bind: bump to 9.20.23

Resolves several security issues:

- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
  received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.

The complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html

Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit ea421564d3)
Noah Meyerhans
2026-05-25 11:09:01 -04:00
parent 200ea1e477
commit 0c8f5f2ed9
4 changed files with 10 additions and 10 deletions
+2 -2
@@ -9,7 +9,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=bind
PKG_VERSION:=9.20.21
PKG_VERSION:=9.20.23
PKG_RELEASE:=1
USERID:=bind=57:bind=57
@@ -22,7 +22,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:= \
https://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
https://ftp.isc.org/isc/bind9/$(PKG_VERSION)
PKG_HASH:=15e1b5a227d2890f7c4e823a6ea018de70ee2f3a0e859cbff3d82aad8590de03
PKG_HASH:=5d4475aed3f9e500ef554b2b14d972bdb83d33de214a9b3be92918ea46908371
PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
@@ -13,15 +13,15 @@ restore the automatic zone to the view.
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -13931,6 +13931,7 @@ do_addzone(named_server_t *server, ns_cf
@@ -13919,6 +13919,7 @@ do_addzone(named_server_t *server, ns_cf
bool redirect, isc_buffer_t **text) {
isc_result_t result, tresult;
dns_zone_t *zone = NULL;
+ dns_zone_t *oldzone = NULL;
bool locked = false;
#ifndef HAVE_LMDB
FILE *fp = NULL;
bool cleanup_config = false;
@@ -13949,7 +13950,13 @@ do_addzone(named_server_t *server, ns_cf
@@ -13937,7 +13938,13 @@ do_addzone(named_server_t *server, ns_cf
} else {
result = dns_view_findzone(view, name, DNS_ZTFIND_EXACT, &zone);
if (result == ISC_R_SUCCESS) {
@@ -36,7 +36,7 @@ restore the automatic zone to the view.
}
}
if (result != ISC_R_NOTFOUND) {
@@ -13958,6 +13965,10 @@ do_addzone(named_server_t *server, ns_cf
@@ -13946,6 +13953,10 @@ do_addzone(named_server_t *server, ns_cf
isc_loopmgr_pause(named_g_loopmgr);
@@ -47,7 +47,7 @@ restore the automatic zone to the view.
#ifndef HAVE_LMDB
/*
* Make sure we can open the configuration save file
@@ -14062,6 +14073,11 @@ do_addzone(named_server_t *server, ns_cf
@@ -14050,6 +14061,11 @@ do_addzone(named_server_t *server, ns_cf
/* Remove the zone from the zone table */
dns_view_delzone(view, zone);
goto cleanup;
@@ -59,7 +59,7 @@ restore the automatic zone to the view.
}
/* Flag the zone as having been added at runtime */
@@ -14078,6 +14094,22 @@ do_addzone(named_server_t *server, ns_cf
@@ -14066,6 +14082,22 @@ do_addzone(named_server_t *server, ns_cf
cleanup:
@@ -85,7 +85,7 @@ Subject: [PATCH 2/4] Check if adding new zone can replace an automatic empty
+};
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
@@ -68,6 +68,35 @@ n=$((n + 1))
@@ -88,6 +88,35 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
@@ -10,7 +10,7 @@ Subject: [PATCH 4/4] fixup! Check if adding new zone can replace an automatic
--- a/bin/tests/system/addzone/tests.sh
+++ b/bin/tests/system/addzone/tests.sh
@@ -84,6 +84,23 @@ n=$((n + 1))
@@ -104,6 +104,23 @@ n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))