diff -pruN 1:9.11.4+dfsg-3/bin/named/server.c 1:9.11.4.P2+dfsg-1/bin/named/server.c
--- 1:9.11.4+dfsg-3/bin/named/server.c	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/named/server.c	2018-09-04 04:04:41.000000000 +0000
@@ -11145,7 +11145,7 @@ ns_server_freeze(ns_server_t *server, is
 		 isc_lex_t *lex, isc_buffer_t **text)
 {
 	isc_result_t result, tresult;
-	dns_zone_t *zone = NULL, *raw = NULL;
+	dns_zone_t *mayberaw = NULL, *raw = NULL;
 	dns_zonetype_t type;
 	char classstr[DNS_RDATACLASS_FORMATSIZE];
 	char zonename[DNS_NAME_FORMATSIZE];
@@ -11154,11 +11154,11 @@ ns_server_freeze(ns_server_t *server, is
 	isc_boolean_t frozen;
 	const char *msg = NULL;
 
-	result = zone_from_args(server, lex, NULL, &zone, NULL,
+	result = zone_from_args(server, lex, NULL, &mayberaw, NULL,
 				text, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	if (zone == NULL) {
+	if (mayberaw == NULL) {
 		result = isc_task_beginexclusive(server->task);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		tresult = ISC_R_SUCCESS;
@@ -11178,26 +11178,26 @@ ns_server_freeze(ns_server_t *server, is
 			      isc_result_totext(tresult));
 		return (tresult);
 	}
-	dns_zone_getraw(zone, &raw);
+	dns_zone_getraw(mayberaw, &raw);
 	if (raw != NULL) {
-		dns_zone_detach(&zone);
-		dns_zone_attach(raw, &zone);
+		dns_zone_detach(&mayberaw);
+		dns_zone_attach(raw, &mayberaw);
 		dns_zone_detach(&raw);
 	}
-	type = dns_zone_gettype(zone);
+	type = dns_zone_gettype(mayberaw);
 	if (type != dns_zone_master) {
-		dns_zone_detach(&zone);
+		dns_zone_detach(&mayberaw);
 		return (DNS_R_NOTMASTER);
 	}
 
-	if (freeze && !dns_zone_isdynamic(zone, ISC_TRUE)) {
-		dns_zone_detach(&zone);
+	if (freeze && !dns_zone_isdynamic(mayberaw, ISC_TRUE)) {
+		dns_zone_detach(&mayberaw);
 		return (DNS_R_NOTDYNAMIC);
 	}
 
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
-	frozen = dns_zone_getupdatedisabled(zone);
+	frozen = dns_zone_getupdatedisabled(mayberaw);
 	if (freeze) {
 		if (frozen) {
 			msg = "WARNING: The zone was already frozen.\n"
@@ -11206,16 +11206,16 @@ ns_server_freeze(ns_server_t *server, is
 			result = DNS_R_FROZEN;
 		}
 		if (result == ISC_R_SUCCESS) {
-			result = dns_zone_flush(zone);
+			result = dns_zone_flush(mayberaw);
 			if (result != ISC_R_SUCCESS)
 				msg = "Flushing the zone updates to "
 				      "disk failed.";
 		}
 		if (result == ISC_R_SUCCESS)
-			dns_zone_setupdatedisabled(zone, freeze);
+			dns_zone_setupdatedisabled(mayberaw, freeze);
 	} else {
 		if (frozen) {
-			result = dns_zone_loadandthaw(zone);
+			result = dns_zone_loadandthaw(mayberaw);
 			switch (result) {
 			case ISC_R_SUCCESS:
 			case DNS_R_UPTODATE:
@@ -11238,7 +11238,7 @@ ns_server_freeze(ns_server_t *server, is
 		(void) putnull(text);
 	}
 
-	view = dns_zone_getview(zone);
+	view = dns_zone_getview(mayberaw);
 	if (strcmp(view->name, "_default") == 0 ||
 	    strcmp(view->name, "_bind") == 0)
 	{
@@ -11248,9 +11248,9 @@ ns_server_freeze(ns_server_t *server, is
 		vname = view->name;
 		sep = " ";
 	}
-	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+	dns_rdataclass_format(dns_zone_getclass(mayberaw), classstr,
 			      sizeof(classstr));
-	dns_name_format(dns_zone_getorigin(zone),
+	dns_name_format(dns_zone_getorigin(mayberaw),
 			zonename, sizeof(zonename));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@@ -11258,7 +11258,7 @@ ns_server_freeze(ns_server_t *server, is
 		      freeze ? "freezing" : "thawing",
 		      zonename, classstr, sep, vname,
 		      isc_result_totext(result));
-	dns_zone_detach(&zone);
+	dns_zone_detach(&mayberaw);
 	return (result);
 }
 
diff -pruN 1:9.11.4+dfsg-3/bin/named/zoneconf.c 1:9.11.4.P2+dfsg-1/bin/named/zoneconf.c
--- 1:9.11.4+dfsg-3/bin/named/zoneconf.c	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/named/zoneconf.c	2018-09-04 04:04:41.000000000 +0000
@@ -1223,7 +1223,7 @@ ns_zone_configure(const cfg_obj_t *confi
 			dns_zone_setoption(raw, DNS_ZONEOPT_IXFRFROMDIFFS,
 					   ISC_TRUE);
 			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
-					   ISC_TRUE);
+					   ISC_FALSE);
 		} else
 			dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
 					   ixfrdiff);
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/chain/ns7/named.conf.in 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/ns7/named.conf.in
--- 1:9.11.4+dfsg-3/bin/tests/system/chain/ns7/named.conf.in	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/ns7/named.conf.in	2018-09-04 04:04:41.000000000 +0000
@@ -20,6 +20,12 @@ options {
 	listen-on-v6 { fd92:7065:b8e:ffff::7; };
 	recursion yes;
 	allow-recursion { any; };
+	dnssec-validation yes;
+	deny-answer-aliases {
+		"example";
+	} except-from {
+		"example";
+	};
 };
 
 key rndc_key {
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/chain/tests.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/tests.sh
--- 1:9.11.4+dfsg-3/bin/tests/system/chain/tests.sh	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/chain/tests.sh	2018-09-04 04:04:41.000000000 +0000
@@ -248,5 +248,22 @@ $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking explicit DNAME query ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME via ANY query ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/clean.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/clean.sh
--- 1:9.11.4+dfsg-3/bin/tests/system/inline/clean.sh	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/clean.sh	2018-09-04 04:04:41.000000000 +0000
@@ -73,6 +73,10 @@ rm -f ns3/nsec3.db
 rm -f ns3/nsec3.db.jnl
 rm -f ns3/nsec3.db.signed
 rm -f ns3/nsec3.db.signed.jnl
+rm -f ns3/delayedkeys.db
+rm -f ns3/delayedkeys.db.jnl
+rm -f ns3/delayedkeys.db.signed
+rm -f ns3/delayedkeys.db.signed.jnl
 rm -f ns3/removedkeys-primary.db
 rm -f ns3/removedkeys-primary.db.jnl
 rm -f ns3/removedkeys-primary.db.signed
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/master5.db.in 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/master5.db.in
--- 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/master5.db.in	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/master5.db.in	2018-09-04 04:04:41.000000000 +0000
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns3 . (
+				2000042411 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns3			A	10.53.0.3
+
+c			A	10.0.0.3
+e			A	10.0.0.5
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/named.conf.in 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/named.conf.in
--- 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/named.conf.in	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/named.conf.in	2018-09-04 04:04:41.000000000 +0000
@@ -58,6 +58,10 @@ zone "master" {
 	inline-signing yes;
 	auto-dnssec maintain;
 	file "master.db";
+	notify explicit;
+	also-notify {
+		10.53.0.3;
+	};
 };
 
 zone "dynamic" {
@@ -141,6 +145,13 @@ zone "nokeys" {
 	file "nokeys.bk";
 };
 
+zone "delayedkeys" {
+	type master;
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "delayedkeys.db";
+};
+
 zone "removedkeys-primary" {
 	type master;
 	inline-signing yes;
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/sign.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/sign.sh
--- 1:9.11.4+dfsg-3/bin/tests/system/inline/ns3/sign.sh	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/ns3/sign.sh	2018-09-04 04:04:41.000000000 +0000
@@ -96,6 +96,14 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSAS
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
+zone=delayedkeys
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+# Keys for the "delayedkeys" zone should not be initially accessible.
+mv K${zone}.+*+*.* ../
+
 zone=removedkeys-primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/setup.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/setup.sh
--- 1:9.11.4+dfsg-3/bin/tests/system/inline/setup.sh	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/setup.sh	2018-09-04 04:04:41.000000000 +0000
@@ -33,6 +33,7 @@ cp ns3/master.db.in ns3/updated.db
 cp ns3/master.db.in ns3/expired.db
 cp ns3/master.db.in ns3/nsec3.db
 cp ns3/master.db.in ns3/externalkey.db
+cp ns3/master.db.in ns3/delayedkeys.db
 cp ns3/master.db.in ns3/removedkeys-primary.db
 
 mkdir ns3/removedkeys
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/inline/tests.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/tests.sh
--- 1:9.11.4+dfsg-3/bin/tests/system/inline/tests.sh	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/inline/tests.sh	2018-09-04 04:04:41.000000000 +0000
@@ -879,6 +879,31 @@ if [ $ret != 0 ]; then echo_i "failed";
 status=`expr $status + $ret`
 
