dig needs to access /etc/ssl/cert.pem, so add an unveil().
Index: Makefile =================================================================== RCS file: /home/cvs/ports/net/isc-bind/Makefile,v diff -u -p -r1.199 Makefile --- Makefile 19 Mar 2025 13:56:14 -0000 1.199 +++ Makefile 20 Mar 2025 17:42:32 -0000 @@ -9,7 +9,7 @@ EXTRACT_SUFX= .tar.xz EPOCH= 3 # keep above 7.6-stable; Python ver bumped -REVISION= 0 +REVISION= 1 DISTNAME= bind-$V PKGNAME= isc-bind-${V:S/-P/pl/} Index: patches/patch-bin_dig_dig_c =================================================================== RCS file: /home/cvs/ports/net/isc-bind/patches/patch-bin_dig_dig_c,v diff -u -p -r1.39 patch-bin_dig_dig_c --- patches/patch-bin_dig_dig_c 12 Dec 2024 10:20:04 -0000 1.39 +++ patches/patch-bin_dig_dig_c 20 Mar 2025 17:42:12 -0000 @@ -1,5 +1,6 @@ Patch to use pledge on OpenBSD. locale is needed for idn2. +cert.pem is needed for DoT. Index: bin/dig/dig.c --- bin/dig/dig.c.orig @@ -28,7 +29,7 @@ Index: bin/dig/dig.c debug("dig_setup()"); /* setup dighost callbacks */ -@@ -3399,6 +3409,21 @@ dig_query_setup(bool is_batchfile, bool config_only, i +@@ -3399,6 +3409,25 @@ dig_query_setup(bool is_batchfile, bool config_only, i } else if (keysecret[0] != 0) { setup_text_key(); } @@ -37,10 +38,14 @@ Index: bin/dig/dig.c + perror("unveil /usr/share/locale"); + exit(1); + } ++ if (unveil("/etc/ssl/cert.pem", "r") == -1) { ++ perror("unveil /etc/ssl/cert.pem"); ++ exit(1); ++ } + /* + * dns: resolv.conf, also allows port 53 sockets + * inet: needed if we query on port != 53 -+ * rpath: locale ++ * rpath: locale and cert.pem + */ + if (pledge("stdio rpath inet dns", NULL) == -1) { + perror("pledge");
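Review bot: The added `unveil("/etc/ssl/cert.pem", "r")` in the last hunk exposes only the default trust store, so a certificate file named on the command line (dig's `+tls-ca=`, `+tls-certfile=` and `+tls-keyfile=` options) would presumably be hidden if dig opens it after this unveil/pledge sequence, for instance when the TLS context is built at query time. It is worth confirming that dig then fails the query rather than proceeding without verification. The patch header should state the limit, e.g. `cert.pem is needed for DoT; files given via +tls-ca/+tls-certfile/+tls-keyfile are not unveiled.`, and the in-code comment could read `rpath: locale and cert.pem (default CA bundle only)`. dig_query_setup() starts and ends outside this hunk, so any earlier unveil() calls are not visible here.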