Thank you very much for this work, @twoerner!
Could you please split the patch into smaller commits so that they are easier to review and eventually get bisect if problems are to be investigated in future.

I have split it up. There are 24 patches now with one temporary to make build work with isc-bind in Fedora copr.

thanks for the patches! isc-config.sh has been removed upstream, how do you cope with that?

Ping, any progress here?

There is currently no progress. We have new bind 9.16 build in a COPR but I haven't had any time to look at it yet. I am working with Fedora infra to set up CI to be able to test all this automatically but still not there.

Is the packaging for that build available somewhere?

I have these for debian, but might have missed something as named-pkcs11 fails with an assert when starting up

@tjaalton Right now there are issues where code breaks when named starts due to one missing function rename and some issues with DNSSEC (and SELinux). That was the latest status from @twoerner yesterday evening. I think we'll see some update of this branch today, hopefully.

Additionally, you'd need changes in FreeIPA because bind 9.16 does not support integrated pkcs11 build and requires use of external PKCS#11 engine through openssl. This is handled in https://github.com/freeipa/freeipa/pull/3774

I was trying to make testing of the new code more reliable and added a support for testing against FreeIPA in Azure Pipelines (FreeIPA uses Azure Pipelines for about a year already). The setup is in tests/azure/, if you'd create own Azure DevOps organization, import bind-dyndb-ldap from external git there, then you can create a build pipeline using tests/azure/azure-pipelines.yml. It will run against Fedora 31 by default. I know you work on your own Ubuntu/Debian integration for FreeIPA Azure Pipelines, so may be that could be contributed here too.

Getting back to bind 9.16, my current run that actually tries to use bind 9.16 can be seen at https://dev.azure.com/vdali/bind-dyndb-ldap/_build/results?buildId=26&view=results. In https://dev.azure.com/vdali/bind-dyndb-ldap/_build/results?buildId=26&view=artifacts you can see the results. You might be interested in downloading logs from that place as they contain crashdumps. The crashes were already processed by coredumpctl, so there already detailed stack traces that could be analyzed. It would help to submit patches on top of https://pagure.io/bind-dyndb-ldap/pull-request/187 for the issues you could fix.

Since Pagure has no direct support in Azure Pipelines, I'm using my fork in Azure DevOpes for the runs in Azure Pipelines: https://dev.azure.com/vdali/bind-dyndb-ldap/_git/bind-dyndb-ldap.ab?version=GBbind-9.16-support. This is basically a version of this PR that has Azure Pipeline adoption on top of that, to allow use of customized bind 9.15 and FreeIPA builds from respective COPR repositories. Again, since I'm not using Ubuntu/Debian myself, these are for Fedora 31.

OpenSSL PKCS#11 engine does not work in FIPS mode yet. There is a problem with libp11 (aka openssl-pkcs11 engine), see https://bugzilla.redhat.com/show_bug.cgi?id=1827535 .

I propose to make BIND 9.16 support a FreeIPA 4.9 feature. It's a big change.