 n=`expr $n + 1`
+echo_i "check that reloading all zones does not cause zone maintenance to cease for inline-signed zones ($n)"
+ret=1
+# Ensure "rndc reload" attempts to load ns3/master.db by waiting 1 second so
+# that the master file modification time has no possibility of being equal to
+# the one stored during server startup.
+sleep 1
+nextpart ns3/named.run > /dev/null
+cp ns3/master5.db.in ns3/master.db
+$RNDCCMD 10.53.0.3 reload 2>&1 | sed 's/^/ns3 /' | cat_i
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	if nextpart ns3/named.run | grep "zone master.*sending notifies" > /dev/null; then
+		ret=0
+		break
+	fi
+	sleep 1
+done
+# Sanity check: master file updates should be reflected in the signed zone,
+# i.e. SOA RNAME should no longer be set to "hostmaster".
+$DIG $DIGOPTS @10.53.0.3 master SOA > dig.out.ns3.test$n || ret=1
+grep "hostmaster" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
 echo_i "test add/del zone combinations ($n)"
 ret=0
 for zone in a b c d e f g h i j k l m n o p q r s t u v w x y z
@@ -1247,7 +1272,61 @@ grep "RRSIG" dig.out.ns3.test$n > /dev/n
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+# Check that the master file $2 for zone $1 does not contain RRSIG records
+# while the journal file for that zone does contain them.
+ensure_sigs_only_in_journal() {
+	origin="$1"
+	masterfile="$2"
+	$CHECKZONE -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null && ret=1
+	$CHECKZONE -j -i none -f raw -D -o - "$origin" "$masterfile" 2>&1 | grep -w RRSIG > /dev/null || ret=1
+}
+
 n=`expr $n + 1`
+echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
+ret=0
+# Signing keys for the "delayedkeys" zone are not yet accessible.  Thus, the
+# zone file for the signed version of the zone will contain no DNSSEC records.
+# Move keys into place now and load them, which will cause DNSSEC records to
+# only be present in the journal for the signed version of the zone.
+mv Kdelayedkeys* ns3/
+$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+# Wait until the zone is signed.
+ans=1
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	$RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1
+	num=`grep "Done signing with" signing.out.test$n | wc -l`
+	if [ $num -eq 2 ]; then
+		ans=0
+		break
+	fi
+	sleep 1
+done
+if [ $ans != 0 ]; then ret=1; fi
+# Halt rather than stopping the server to prevent the master file from being
+# flushed upon shutdown since we specifically want to avoid it.
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} . ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns3
+# At this point, the raw zone journal will not have a source serial set.  Upon
+# server startup, receive_secure_serial() will rectify that, update SOA, resign
+# it, and schedule its future resign.  This will cause "rndc zonestatus" to
+# return delayedkeys/SOA as the next node to resign, so we restart the server
+# once again; with the raw zone journal now having a source serial set,
+# receive_secure_serial() should refrain from introducing any zone changes.
+$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --halt --port ${CONTROLPORT} . ns3
+ensure_sigs_only_in_journal delayedkeys ns3/delayedkeys.db.signed
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns3
+# We can now test whether the secure zone journal was correctly processed:
+# unless the records contained in it were scheduled for resigning, no resigning
+# event will be scheduled at all since the secure zone master file contains no
+# DNSSEC records.
+$RNDCCMD 10.53.0.3 zonestatus delayedkeys > rndc.out.ns3.post.test$n 2>&1 || ret=1
+grep "next resign node:" rndc.out.ns3.post.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
 echo_i "check that zonestatus reports 'type: master' for a inline master zone ($n)"
 ret=0
 $RNDCCMD 10.53.0.3 zonestatus master > rndc.out.ns3.test$n
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/resolver/tests.sh 1:9.11.4.P2+dfsg-1/bin/tests/system/resolver/tests.sh
--- 1:9.11.4+dfsg-3/bin/tests/system/resolver/tests.sh	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/resolver/tests.sh	2018-09-04 04:04:41.000000000 +0000
@@ -204,6 +204,7 @@ n=`expr $n + 1`
 echo_i "checking DNAME target filtering (deny) ($n)"
 ret=0
 $DIG $DIGOPTS +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
 grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
diff -pruN 1:9.11.4+dfsg-3/bin/tests/system/stop.pl 1:9.11.4.P2+dfsg-1/bin/tests/system/stop.pl
--- 1:9.11.4+dfsg-3/bin/tests/system/stop.pl	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/bin/tests/system/stop.pl	2018-09-04 04:04:41.000000000 +0000
@@ -31,11 +31,12 @@ use Getopt::Long;
 #
 #   server          Name of the server directory.
 
-my $usage = "usage: $0 [--use-rndc [--port port]] test-directory [server-directory]";
+my $usage = "usage: $0 [--use-rndc [--halt] [--port port]] test-directory [server-directory]";
 
 my $use_rndc = 0;
+my $halt = 0;
 my $port = 9953;
-GetOptions('use-rndc' => \$use_rndc, 'port=i' => \$port) or die "$usage\n";
+GetOptions('use-rndc' => \$use_rndc, 'halt' => \$halt, 'port=i' => \$port) or die "$usage\n";
 
 my $errors = 0;
 
@@ -134,9 +135,10 @@ sub stop_rndc {
 
 	return unless ($server =~ /^ns(\d+)$/);
 	my $ip = "10.53.0.$1";
+	my $how = $halt ? "halt" : "stop";
 
 	# Ugly, but should work.
-	system("$ENV{RNDC} -c ../common/rndc.conf -s $ip -p $port stop | sed 's/^/I:$server /'");
+	system("$ENV{RNDC} -c ../common/rndc.conf -s $ip -p $port $how | sed 's/^/I:$server /'");
 	return;
 }
 
diff -pruN 1:9.11.4+dfsg-3/CHANGES 1:9.11.4.P2+dfsg-1/CHANGES
--- 1:9.11.4+dfsg-3/CHANGES	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/CHANGES	2018-09-04 04:04:41.000000000 +0000
@@ -1,3 +1,24 @@
+	--- 9.11.4-P2 released ---
+
+5022.	[doc]		Update ms-self, ms-subdomain, krb5-self, and
+			krb5-subdomain documentation. [GL !708]
+
+5015.	[bug]		Reloading all zones caused zone maintenance to cease
+			for inline-signed zones. [GL #435]
+
+5014.	[bug]		Signatures loaded from the journal for the signed
+			version of an inline-signed zone were not scheduled for
+			refresh. [GL #482]
+
+5004.	[bug]		'rndc reconfig' could cause inline zones to stop
+			re-signing. [GL #439]
+
+	--- 9.11.4-P1 released ---
+
+4997.	[security]	named could crash during recursive processing
+			of DNAME records when "deny-answer-aliases" was
+			in use. (CVE-2018-5740) [GL #387]
+
 	--- 9.11.4 released ---
 
 	--- 9.11.4rc2 released ---
diff -pruN 1:9.11.4+dfsg-3/debian/bind9.preinst 1:9.11.4.P2+dfsg-1/debian/bind9.preinst
--- 1:9.11.4+dfsg-3/debian/bind9.preinst	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/bind9.preinst	2018-09-10 08:36:06.000000000 +0000
@@ -0,0 +1,49 @@
+#!/bin/sh
+# preinst script for bind9
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    install|upgrade)
+	if [ -n "$2" ] && dpkg --compare-versions "$2" lt "1:9.11.2+dfsg-6"; then
+	    theirs=$(md5sum /etc/bind/named.conf.options | sed 's/ .*$//')
+	    mine=56919cbc0d819c9a303a8bdeb306b5f1
+	    if [ "$mine" = "$theirs" ]; then
+		mv /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old
+	    fi
+	fi
+    ;;
+
+    abort-upgrade)
+	if [ ! -f "/etc/bind/named.conf.options" ] && [ -f "/etc/bind/named.conf.options.dpkg-old" ]; then
+	    theirs=$(md5sum /etc/bind/named.conf.options.dpkg-old | sed 's/ .*$//')
+	    mine=56919cbc0d819c9a303a8bdeb306b5f1
+	    if [ "$mine" = "$theirs" ]; then
+		mv /etc/bind/named.conf.options.dpkg-old /etc/bind/named.conf.options
+	    fi
+	fi
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff -pruN 1:9.11.4+dfsg-3/debian/bind9.service 1:9.11.4.P2+dfsg-1/debian/bind9.service
--- 1:9.11.4+dfsg-3/debian/bind9.service	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/bind9.service	2018-09-10 08:36:06.000000000 +0000
@@ -7,7 +7,7 @@ Before=nss-lookup.target
 
 [Service]
 Type=forking
-EnvironmentFile=/etc/default/bind9
+EnvironmentFile=-/etc/default/bind9
 ExecStart=/usr/sbin/named $OPTIONS
 ExecReload=/usr/sbin/rndc reload
 ExecStop=/usr/sbin/rndc stop
diff -pruN 1:9.11.4+dfsg-3/debian/changelog 1:9.11.4.P2+dfsg-1/debian/changelog
--- 1:9.11.4+dfsg-3/debian/changelog	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/changelog	2018-09-10 08:36:06.000000000 +0000
@@ -1,3 +1,40 @@
+bind9 (1:9.11.4.P2+dfsg-1) unstable; urgency=medium
+
+  [ Bernhard Schmidt ]
+  * Add a very simple autopkgtest (dig @127.0.0.1)
+
+  [ OndÅ™ej SurÃ½ ]
+  * New upstream version 9.11.4.P2+dfsg
+  * Rebase patches for BIND 9.11.4-P2
+
+ -- OndÅ™ej SurÃ½ <ondrej@debian.org>  Mon, 10 Sep 2018 08:36:06 +0000
+
+bind9 (1:9.11.4.P1+dfsg-1) unstable; urgency=medium
+
+  [ Timo Aaltonen ]
+  * skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
+    crashing on startup. (LP: #1769440)
+
+  [ Bernhard Schmidt ]
+  * Add gbp.conf for pristine-tar usage
+  * d/watch: Properly deal with -P patch releases
+
+  [ OndÅ™ej SurÃ½ ]
+  * Don't fail to start if /etc/default/bind9 doesn't exist
+  * New upstream version 9.11.4.P1+dfsg
+  * Rebase patches for BIND 9.11.4-P1
+  * Add new dst__openssleddsa_init optional symbol (it depends on OpenSSL version) (Closes: #897643)
+  * Put aside named.conf.option from stretch when upgrading (Closes: #905177)
+
+ -- OndÅ™ej SurÃ½ <ondrej@debian.org>  Fri, 31 Aug 2018 09:53:27 +0000
+
+bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
+
+  * Brown-paper-bag release :-(
+  * Fix missing colon in AppArmor profile (Closes: #904983)
+
+ -- Bernhard Schmidt <berni@debian.org>  Mon, 30 Jul 2018 16:28:21 +0200
+
 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
 
