Fri Aug 6 10:58:13 2010 UTC ()

Merge changes.


(christos)

diff -r1.4 -r1.5 src/external/bsd/bind/Makefile.inc
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/README.dnssec
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/README.libdns
diff -r1.1.1.3 -r0 src/external/bsd/bind/dist/README.pkcs11
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/README.rfc5011
diff -r1.2 -r1.3 src/external/bsd/bind/dist/binclude4netbsd
diff -r1.3 -r1.4 src/external/bsd/bind/dist/bind2netbsd
diff -r1.4 -r1.5 src/external/bsd/bind/dist/bin/dig/dighost.c
diff -r1.3 -r1.4 src/external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c
diff -r1.3 -r1.4 src/external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c
diff -r1.2 -r1.3 src/external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c
diff -r1.4 -r1.5 src/external/bsd/bind/dist/bin/named/main.c
diff -r1.4 -r1.5 src/external/bsd/bind/dist/bin/named/named.conf.5
diff -r1.4 -r1.5 src/external/bsd/bind/dist/bin/named/named.conf.docbook
diff -r1.4 -r1.5 src/external/bsd/bind/dist/bin/named/named.conf.html
diff -r1.4 -r1.5 src/external/bsd/bind/dist/bin/named/server.c
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/bin/tests/system/autosign/ns3/multiple.example.db.in
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/dnssec-signer.c
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/doc/KeyRollover.ps
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/doc/draft-gudmundsson-life-of-dnskey-00.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/doc/draft-ietf-dnsop-rfc4641bis-01.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/doc/rfc4641.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/dnssec-signer.sh
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/dnssec-zkt.sh
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dist.sh
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dnssec.conf
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/named.conf
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/zkt.log
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dnssec-signer.sh
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/zone.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+003+42138.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.depreciated
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+01355.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/Kdyn.example.net.+005+10643.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/dnskey.db
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/dnssec.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/dsset-dyn.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/keyset-dyn.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/zone.db
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/zone.db.dsigned
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/dyn.example.net/zone.org
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+07308.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+24545.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+33840.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.depreciated
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+34925.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/Kexample.net.+005+48089.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/kexample.net.+005+01764.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/kexample.net.+005+14829.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/kexample.net.+005+41151.private
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/dnskey.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/dsset-example.net.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/keyset-example.net.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/zone.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/example.net/zone.db.signed
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/dlvset-sub.example.net.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/dsset-example.net.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/dsset-sub.example.net.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/keyset-example.net.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/keyset-sub.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/dsset-dyn.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/keysets/keyset-dyn.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.depreciated
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+14600.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+32345.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/Ksub.example.net.+007+48516.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/dlvset-sub.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/dsset-sub.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/keyset-sub.example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/maxhexsalt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/maxhexsalt+1
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/zone.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/dnskey.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/dnssec.conf
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/flat/sub.example.net/zone.db.signed
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/dnssec.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/named.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/zone.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/keyset-example.de.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/Kexample.de.+005+55529.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/dsset-example.de.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+17439.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+41145.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/kexample.de.+005+59244.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/keyset-example.de.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/zone.soa
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/dnskey.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/keyset-sub.example.de.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/zone.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/zone.db.signed
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+11091.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+38598.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+001+60332.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+24426.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+26451.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+37547.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+40956.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+57863.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+06903.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+31785.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+40998.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+56595.private
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dnskey.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/dnssec-extern.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/dnssec-intern.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/dnssec-signer-extern
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/dnssec-signer-intern
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/dnssec-zkt-extern
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/dnssec-zkt-intern
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/named.conf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/named.log
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/root.hint
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/viewtest.sh
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/zkt-ext.log
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+10367.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+14714.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+23553.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.depreciated
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/Kexample.net.+005+35744.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/dnskey.db
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/dsset-example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/keyset-example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/zone.db
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/extern/example.net/zone.db.signed
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/zkt-int.log
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+00126.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.depreciated
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+05972.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+23375.private
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.key
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/Kexample.net.+005+55745.published
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/dnskey.db
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/dsset-example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/keyset-example.net.
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/zone.db
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/examples/views/intern/example.net/zone.db.signed
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/man/dnssec-signer.8
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/man/dnssec-signer.8.html
diff -r1.1.1.2 -r0 src/external/bsd/bind/dist/contrib/zkt/man/dnssec-zkt.8.html
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/contrib/zkt/man/dnssec-signer.8.pdf
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-6man-text-addr-representation-01.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-behave-dns64-01.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-axfr-clarify-11.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-dns-tcp-requirements-01.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-dnssec-gost-05.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-rfc2672bis-dname-18.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsext-rfc3597-bis-00.txt
diff -r1.1.1.1 -r0 src/external/bsd/bind/dist/doc/draft/draft-ietf-dnsop-default-local-zones-09.txt
diff -r1.3 -r1.4 src/external/bsd/bind/dist/lib/dns/keytable.c
diff -r1.4 -r1.5 src/external/bsd/bind/dist/lib/dns/message.c
diff -r1.4 -r1.5 src/external/bsd/bind/dist/lib/dns/rbtdb.c
diff -r1.5 -r1.6 src/external/bsd/bind/dist/lib/dns/resolver.c
diff -r1.3 -r1.4 src/external/bsd/bind/dist/lib/dns/include/dns/name.h
diff -r1.4 -r1.5 src/external/bsd/bind/dist/lib/dns/include/dns/zone.h
diff -r1.3 -r1.4 src/external/bsd/bind/dist/lib/isc/include/isc/mem.h
diff -r1.2 -r1.3 src/external/bsd/bind/dist/lib/isc/include/isc/util.h
diff -r1.3 -r1.4 src/external/bsd/bind/dist/lib/isc/unix/socket.c
diff -r1.3 -r1.4 src/external/bsd/bind/include/config.h
diff -r1.3 -r1.4 src/external/bsd/bind/include/dns/code.h
diff -r1.1 -r1.2 src/external/bsd/bind/include/dns/enumclass.h
diff -r1.2 -r1.3 src/external/bsd/bind/include/dns/enumtype.h
diff -r1.2 -r1.3 src/external/bsd/bind/include/dns/rdatastruct.h
diff -r1.4 -r1.5 src/external/bsd/bind/include/isc/platform.h

