
 #include <inttypes.h>
 #include <string.h>
@@ -23,9 +22,15 @@
 typedef struct isc_ht	   isc_ht_t;
 typedef struct isc_ht_iter isc_ht_iter_t;
 
+enum { ISC_HT_CASE_SENSITIVE = 0x00, ISC_HT_CASE_INSENSITIVE = 0x01 };
+
 /*%
  * Initialize hashtable at *htp, using memory context and size of (1<<bits)
  *
+ * If 'options' contains ISC_HT_CASE_INSENSITIVE, then upper- and lower-case
+ * letters in key values will generate the same hash values; this can be used
+ * when the key for a hash table is a DNS name.
+ *
  * Requires:
  *\li	'htp' is not NULL and '*htp' is NULL.
  *\li	'mctx' is a valid memory context.
@@ -36,7 +41,8 @@ typedef struct isc_ht_iter isc_ht_iter_t
  *\li	#ISC_R_SUCCESS		-- all is well.
  */
 isc_result_t
-isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits);
+isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits,
+	    unsigned int options);
 
 /*%
  * Destroy hashtable, freeing everything
@@ -53,6 +59,7 @@ isc_ht_destroy(isc_ht_t **htp);
  *
  * Requires:
  *\li	'ht' is a valid hashtable
+ *\li   write-lock
  *
  * Returns:
  *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
@@ -60,7 +67,7 @@ isc_ht_destroy(isc_ht_t **htp);
  *\li	#ISC_R_SUCCESS		-- all is well.
  */
 isc_result_t
-isc_ht_add(isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
+isc_ht_add(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize,
 	   void *value);
 
 /*%
@@ -71,27 +78,29 @@ isc_ht_add(isc_ht_t *ht, const unsigned
  *
  * Requires:
  * \li	'ht' is a valid hashtable
+ * \li  read-lock
  *
  * Returns:
  * \li	#ISC_R_SUCCESS		-- success
  * \li	#ISC_R_NOTFOUND		-- key not found
  */
 isc_result_t
-isc_ht_find(const isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
-	    void **valuep);
+isc_ht_find(const isc_ht_t *ht, const unsigned char *key,
+	    const uint32_t keysize, void **valuep);
 
 /*%
  * Delete node from hashtable
  *
  * Requires:
  *\li	ht is a valid hashtable
+ *\li   write-lock
  *
  * Returns:
  *\li	#ISC_R_NOTFOUND		-- key not found
  *\li	#ISC_R_SUCCESS		-- all is well
  */
 isc_result_t
-isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize);
+isc_ht_delete(isc_ht_t *ht, const unsigned char *key, const uint32_t keysize);
 
 /*%
  * Create an iterator for the hashtable; point '*itp' to it.
@@ -179,6 +188,5 @@ isc_ht_iter_currentkey(isc_ht_iter_t *it
  * Requires:
  *\li	'ht' is a valid hashtable
  */
-unsigned int
-isc_ht_count(isc_ht_t *ht);
-#endif /* ifndef ISC_HT_H */
+size_t
+isc_ht_count(const isc_ht_t *ht);
Index: bind-9.16.6/lib/isc/tests/ht_test.c
===================================================================
--- bind-9.16.6.orig/lib/isc/tests/ht_test.c
+++ bind-9.16.6/lib/isc/tests/ht_test.c
@@ -59,7 +59,7 @@ test_ht_full(int bits, uintptr_t count)
 	isc_result_t result;
 	uintptr_t i;
 
-	result = isc_ht_init(&ht, test_mctx, bits);
+	result = isc_ht_init(&ht, test_mctx, bits, ISC_HT_CASE_SENSITIVE);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_non_null(ht);
 
@@ -205,7 +205,7 @@ test_ht_iterator() {
 	unsigned char key[16];
 	size_t tksize;
 
-	result = isc_ht_init(&ht, test_mctx, 16);
+	result = isc_ht_init(&ht, test_mctx, 16, ISC_HT_CASE_SENSITIVE);
 	assert_int_equal(result, ISC_R_SUCCESS);
 	assert_non_null(ht);
 	for (i = 1; i <= count; i++) {
openSUSE Build Service is sponsored by