   * Enable IDN support for dig+host using libidn2 (Closes: #459010)
diff -pruN 1:9.11.4+dfsg-3/debian/extras/apparmor.d/usr.sbin.named 1:9.11.4.P2+dfsg-1/debian/extras/apparmor.d/usr.sbin.named
--- 1:9.11.4+dfsg-3/debian/extras/apparmor.d/usr.sbin.named	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/extras/apparmor.d/usr.sbin.named	2018-09-10 08:36:06.000000000 +0000
@@ -30,7 +30,7 @@
   /etc/ssl/openssl.cnf r,
 
   # root hints from dns-data-root
-  /usr/share/dns/root.* r
+  /usr/share/dns/root.* r,
 
   # GeoIP data files for GeoIP ACLs
   /usr/share/GeoIP/** r,
diff -pruN 1:9.11.4+dfsg-3/debian/gbp.conf 1:9.11.4.P2+dfsg-1/debian/gbp.conf
--- 1:9.11.4+dfsg-3/debian/gbp.conf	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/gbp.conf	2018-09-10 08:36:06.000000000 +0000
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+
diff -pruN 1:9.11.4+dfsg-3/debian/libdns1102.symbols 1:9.11.4.P2+dfsg-1/debian/libdns1102.symbols
--- 1:9.11.4+dfsg-3/debian/libdns1102.symbols	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/libdns1102.symbols	2018-09-10 08:36:06.000000000 +0000
@@ -3063,6 +3063,7 @@ libdns.so.1102 libdns1102 #MINVER#
  dst__openssldh_init@Base 1:9.11.3+dfsg
  dst__openssldsa_init@Base 1:9.11.3+dfsg
  dst__opensslecdsa_init@Base 1:9.11.3+dfsg
+ (optional)dst__openssleddsa_init@Base 1:9.11.4.P1+dfsg
  dst__opensslrsa_init@Base 1:9.11.3+dfsg
  dst__privstruct_free@Base 1:9.11.3+dfsg
  dst__privstruct_parse@Base 1:9.11.3+dfsg
diff -pruN 1:9.11.4+dfsg-3/debian/patches/02_version.diff 1:9.11.4.P2+dfsg-1/debian/patches/02_version.diff
--- 1:9.11.4+dfsg-3/debian/patches/02_version.diff	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/patches/02_version.diff	2018-09-10 08:36:06.000000000 +0000
@@ -8,12 +8,12 @@ Subject: _version
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/version b/version
-index 112781d..3a38745 100644
+index 83a92e8..7e8da78 100644
 --- a/version
 +++ b/version
 @@ -8,4 +8,4 @@ MINORVER=11
  PATCHVER=4
- RELEASETYPE=
- RELEASEVER=
+ RELEASETYPE=-P
+ RELEASEVER=2
 -EXTENSIONS=
 +EXTENSIONS="$(dpkg-parsechangelog --file=../debian/changelog | sed -n '/^Version/s/[^-]*//p')-$(dpkg-vendor --query Vendor)"
diff -pruN 1:9.11.4+dfsg-3/debian/patches/10_min-cache-ttl.diff 1:9.11.4.P2+dfsg-1/debian/patches/10_min-cache-ttl.diff
--- 1:9.11.4+dfsg-3/debian/patches/10_min-cache-ttl.diff	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/patches/10_min-cache-ttl.diff	2018-09-10 08:36:06.000000000 +0000
@@ -35,7 +35,7 @@ index 54bc37f..9efd7a5 100644
  	minimal-any false;\n\
  	minimal-responses false;\n\
 diff --git a/bin/named/server.c b/bin/named/server.c
-index 59a8998..ced3e9be 100644
+index 0c8939d..ad84414 100644
 --- a/bin/named/server.c
 +++ b/bin/named/server.c
 @@ -3703,6 +3703,18 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
@@ -164,7 +164,7 @@ index 2b6d134..74c6215 100644
  						trust = rdataset->trust;
  					/*
 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 8f674a2..511b34c 100644
+index 41d1385..dab2f70 100644
 --- a/lib/dns/resolver.c
 +++ b/lib/dns/resolver.c
 @@ -562,7 +562,9 @@ static isc_boolean_t fctx_unlink(fetchctx_t *fctx);
diff -pruN 1:9.11.4+dfsg-3/debian/patches/series 1:9.11.4.P2+dfsg-1/debian/patches/series
--- 1:9.11.4+dfsg-3/debian/patches/series	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/patches/series	2018-09-10 08:36:06.000000000 +0000
@@ -8,3 +8,4 @@
 75_ctxstart_no_sighandling.diff
 80_reproducible_build.diff
 Add_--install-layout=deb_to_setup.py_call.patch
+skip-rtld-deepbind-for-dyndb.diff
diff -pruN 1:9.11.4+dfsg-3/debian/patches/skip-rtld-deepbind-for-dyndb.diff 1:9.11.4.P2+dfsg-1/debian/patches/skip-rtld-deepbind-for-dyndb.diff
--- 1:9.11.4+dfsg-3/debian/patches/skip-rtld-deepbind-for-dyndb.diff	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/patches/skip-rtld-deepbind-for-dyndb.diff	2018-09-10 08:36:06.000000000 +0000
@@ -0,0 +1,24 @@
+From: BIND 9 Package <bind9@package.debian.org>
+Date: Fri, 31 Aug 2018 08:42:51 +0000
+Subject: skip-rtld-deepbind-for-dyndb
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1410433
+https://bugs.launchpad.net/bugs/1769440
+---
+ lib/dns/dyndb.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
+index e21a84c..ac18162 100644
+--- a/lib/dns/dyndb.c
++++ b/lib/dns/dyndb.c
+@@ -133,9 +133,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+ 		      instname, filename);
+ 
+ 	flags = RTLD_NOW|RTLD_LOCAL;
+-#ifdef RTLD_DEEPBIND
+-	flags |= RTLD_DEEPBIND;
+-#endif
+ 
+ 	handle = dlopen(filename, flags);
+ 	if (handle == NULL)
diff -pruN 1:9.11.4+dfsg-3/debian/tests/control 1:9.11.4.P2+dfsg-1/debian/tests/control
--- 1:9.11.4+dfsg-3/debian/tests/control	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/tests/control	2018-09-10 08:36:06.000000000 +0000
@@ -0,0 +1,3 @@
+Tests: simpletest
+Restrictions: needs-root, isolation-container
+Depends: bind9, dnsutils
diff -pruN 1:9.11.4+dfsg-3/debian/tests/simpletest 1:9.11.4.P2+dfsg-1/debian/tests/simpletest
--- 1:9.11.4+dfsg-3/debian/tests/simpletest	1970-01-01 00:00:00.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/tests/simpletest	2018-09-10 08:36:06.000000000 +0000
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+setup() {
+	service bind9 stop
+	service bind9 start
+}
+
+run() {
+	dig -x 127.0.0.1 @127.0.0.1
+}
+
+teardown() {
+	service bind9 stop
+}
+
+setup
+run
+teardown
+
diff -pruN 1:9.11.4+dfsg-3/debian/watch 1:9.11.4.P2+dfsg-1/debian/watch
--- 1:9.11.4+dfsg-3/debian/watch	2018-07-29 21:26:09.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/debian/watch	2018-09-10 08:36:06.000000000 +0000
@@ -4,8 +4,8 @@ opts=\
 repack,\
 compression=xz,\
 repacksuffix=+dfsg,\
-uversionmangle=s/((rc|b)\d+)$/~$1/,\
-dirversionmangle=s/((rc|b)\d+)$/~$1/,\
+uversionmangle=s/((rc|b)\d+)$/~$1/;s/-P(\d+)$/.P$1/,\
+dirversionmangle=s/((rc|b)\d+)$/~$1/;s/-P(\d+)$/.P$1/,\
 dversionmangle=s/\.dfsg\./-/;s/[\.\+]dfsg$//,\
 pgpsigurlmangle=s/$/.asc/ \
-  https://ftp.isc.org/isc/bind9/(9\.11\.\d\S+)/ bind-@ANY_VERSION@\.tar\.gz
+  https://ftp.isc.org/isc/bind9/(9\.11\.\d+(?:(?:rc|b|-P)\d)?)/ bind-@ANY_VERSION@\.tar\.gz
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM-book.xml 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM-book.xml
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM-book.xml	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM-book.xml	2018-09-04 04:04:41.000000000 +0000
@@ -12548,7 +12548,7 @@ example.com. NS ns2.example.net.
 	      has been used to create a shared secret, the identity of
 	      the key used to authenticate the TKEY exchange will be
 	      used as the identity of the shared secret.  Some rule types
-	      use indentities matching the client's Kerberos principal
+	      use identities matching the client's Kerberos principal
 	      (e.g, <userinput>"host/machine@REALM"</userinput>) or
 	      Windows realm (<userinput>machine$@REALM</userinput>).
 	    </para>
@@ -12709,12 +12709,26 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This rule takes a Windows machine principal
-			(machine$@REALM) for machine in REALM and
-			and converts it machine.realm allowing the machine
-			to update machine.realm.  The REALM to be matched
-			is specified in the <replaceable>identity</replaceable>
-			field.  The name field should be set to "."
+			When a client sends an UPDATE using a Windows
+			machine principal (for example, 'machine$@REALM'),
+			this rule allows records with the absolute name
+			of 'machine.REALM' to be updated.
+		      </para>
+		      <para>
+			The realm to be matched is specified in the
+			<replaceable>identity</replaceable> field.
+		      </para>
+		      <para>
+			The <replaceable>name</replaceable> field has
+			no effect on this rule; it should be set to "."
+			as a placeholder.
+		      </para>
+		      <para>
+			For example,
+			<userinput>grant EXAMPLE.COM ms-self . A AAAA</userinput>
+			allows any machine with a valid principal in
+			the realm <userinput>EXAMPLE.COM</userinput> to update
+			its own address records.
 		      </para>
 		    </entry>
 		  </row>
@@ -12725,13 +12739,32 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This rule takes a Windows machine principal
-			(machine$@REALM) for machine in REALM and
-			converts it to machine.realm allowing the machine
-			to update subdomains of machine.realm.  The REALM
-			to be matched is specified in the
+			When a client sends an UPDATE using a Windows
+			machine principal (for example, 'machine$@REALM'),
+			this rule allows any machine in the specified
+			realm to update any record in the zone or in a
+			specified subdomain of the zone.
+		      </para>
+		      <para>
+			The realm to be matched is specified in the
 			<replaceable>identity</replaceable> field.
 		      </para>
+		      <para>
+			The <replaceable>name</replaceable> field
+			specifies the subdomain that may be updated.
+			If set to "." (or any other name at or above
+			the zone apex), any name in the zone can be
+			updated.
+		      </para>
+		      <para>
+			For example, if <command>update-policy</command>
+			for the zone "example.com" includes
+			<userinput>grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA</userinput>,
+			any machine with a valid principal in
+			the realm <userinput>EXAMPLE.COM</userinput> will
+			be able to update address records at or below
+			"hosts.example.com".
+		      </para>
 		    </entry>
 		  </row>
 		  <row rowsep="0">
@@ -12741,12 +12774,32 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This rule takes a Kerberos machine principal
-			(host/machine@REALM) for machine in REALM and
-			and converts it machine.realm allowing the machine
-			to update machine.realm.  The REALM to be matched
-			is specified in the <replaceable>identity</replaceable>
-			field. The name field should be set to "."
+			When a client sends an UPDATE using a
+			Kerberos machine principal (for example,
+			'host/machine@REALM'), this rule allows
+			records with the absolute name of 'machine'
+			to be updated provided it has been authenticated
+			by REALM.  This is similar but not identical
+			to <command>ms-self</command> due to the
+			'machine' part of the Kerberos principal
+			being an absolute name instead of a unqualified
+			name.
+		      </para>
+		      <para>
+			The realm to be matched is specified in the
+			<replaceable>identity</replaceable> field.
+		      </para>
+		      <para>
+			The <replaceable>name</replaceable> field has
+			no effect on this rule; it should be set to "."
+			as a placeholder.
+		      </para>
+		      <para>
+			For example,
+			<userinput>grant EXAMPLE.COM krb5-self . A AAAA</userinput>
+			allows any machine with a valid principal in
+			the realm <userinput>EXAMPLE.COM</userinput> to update
+			its own address records.
 		      </para>
 		    </entry>
 		  </row>
@@ -12757,13 +12810,11 @@ example.com. NS ns2.example.net.
 		      </para>
 		    </entry> <entry colname="2">
 		      <para>
-			This rule takes a Kerberos machine principal
-			(host/machine@REALM) for machine in REALM and
-			converts it to machine.realm allowing the machine
-			to update subdomains of machine.realm.  The REALM
-			to be matched is specified in the
-			<replaceable>identity</replaceable> field. The
-			name field should be set to "."
+			This rule is identical to
+			<command>ms-subdomain</command>, except that it works
+			with Kerberos machine principals (i.e.,
+			'host/machine@REALM') rather than Windows machine
+			principals.
 		      </para>
 		    </entry>
 		  </row>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch01.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch01.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch01.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch01.html	2018-09-04 04:04:41.000000000 +0000
@@ -616,6 +616,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch02.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch02.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch02.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch02.html	2018-09-04 04:04:41.000000000 +0000
@@ -151,6 +151,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch03.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch03.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch03.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch03.html	2018-09-04 04:04:41.000000000 +0000
@@ -759,6 +759,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch04.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch04.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch04.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch04.html	2018-09-04 04:04:41.000000000 +0000
@@ -2867,6 +2867,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch05.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch05.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch05.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch05.html	2018-09-04 04:04:41.000000000 +0000
@@ -142,6 +142,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch06.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch06.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch06.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch06.html	2018-09-04 04:04:41.000000000 +0000
@@ -10397,7 +10397,7 @@ example.com. NS ns2.example.net.
               has been used to create a shared secret, the identity of
               the key used to authenticate the TKEY exchange will be
               used as the identity of the shared secret.  Some rule types
-              use indentities matching the client's Kerberos principal
+              use identities matching the client's Kerberos principal
               (e.g, <strong class="userinput"><code>"host/machine@REALM"</code></strong>) or
               Windows realm (<strong class="userinput"><code>machine$@REALM</code></strong>).
             </p>
@@ -10567,12 +10567,26 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This rule takes a Windows machine principal
-                        (machine$@REALM) for machine in REALM and
-                        and converts it machine.realm allowing the machine
-                        to update machine.realm.  The REALM to be matched
-                        is specified in the <em class="replaceable"><code>identity</code></em>
-                        field.  The name field should be set to "."
+                        When a client sends an UPDATE using a Windows
+                        machine principal (for example, 'machine$@REALM'),
+                        this rule allows records with the absolute name
+                        of 'machine.REALM' to be updated.
+                      </p>
+                      <p>
+                        The realm to be matched is specified in the
+                        <em class="replaceable"><code>identity</code></em> field.
+                      </p>
+                      <p>
+                        The <em class="replaceable"><code>name</code></em> field has
+                        no effect on this rule; it should be set to "."
+                        as a placeholder.
+                      </p>
+                      <p>
+                        For example,
+                        <strong class="userinput"><code>grant EXAMPLE.COM ms-self . A AAAA</code></strong>
+                        allows any machine with a valid principal in
+                        the realm <strong class="userinput"><code>EXAMPLE.COM</code></strong> to update
+                        its own address records.
                       </p>
                     </td>
 </tr>
@@ -10584,13 +10598,32 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This rule takes a Windows machine principal
-                        (machine$@REALM) for machine in REALM and
-                        converts it to machine.realm allowing the machine
-                        to update subdomains of machine.realm.  The REALM
-                        to be matched is specified in the
+                        When a client sends an UPDATE using a Windows
+                        machine principal (for example, 'machine$@REALM'),
+                        this rule allows any machine in the specified
+                        realm to update any record in the zone or in a
+                        specified subdomain of the zone.
+                      </p>
+                      <p>
+                        The realm to be matched is specified in the
                         <em class="replaceable"><code>identity</code></em> field.
                       </p>
+                      <p>
+                        The <em class="replaceable"><code>name</code></em> field
+                        specifies the subdomain that may be updated.
+                        If set to "." (or any other name at or above
+                        the zone apex), any name in the zone can be
+                        updated.
+                      </p>
+                      <p>
+                        For example, if <span class="command"><strong>update-policy</strong></span>
+                        for the zone "example.com" includes
+                        <strong class="userinput"><code>grant EXAMPLE.COM ms-subdomain hosts.example.com. A AAAA</code></strong>,
+                        any machine with a valid principal in
+                        the realm <strong class="userinput"><code>EXAMPLE.COM</code></strong> will
+                        be able to update address records at or below
+                        "hosts.example.com".
+                      </p>
                     </td>
 </tr>
 <tr>
@@ -10601,12 +10634,32 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This rule takes a Kerberos machine principal
-                        (host/machine@REALM) for machine in REALM and
-                        and converts it machine.realm allowing the machine
-                        to update machine.realm.  The REALM to be matched
-                        is specified in the <em class="replaceable"><code>identity</code></em>
-                        field. The name field should be set to "."
+                        When a client sends an UPDATE using a
+                        Kerberos machine principal (for example,
+                        'host/machine@REALM'), this rule allows
+                        records with the absolute name of 'machine'
+                        to be updated provided it has been authenticated
+                        by REALM.  This is similar but not identical
+                        to <span class="command"><strong>ms-self</strong></span> due to the
+                        'machine' part of the Kerberos principal
+                        being an absolute name instead of a unqualified
+                        name.
+                      </p>
+                      <p>
+                        The realm to be matched is specified in the
+                        <em class="replaceable"><code>identity</code></em> field.
+                      </p>
+                      <p>
+                        The <em class="replaceable"><code>name</code></em> field has
+                        no effect on this rule; it should be set to "."
+                        as a placeholder.
+                      </p>
+                      <p>
+                        For example,
+                        <strong class="userinput"><code>grant EXAMPLE.COM krb5-self . A AAAA</code></strong>
+                        allows any machine with a valid principal in
+                        the realm <strong class="userinput"><code>EXAMPLE.COM</code></strong> to update
+                        its own address records.
                       </p>
                     </td>
 </tr>
@@ -10618,13 +10671,11 @@ example.com. NS ns2.example.net.
                     </td>
 <td>
                       <p>
-                        This rule takes a Kerberos machine principal
-                        (host/machine@REALM) for machine in REALM and
-                        converts it to machine.realm allowing the machine
-                        to update subdomains of machine.realm.  The REALM
-                        to be matched is specified in the
-                        <em class="replaceable"><code>identity</code></em> field. The
-                        name field should be set to "."
+                        This rule is identical to
+                        <span class="command"><strong>ms-subdomain</strong></span>, except that it works
+                        with Kerberos machine principals (i.e.,
+                        'host/machine@REALM') rather than Windows machine
+                        principals.
                       </p>
                     </td>
 </tr>
@@ -14573,6 +14624,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch07.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch07.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch07.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch07.html	2018-09-04 04:04:41.000000000 +0000
@@ -399,6 +399,6 @@ allow-query { !{ !10/8; any; }; key exam
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch08.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch08.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch08.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch08.html	2018-09-04 04:04:41.000000000 +0000
@@ -136,6 +136,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch09.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch09.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch09.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch09.html	2018-09-04 04:04:41.000000000 +0000
@@ -36,7 +36,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.4-P2</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -44,7 +44,6 @@
 <dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
@@ -54,7 +53,7 @@
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.4</h2></div></div></div>
+<a name="id-1.10.2"></a>Release Notes for BIND Version 9.11.4-P2</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -122,50 +121,27 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-	<p>
-	  When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
-	  and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
-	  should be limited to local networks, but they were inadvertently set
-	  to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
-	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-	</p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
-	  mechanism. This enables validating resolvers to indicate
-	  which trust anchors are configured for the root, so that
-	  information about root key rollover status can be gathered.
-	  To disable this feature, add
-	  <span class="command"><strong>root-key-sentinel no;</strong></span> to
-	  <code class="filename">named.conf</code>.
+	  There was a long-existing flaw in the documentation for
+	  <span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
+	  <span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
+	  rules in <span class="command"><strong>update-policy</strong></span> statements.  Though
+	  the policies worked as intended, operators who configured their
+	  servers according to the misleading documentation may have
+	  thought zone updates were more restricted than they were;
+	  users of these rule types are advised to review the documentation
+	  and correct their configurations if necessary.  New rule types
+	  matching the previously documented behavior will be introduced
+	  in a future maintenance release. [GL !708]
 	</p>
       </li>
 <li class="listitem">
 	<p>
-	  Added the ability not to return a DNS COOKIE option when one
-	  is present in the request.  To prevent a cookie being returned,
-	  add <span class="command"><strong>answer-cookie no;</strong></span> to
-	  <code class="filename">named.conf</code>. [GL #173]
-	</p>
-	<p>
-	  <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
-	  temporary measure, for use when <span class="command"><strong>named</strong></span>
-	  shares an IP address with other servers that do not yet
-	  support DNS COOKIE.  A mismatch between servers on the
-	  same address is not expected to cause operational problems,
-	  but the option to disable COOKIE responses so that all
-	  servers have the same behavior is provided out of an
-	  abundance of caution. DNS COOKIE is an important security
-	  mechanism, and should not be disabled unless absolutely
-	  necessary.
+	  <span class="command"><strong>named</strong></span> could crash during recursive processing
+	  of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
+	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
 	</p>
       </li>
 </ul></div>
@@ -173,13 +149,10 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> will now log a warning if the old
-	  BIND now can be compiled against libidn2 library to add
-	  IDNA2008 support.  Previously BIND only supported IDNA2003
-	  using (now obsolete) idnkit-1 library.
+	  None.
 	</p>
       </li></ul></div>
   </div>
@@ -187,25 +160,11 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
-	  processing on the input domain name, when BIND is compiled
-	  with IDN support.
-	</p>
-      </li>
-<li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
-	  supported.  The first <span class="command"><strong>cookie-secret</strong></span> in
-	  <code class="filename">named.conf</code> is used to generate new
-	  server cookies.  Any others are used to accept old server
-	  cookies or those generated by other servers using the
-	  matching <span class="command"><strong>cookie-secret</strong></span>.
+	  None.
 	</p>
-      </li>
-</ul></div>
+      </li></ul></div>
   </div>
 
   <div class="section">
@@ -214,18 +173,28 @@
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> now rejects excessively large
-	  incremental (IXFR) zone transfers in order to prevent
-	  possible corruption of journal files which could cause
-	  <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
-	</p>
+         Running <span class="command"><strong>rndc reconfig</strong></span> could cause
+         <span class="command"><strong>inline-signing</strong></span> to stop signing. [GL #439]
+       </p>
       </li>
 <li class="listitem">
-	<p>
-	  <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
-	  to leak memory if it was invoked before the zone loading actions
-	  from a previous <span class="command"><strong>rndc reload</strong></span> command were
-	  completed. [RT #47076]
+       <p>
+         Reloading all zones caused zone maintenance to stop for
+         <span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
+       </p>
+      </li>
+<li class="listitem">
+       <p>
+         Signatures loaded from the journal for the signed version
+         <span class="command"><strong>inline-signing</strong></span> zone were not scheduled for
+         refresh. [GL #482]
+       </p>
+      </li>
+<li class="listitem">
+       <p>
+         A referral response with a non-empty ANSWER section was
+         incorrectly treated as an error; this caused certain domains
+         to be non-resolvable. [GL #390]
 	</p>
       </li>
 </ul></div>
@@ -271,6 +240,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch10.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch10.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch10.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch10.html	2018-09-04 04:04:41.000000000 +0000
@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch11.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch11.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch11.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch11.html	2018-09-04 04:04:41.000000000 +0000
@@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch12.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch12.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch12.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch12.html	2018-09-04 04:04:41.000000000 +0000
@@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch13.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch13.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.ch13.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.ch13.html	2018-09-04 04:04:41.000000000 +0000
@@ -213,6 +213,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.html 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.html
--- 1:9.11.4+dfsg-3/doc/arm/Bv9ARM.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/Bv9ARM.html	2018-09-04 04:04:41.000000000 +0000
@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.11.4</p></div>
+<div><p class="releaseinfo">BIND Version 9.11.4-P2</p></div>
 <div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@@ -241,7 +241,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.4</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.11.4-P2</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt>
@@ -249,7 +249,6 @@
 <dt><span class="section"><a href="Bv9ARM.ch09.html#win_support">Legacy Windows No Longer Supported</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt>
-<dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_removed">Removed Features</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_bugs">Bug Fixes</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch09.html#end_of_life">End of Life</a></span></dt>
@@ -443,6 +442,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.arpaname.html 1:9.11.4.P2+dfsg-1/doc/arm/man.arpaname.html
--- 1:9.11.4+dfsg-3/doc/arm/man.arpaname.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.arpaname.html	2018-09-04 04:04:41.000000000 +0000
@@ -91,6 +91,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.ddns-confgen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.ddns-confgen.html
--- 1:9.11.4+dfsg-3/doc/arm/man.ddns-confgen.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.ddns-confgen.html	2018-09-04 04:04:41.000000000 +0000
@@ -236,6 +236,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.delv.html 1:9.11.4.P2+dfsg-1/doc/arm/man.delv.html
--- 1:9.11.4+dfsg-3/doc/arm/man.delv.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.delv.html	2018-09-04 04:04:41.000000000 +0000
@@ -624,6 +624,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dig.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dig.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dig.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dig.html	2018-09-04 04:04:41.000000000 +0000
@@ -1108,6 +1108,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-checkds.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-checkds.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-checkds.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-checkds.html	2018-09-04 04:04:41.000000000 +0000
@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-coverage.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-coverage.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-coverage.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-coverage.html	2018-09-04 04:04:41.000000000 +0000
@@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-dsfromkey.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-dsfromkey.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-dsfromkey.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-dsfromkey.html	2018-09-04 04:04:41.000000000 +0000
@@ -289,6 +289,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-importkey.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-importkey.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-importkey.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-importkey.html	2018-09-04 04:04:41.000000000 +0000
@@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keyfromlabel.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keyfromlabel.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keyfromlabel.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keyfromlabel.html	2018-09-04 04:04:41.000000000 +0000
@@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keygen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keygen.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keygen.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keygen.html	2018-09-04 04:04:41.000000000 +0000
@@ -579,6 +579,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keymgr.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keymgr.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-keymgr.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-keymgr.html	2018-09-04 04:04:41.000000000 +0000
@@ -398,6 +398,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-revoke.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-revoke.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-revoke.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-revoke.html	2018-09-04 04:04:41.000000000 +0000
@@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-settime.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-settime.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-settime.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-settime.html	2018-09-04 04:04:41.000000000 +0000
@@ -349,6 +349,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-signzone.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-signzone.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-signzone.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-signzone.html	2018-09-04 04:04:41.000000000 +0000
@@ -708,6 +708,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnssec-verify.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-verify.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnssec-verify.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnssec-verify.html	2018-09-04 04:04:41.000000000 +0000
@@ -202,6 +202,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.dnstap-read.html 1:9.11.4.P2+dfsg-1/doc/arm/man.dnstap-read.html
--- 1:9.11.4+dfsg-3/doc/arm/man.dnstap-read.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.dnstap-read.html	2018-09-04 04:04:41.000000000 +0000
@@ -134,6 +134,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.genrandom.html 1:9.11.4.P2+dfsg-1/doc/arm/man.genrandom.html
--- 1:9.11.4+dfsg-3/doc/arm/man.genrandom.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.genrandom.html	2018-09-04 04:04:41.000000000 +0000
@@ -127,6 +127,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.host.html 1:9.11.4.P2+dfsg-1/doc/arm/man.host.html
--- 1:9.11.4+dfsg-3/doc/arm/man.host.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.host.html	2018-09-04 04:04:41.000000000 +0000
@@ -366,6 +366,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.isc-hmac-fixup.html 1:9.11.4.P2+dfsg-1/doc/arm/man.isc-hmac-fixup.html
--- 1:9.11.4+dfsg-3/doc/arm/man.isc-hmac-fixup.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.isc-hmac-fixup.html	2018-09-04 04:04:41.000000000 +0000
@@ -126,6 +126,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.lwresd.html 1:9.11.4.P2+dfsg-1/doc/arm/man.lwresd.html
--- 1:9.11.4+dfsg-3/doc/arm/man.lwresd.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.lwresd.html	2018-09-04 04:04:41.000000000 +0000
@@ -329,6 +329,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.mdig.html 1:9.11.4.P2+dfsg-1/doc/arm/man.mdig.html
--- 1:9.11.4+dfsg-3/doc/arm/man.mdig.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.mdig.html	2018-09-04 04:04:41.000000000 +0000
@@ -609,6 +609,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-checkconf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkconf.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named-checkconf.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkconf.html	2018-09-04 04:04:41.000000000 +0000
@@ -192,6 +192,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-checkzone.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkzone.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named-checkzone.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-checkzone.html	2018-09-04 04:04:41.000000000 +0000
@@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named.conf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named.conf.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named.conf.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named.conf.html	2018-09-04 04:04:41.000000000 +0000
@@ -1035,6 +1035,6 @@ zone <em class="replaceable"><code>strin
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named.html	2018-09-04 04:04:41.000000000 +0000
@@ -490,6 +490,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-journalprint.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-journalprint.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named-journalprint.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-journalprint.html	2018-09-04 04:04:41.000000000 +0000
@@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-nzd2nzf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-nzd2nzf.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named-nzd2nzf.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-nzd2nzf.html	2018-09-04 04:04:41.000000000 +0000
@@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.named-rrchecker.html 1:9.11.4.P2+dfsg-1/doc/arm/man.named-rrchecker.html
--- 1:9.11.4+dfsg-3/doc/arm/man.named-rrchecker.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.named-rrchecker.html	2018-09-04 04:04:41.000000000 +0000
@@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.nsec3hash.html 1:9.11.4.P2+dfsg-1/doc/arm/man.nsec3hash.html
--- 1:9.11.4+dfsg-3/doc/arm/man.nsec3hash.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.nsec3hash.html	2018-09-04 04:04:41.000000000 +0000
@@ -131,6 +131,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.nslookup.html 1:9.11.4.P2+dfsg-1/doc/arm/man.nslookup.html
--- 1:9.11.4+dfsg-3/doc/arm/man.nslookup.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.nslookup.html	2018-09-04 04:04:41.000000000 +0000
@@ -419,6 +419,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.nsupdate.html 1:9.11.4.P2+dfsg-1/doc/arm/man.nsupdate.html
--- 1:9.11.4+dfsg-3/doc/arm/man.nsupdate.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.nsupdate.html	2018-09-04 04:04:41.000000000 +0000
@@ -817,6 +817,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-destroy.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-destroy.html
--- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-destroy.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-destroy.html	2018-09-04 04:04:41.000000000 +0000
@@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-keygen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-keygen.html
--- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-keygen.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-keygen.html	2018-09-04 04:04:41.000000000 +0000
@@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-list.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-list.html
--- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-list.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-list.html	2018-09-04 04:04:41.000000000 +0000
@@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-tokens.html 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-tokens.html
--- 1:9.11.4+dfsg-3/doc/arm/man.pkcs11-tokens.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.pkcs11-tokens.html	2018-09-04 04:04:41.000000000 +0000
@@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.rndc-confgen.html 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc-confgen.html
--- 1:9.11.4+dfsg-3/doc/arm/man.rndc-confgen.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc-confgen.html	2018-09-04 04:04:41.000000000 +0000
@@ -277,6 +277,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.rndc.conf.html 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.conf.html
--- 1:9.11.4+dfsg-3/doc/arm/man.rndc.conf.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.conf.html	2018-09-04 04:04:41.000000000 +0000
@@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/man.rndc.html 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.html
--- 1:9.11.4+dfsg-3/doc/arm/man.rndc.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/man.rndc.html	2018-09-04 04:04:41.000000000 +0000
@@ -889,6 +889,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4 (Extended Support Version)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.4-P2 (Extended Support Version)</p>
 </body>
 </html>
diff -pruN 1:9.11.4+dfsg-3/doc/arm/notes.html 1:9.11.4.P2+dfsg-1/doc/arm/notes.html
--- 1:9.11.4+dfsg-3/doc/arm/notes.html	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/notes.html	2018-09-04 04:04:41.000000000 +0000
@@ -15,7 +15,7 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.11.4</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.11.4-P2</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -83,50 +83,27 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_security"></a>Security Fixes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
-	<p>
-	  When recursion is enabled but the <span class="command"><strong>allow-recursion</strong></span>
-	  and <span class="command"><strong>allow-query-cache</strong></span> ACLs are not specified, they
-	  should be limited to local networks, but they were inadvertently set
-	  to match the default <span class="command"><strong>allow-query</strong></span>, thus allowing
-	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
-	</p>
-      </li></ul></div>
-  </div>
-
-  <div class="section">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> now supports the "root key sentinel"
-	  mechanism. This enables validating resolvers to indicate
-	  which trust anchors are configured for the root, so that
-	  information about root key rollover status can be gathered.
-	  To disable this feature, add
-	  <span class="command"><strong>root-key-sentinel no;</strong></span> to
-	  <code class="filename">named.conf</code>.
+	  There was a long-existing flaw in the documentation for
+	  <span class="command"><strong>ms-self</strong></span>, <span class="command"><strong>krb5-self</strong></span>,
+	  <span class="command"><strong>ms-subdomain</strong></span>, and <span class="command"><strong>krb5-subdomain</strong></span>
+	  rules in <span class="command"><strong>update-policy</strong></span> statements.  Though
+	  the policies worked as intended, operators who configured their
+	  servers according to the misleading documentation may have
+	  thought zone updates were more restricted than they were;
+	  users of these rule types are advised to review the documentation
+	  and correct their configurations if necessary.  New rule types
+	  matching the previously documented behavior will be introduced
+	  in a future maintenance release. [GL !708]
 	</p>
       </li>
 <li class="listitem">
 	<p>
-	  Added the ability not to return a DNS COOKIE option when one
-	  is present in the request.  To prevent a cookie being returned,
-	  add <span class="command"><strong>answer-cookie no;</strong></span> to
-	  <code class="filename">named.conf</code>. [GL #173]
-	</p>
-	<p>
-	  <span class="command"><strong>answer-cookie no</strong></span> is only intended as a
-	  temporary measure, for use when <span class="command"><strong>named</strong></span>
-	  shares an IP address with other servers that do not yet
-	  support DNS COOKIE.  A mismatch between servers on the
-	  same address is not expected to cause operational problems,
-	  but the option to disable COOKIE responses so that all
-	  servers have the same behavior is provided out of an
-	  abundance of caution. DNS COOKIE is an important security
-	  mechanism, and should not be disabled unless absolutely
-	  necessary.
+	  <span class="command"><strong>named</strong></span> could crash during recursive processing
+	  of DNAME records when <span class="command"><strong>deny-answer-aliases</strong></span> was
+	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
 	</p>
       </li>
 </ul></div>
@@ -134,13 +111,10 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="relnotes_removed"></a>Removed Features</h3></div></div></div>
+<a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> will now log a warning if the old
-	  BIND now can be compiled against libidn2 library to add
-	  IDNA2008 support.  Previously BIND only supported IDNA2003
-	  using (now obsolete) idnkit-1 library.
+	  None.
 	</p>
       </li></ul></div>
   </div>
@@ -148,25 +122,11 @@
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
-    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
-<li class="listitem">
-	<p>
-	  <span class="command"><strong>dig +noidnin</strong></span> can be used to disable IDN
-	  processing on the input domain name, when BIND is compiled
-	  with IDN support.
-	</p>
-      </li>
-<li class="listitem">
+    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  Multiple <span class="command"><strong>cookie-secret</strong></span> clause are now
-	  supported.  The first <span class="command"><strong>cookie-secret</strong></span> in
-	  <code class="filename">named.conf</code> is used to generate new
-	  server cookies.  Any others are used to accept old server
-	  cookies or those generated by other servers using the
-	  matching <span class="command"><strong>cookie-secret</strong></span>.
+	  None.
 	</p>
-      </li>
-</ul></div>
+      </li></ul></div>
   </div>
 
   <div class="section">
@@ -175,18 +135,28 @@
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
 <li class="listitem">
 	<p>
-	  <span class="command"><strong>named</strong></span> now rejects excessively large
-	  incremental (IXFR) zone transfers in order to prevent
-	  possible corruption of journal files which could cause
-	  <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
-	</p>
+         Running <span class="command"><strong>rndc reconfig</strong></span> could cause
+         <span class="command"><strong>inline-signing</strong></span> to stop signing. [GL #439]
+       </p>
       </li>
 <li class="listitem">
-	<p>
-	  <span class="command"><strong>rndc reload</strong></span> could cause <span class="command"><strong>named</strong></span>
-	  to leak memory if it was invoked before the zone loading actions
-	  from a previous <span class="command"><strong>rndc reload</strong></span> command were
-	  completed. [RT #47076]
+       <p>
+         Reloading all zones caused zone maintenance to stop for
+         <span class="command"><strong>inline-signing</strong></span> zones. [GL #435]
+       </p>
+      </li>
+<li class="listitem">
+       <p>
+         Signatures loaded from the journal for the signed version
+         <span class="command"><strong>inline-signing</strong></span> zone were not scheduled for
+         refresh. [GL #482]
+       </p>
+      </li>
+<li class="listitem">
+       <p>
+         A referral response with a non-empty ANSWER section was
+         incorrectly treated as an error; this caused certain domains
+         to be non-resolvable. [GL #390]
 	</p>
       </li>
 </ul></div>
Binary files 1:9.11.4+dfsg-3/doc/arm/notes.pdf and 1:9.11.4.P2+dfsg-1/doc/arm/notes.pdf differ
diff -pruN 1:9.11.4+dfsg-3/doc/arm/notes.txt 1:9.11.4.P2+dfsg-1/doc/arm/notes.txt
--- 1:9.11.4+dfsg-3/doc/arm/notes.txt	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/notes.txt	2018-09-04 04:04:41.000000000 +0000
@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.11.4
+Release Notes for BIND Version 9.11.4-P2
 
 Introduction
 
@@ -41,58 +41,42 @@ from ISC.
 
 Security Fixes
 
-  * When recursion is enabled but the allow-recursion and
-    allow-query-cache ACLs are not specified, they should be limited to
-    local networks, but they were inadvertently set to match the default
-    allow-query, thus allowing remote queries. This flaw is disclosed in
-    CVE-2018-5738. [GL #309]
+  * There was a long-existing flaw in the documentation for ms-self,
+    krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
+    statements. Though the policies worked as intended, operators who
+    configured their servers according to the misleading documentation may
+    have thought zone updates were more restricted than they were; users
+    of these rule types are advised to review the documentation and
+    correct their configurations if necessary. New rule types matching the
+    previously documented behavior will be introduced in a future
+    maintenance release. [GL !708]
+
+  * named could crash during recursive processing of DNAME records when
+    deny-answer-aliases was in use. This flaw is disclosed in
+    CVE-2018-5740. [GL #387]
 
 New Features
 
-  * named now supports the "root key sentinel" mechanism. This enables
-    validating resolvers to indicate which trust anchors are configured
-    for the root, so that information about root key rollover status can
-    be gathered. To disable this feature, add root-key-sentinel no; to
-    named.conf.
-
-  * Added the ability not to return a DNS COOKIE option when one is
-    present in the request. To prevent a cookie being returned, add
-    answer-cookie no; to named.conf. [GL #173]
-
-    answer-cookie no is only intended as a temporary measure, for use when
-    named shares an IP address with other servers that do not yet support
-    DNS COOKIE. A mismatch between servers on the same address is not
-    expected to cause operational problems, but the option to disable
-    COOKIE responses so that all servers have the same behavior is
-    provided out of an abundance of caution. DNS COOKIE is an important
-    security mechanism, and should not be disabled unless absolutely
-    necessary.
-
-Removed Features
-
-  * named will now log a warning if the old BIND now can be compiled
-    against libidn2 library to add IDNA2008 support. Previously BIND only
-    supported IDNA2003 using (now obsolete) idnkit-1 library.
+  * None.
 
 Feature Changes
 
-  * dig +noidnin can be used to disable IDN processing on the input domain
-    name, when BIND is compiled with IDN support.
-
-  * Multiple cookie-secret clause are now supported. The first
-    cookie-secret in named.conf is used to generate new server cookies.
-    Any others are used to accept old server cookies or those generated by
-    other servers using the matching cookie-secret.
+  * None.
 
 Bug Fixes
 
-  * named now rejects excessively large incremental (IXFR) zone transfers
-    in order to prevent possible corruption of journal files which could
-    cause named to abort when loading zones. [GL #339]
-
-  * rndc reload could cause named to leak memory if it was invoked before
-    the zone loading actions from a previous rndc reload command were
-    completed. [RT #47076]
+  * Running rndc reconfig could cause inline-signing to stop signing. [GL
+    #439]
+
+  * Reloading all zones caused zone maintenance to stop for inline-signing
+    zones. [GL #435]
+
+  * Signatures loaded from the journal for the signed version
+    inline-signing zone were not scheduled for refresh. [GL #482]
+
+  * A referral response with a non-empty ANSWER section was incorrectly
+    treated as an error; this caused certain domains to be non-resolvable.
+    [GL #390]
 
 End of Life
 
diff -pruN 1:9.11.4+dfsg-3/doc/arm/notes.xml 1:9.11.4.P2+dfsg-1/doc/arm/notes.xml
--- 1:9.11.4+dfsg-3/doc/arm/notes.xml	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/doc/arm/notes.xml	2018-09-04 04:04:41.000000000 +0000
@@ -78,60 +78,34 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  When recursion is enabled but the <command>allow-recursion</command>
-	  and <command>allow-query-cache</command> ACLs are not specified, they
-	  should be limited to local networks, but they were inadvertently set
-	  to match the default <command>allow-query</command>, thus allowing
-	  remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+	  There was a long-existing flaw in the documentation for
+	  <command>ms-self</command>, <command>krb5-self</command>,
+	  <command>ms-subdomain</command>, and <command>krb5-subdomain</command>
+	  rules in <command>update-policy</command> statements.  Though
+	  the policies worked as intended, operators who configured their
+	  servers according to the misleading documentation may have
+	  thought zone updates were more restricted than they were;
+	  users of these rule types are advised to review the documentation
+	  and correct their configurations if necessary.  New rule types
+	  matching the previously documented behavior will be introduced
+	  in a future maintenance release. [GL !708]
 	</para>
       </listitem>
-    </itemizedlist>
-  </section>
-
-  <section xml:id="relnotes_features"><info><title>New Features</title></info>
-    <itemizedlist>
       <listitem>
 	<para>
-	  <command>named</command> now supports the "root key sentinel"
-	  mechanism. This enables validating resolvers to indicate
-	  which trust anchors are configured for the root, so that
-	  information about root key rollover status can be gathered.
-	  To disable this feature, add
-	  <command>root-key-sentinel no;</command> to
-	  <filename>named.conf</filename>.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Added the ability not to return a DNS COOKIE option when one
-	  is present in the request.  To prevent a cookie being returned,
-	  add <command>answer-cookie no;</command> to
-	  <filename>named.conf</filename>. [GL #173]
-	</para>
-	<para>
-	  <command>answer-cookie no</command> is only intended as a
-	  temporary measure, for use when <command>named</command>
-	  shares an IP address with other servers that do not yet
-	  support DNS COOKIE.  A mismatch between servers on the
-	  same address is not expected to cause operational problems,
-	  but the option to disable COOKIE responses so that all
-	  servers have the same behavior is provided out of an
-	  abundance of caution. DNS COOKIE is an important security
-	  mechanism, and should not be disabled unless absolutely
-	  necessary.
+	  <command>named</command> could crash during recursive processing
+	  of DNAME records when <command>deny-answer-aliases</command> was
+	  in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
 	</para>
       </listitem>
     </itemizedlist>
   </section>
 
-  <section xml:id="relnotes_removed"><info><title>Removed Features</title></info>
+  <section xml:id="relnotes_features"><info><title>New Features</title></info>
     <itemizedlist>
       <listitem>
 	<para>
-	  <command>named</command> will now log a warning if the old
-	  BIND now can be compiled against libidn2 library to add
-	  IDNA2008 support.  Previously BIND only supported IDNA2003
-	  using (now obsolete) idnkit-1 library.
+	  None.
 	</para>
       </listitem>
     </itemizedlist>
@@ -141,19 +115,7 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  <command>dig +noidnin</command> can be used to disable IDN
-	  processing on the input domain name, when BIND is compiled
-	  with IDN support.
-	</para>
-      </listitem>
-      <listitem>
-	<para>
-	  Multiple <command>cookie-secret</command> clause are now
-	  supported.  The first <command>cookie-secret</command> in
-	  <filename>named.conf</filename> is used to generate new
-	  server cookies.  Any others are used to accept old server
-	  cookies or those generated by other servers using the
-	  matching <command>cookie-secret</command>.
+	  None.
 	</para>
       </listitem>
     </itemizedlist>
@@ -163,18 +125,28 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  <command>named</command> now rejects excessively large
-	  incremental (IXFR) zone transfers in order to prevent
-	  possible corruption of journal files which could cause
-	  <command>named</command> to abort when loading zones. [GL #339]
-	</para>
+         Running <command>rndc reconfig</command> could cause
+         <command>inline-signing</command> to stop signing. [GL #439]
+       </para>
       </listitem>
       <listitem>
-	<para>
-	  <command>rndc reload</command> could cause <command>named</command>
-	  to leak memory if it was invoked before the zone loading actions
-	  from a previous <command>rndc reload</command> command were
-	  completed. [RT #47076]
+       <para>
+         Reloading all zones caused zone maintenance to stop for
+         <command>inline-signing</command> zones. [GL #435]
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         Signatures loaded from the journal for the signed version
+         <command>inline-signing</command> zone were not scheduled for
+         refresh. [GL #482]
+       </para>
+      </listitem>
+      <listitem>
+       <para>
+         A referral response with a non-empty ANSWER section was
+         incorrectly treated as an error; this caused certain domains
+         to be non-resolvable. [GL #390]
 	</para>
       </listitem>
     </itemizedlist>
diff -pruN 1:9.11.4+dfsg-3/lib/dns/api 1:9.11.4.P2+dfsg-1/lib/dns/api
--- 1:9.11.4+dfsg-3/lib/dns/api	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/lib/dns/api	2018-09-04 04:04:41.000000000 +0000
@@ -9,5 +9,5 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 LIBINTERFACE = 1103
-LIBREVISION = 0
+LIBREVISION = 2
 LIBAGE = 1
diff -pruN 1:9.11.4+dfsg-3/lib/dns/resolver.c 1:9.11.4.P2+dfsg-1/lib/dns/resolver.c
--- 1:9.11.4+dfsg-3/lib/dns/resolver.c	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/lib/dns/resolver.c	2018-09-04 04:04:41.000000000 +0000
@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx
 	unsigned int nlabels;
 	dns_fixedname_t fixed;
 	dns_name_t prefix;
+	int order;
 
 	REQUIRE(rdataset != NULL);
 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx
 		tname = &cname.cname;
 		break;
 	case dns_rdatatype_dname:
+		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+		    dns_namereln_subdomain)
+		{
+			return (ISC_TRUE);
+		}
 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_name_init(&prefix, NULL);
 		tname = dns_fixedname_initname(&fixed);
-		nlabels = dns_name_countlabels(qname) -
-			  dns_name_countlabels(rname);
+		nlabels = dns_name_countlabels(rname);
 		dns_name_split(qname, nlabels, &prefix, NULL);
 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
 					      NULL);
-		if (result == DNS_R_NAMETOOLONG)
+		if (result == DNS_R_NAMETOOLONG) {
+			if (chainingp != NULL) {
+				*chainingp = ISC_TRUE;
+			}
 			return (ISC_TRUE);
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		break;
 	default:
@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
 		}
 		if ((ardataset->type == dns_rdatatype_cname ||
 		     ardataset->type == dns_rdatatype_dname) &&
-		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
+		    type != ardataset->type &&
+		    type != dns_rdatatype_any &&
+		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
 					      NULL))
 		{
 			return (DNS_R_SERVFAIL);
diff -pruN 1:9.11.4+dfsg-3/lib/dns/zone.c 1:9.11.4.P2+dfsg-1/lib/dns/zone.c
--- 1:9.11.4+dfsg-3/lib/dns/zone.c	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/lib/dns/zone.c	2018-09-04 04:04:41.000000000 +0000
@@ -1774,6 +1774,10 @@ dns_zone_isdynamic(dns_zone_t *zone, isc
 	    (zone->type == dns_zone_redirect && zone->masters != NULL))
 		return (ISC_TRUE);
 
+	/* Inline zones are always dynamic. */
+	if (zone->type == dns_zone_master && zone->raw != NULL)
+		return (ISC_TRUE);
+
 	/* If !ignore_freeze, we need check whether updates are disabled.  */
 	if (zone->type == dns_zone_master &&
 	    (!zone->update_disabled || ignore_freeze) &&
@@ -1910,6 +1914,11 @@ zone_touched(dns_zone_t *zone) {
 	return (ISC_FALSE);
 }
 
+/*
+ * Note: when dealing with inline-signed zones, external callers will always
+ * call zone_load() for the secure zone; zone_load() calls itself recursively
+ * in order to load the raw zone.
+ */
 static isc_result_t
 zone_load(dns_zone_t *zone, unsigned int flags, isc_boolean_t locked) {
 	isc_result_t result;
@@ -1926,6 +1935,28 @@ zone_load(dns_zone_t *zone, unsigned int
 	INSIST(zone != zone->raw);
 	hasraw = inline_secure(zone);
 	if (hasraw) {
+		/*
+		 * We are trying to load an inline-signed zone.  First call
+		 * self recursively to try loading the raw version of the zone.
+		 * Assuming the raw zone file is readable, there are two
+		 * possibilities:
+		 *
+		 *  a) the raw zone was not yet loaded and thus it will be
+		 *     loaded now, synchronously; if this succeeds, a
+		 *     subsequent attempt to load the signed zone file will
+		 *     take place and thus zone_postload() will be called
+		 *     twice: first for the raw zone and then for the secure
+		 *     zone; the latter call will take care of syncing the raw
+		 *     version with the secure version,
+		 *
+		 *  b) the raw zone was already loaded and we are trying to
+		 *     reload it, which will happen asynchronously; this means
+		 *     zone_postload() will only be called for the raw zone
+		 *     because "result" returned by the zone_load() call below
+		 *     will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE;
+		 *     zone_postload() called for the raw zone will take care
+		 *     of syncing the raw version with the secure version.
+		 */
 		result = zone_load(zone->raw, flags, ISC_FALSE);
 		if (result != ISC_R_SUCCESS) {
 			if (!locked)
@@ -1965,7 +1996,7 @@ zone_load(dns_zone_t *zone, unsigned int
 		 * zone being reloaded.  Do nothing - the database
 		 * we already have is guaranteed to be up-to-date.
 		 */
-		if (zone->type == dns_zone_master)
+		if (zone->type == dns_zone_master && !hasraw)
 			result = DNS_R_DYNAMIC;
 		else
 			result = ISC_R_SUCCESS;
@@ -2008,7 +2039,6 @@ zone_load(dns_zone_t *zone, unsigned int
 			goto cleanup;
 		}
 
-
 		/*
 		 * If the file modification time is in the past
 		 * set loadtime to that value.
@@ -4496,11 +4526,13 @@ zone_postload(dns_zone_t *zone, dns_db_t
 	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
 	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
 	{
-		if (zone->type == dns_zone_master &&
-		    (zone->update_acl != NULL || zone->ssutable != NULL))
+		if (zone->type == dns_zone_master && (inline_secure(zone) ||
+		    (zone->update_acl != NULL || zone->ssutable != NULL)))
+		{
 			options = DNS_JOURNALOPT_RESIGN;
-		else
+		} else {
 			options = 0;
+		}
 		result = dns_journal_rollforward(zone->mctx, db, options,
 						 zone->journal);
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
@@ -4643,13 +4675,14 @@ zone_postload(dns_zone_t *zone, dns_db_t
 				isc_uint32_t serialmin, serialmax;
 
 				INSIST(zone->type == dns_zone_master);
+				INSIST(zone->raw == NULL);
 
 				if (serial == oldserial &&
 				    zone_unchanged(zone->db, db, zone->mctx)) {
 					dns_zone_log(zone, ISC_LOG_INFO,
 						     "ixfr-from-differences: "
 						     "unchanged");
-					return(ISC_R_SUCCESS);
+					goto done;
 				}
 
 				serialmin = (oldserial + 1) & 0xffffffffU;
@@ -4872,8 +4905,7 @@ zone_postload(dns_zone_t *zone, dns_db_t
 			     dns_db_issecure(db) ? " (DNSSEC signed)" : "");
 
 	zone->loadtime = loadtime;
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
-	return (result);
+	goto done;
 
  cleanup:
 	for (inc = ISC_LIST_HEAD(zone->newincludes);
@@ -4910,6 +4942,23 @@ zone_postload(dns_zone_t *zone, dns_db_t
 			result = ISC_R_SUCCESS;
 	}
 
+ done:
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	/*
+	 * If this is an inline-signed zone and we were called for the raw
+	 * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone
+	 * as well, but only if this is a reload, not an initial zone load: in
+	 * the former case, zone_postload() will not be run for the secure
+	 * zone; in the latter case, it will be.  Check which case we are
+	 * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the
+	 * secure zone: if it is set, this must be a reload.
+	 */
+	if (inline_raw(zone) &&
+	    DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
+	{
+		DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+	}
+
 	return (result);
 }
 
diff -pruN 1:9.11.4+dfsg-3/README 1:9.11.4.P2+dfsg-1/README
--- 1:9.11.4+dfsg-3/README	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/README	2018-09-04 04:04:41.000000000 +0000
@@ -250,6 +250,15 @@ BIND 9.11.4
 BIND 9.11.4 is a maintenance release, and addresses the security flaw
 disclosed in CVE-2018-5738.
 
+BIND 9.11.4-P1
+
+BIND 9.11.4-P1 addresses the security flaw disclosed in CVE-2018-5740.
+
+BIND 9.11.4-P2
+
+BIND 9.11.4-P2 fixes several operationally significant bugs with
+inline-signing zones.
+
 Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
diff -pruN 1:9.11.4+dfsg-3/README.md 1:9.11.4.P2+dfsg-1/README.md
--- 1:9.11.4+dfsg-3/README.md	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/README.md	2018-09-04 04:04:41.000000000 +0000
@@ -266,6 +266,15 @@ disclosed in CVE-2017-3145.
 BIND 9.11.4 is a maintenance release, and addresses the security flaw
 disclosed in CVE-2018-5738.
 
+#### BIND 9.11.4-P1
+
+BIND 9.11.4-P1 addresses the security flaw disclosed in CVE-2018-5740.
+
+#### BIND 9.11.4-P2
+
+BIND 9.11.4-P2 fixes several operationally significant bugs with
+inline-signing zones.
+
 ### <a name="build"/> Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
diff -pruN 1:9.11.4+dfsg-3/srcid 1:9.11.4.P2+dfsg-1/srcid
--- 1:9.11.4+dfsg-3/srcid	2018-07-03 18:41:50.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/srcid	2018-09-04 17:05:19.000000000 +0000
@@ -1 +1 @@
-SRCID=2fe4344
+SRCID=7107deb
diff -pruN 1:9.11.4+dfsg-3/version 1:9.11.4.P2+dfsg-1/version
--- 1:9.11.4+dfsg-3/version	2018-07-03 06:56:55.000000000 +0000
+++ 1:9.11.4.P2+dfsg-1/version	2018-09-04 04:04:41.000000000 +0000
@@ -6,6 +6,6 @@ DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=11
 PATCHVER=4
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=2
 EXTENSIONS=