--- src/external/bsd/bind/Attic/Makefile.inc 2009/10/25 00:18:38	1.4
+++ src/external/bsd/bind/Attic/Makefile.inc 2010/08/06 10:58:03	1.5

 @@ -1,32 +1,34 @@
-#	$NetBSD: Makefile.inc,v 1.4 2009/10/25 00:18:38 christos Exp $
+#	$NetBSD: Makefile.inc,v 1.5 2010/08/06 10:58:03 christos Exp $
 .if !defined(BIND9_MAKEFILE_INC)
 BIND9_MAKEFILE_INC=yes
 #NAMED_DEBUG=1
 USE_FORT?= yes	# network client/server
 WARNS?=	1
 .include <bsd.own.mk>
 .if ${MKCRYPTO} == "no"
 NAMED_USE_OPENSSL?=no
 .else
 NAMED_USE_OPENSSL?=yes
 .endif
 NAMED_USE_PTHREADS?=yes
 NAMED_USE_OPENSSL?=yes
 IDIST=		${NETBSDSRCDIR}/external/bsd/bind/dist
 BIND_SRCDIR=	${NETBSDSRCDIR}/external/bsd/bind
 BIND_HTMLDIR=	/usr/share/doc/html/bind9
 .include "${IDIST}/version"
 VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
 CPPFLAGS+=-I${BIND_SRCDIR}/include \
 	-I${IDIST} \
 	-I${IDIST}/lib/dns/include -I${IDIST}/lib/dns/unix/include \
 @@ -39,31 +41,39 @@ CPPFLAGS+=-I${BIND_SRCDIR}/include \
 	-DNS_LOCALSTATEDIR=\"${LOCALSTATEDIR}\" \
 	-DNS_SYSCONFDIR=\"${SYSCONFDIR}\" \
 	-DSESSION_KEYFILE=\"${LOCALSTATEDIR}/run/named/session.key\" \
 	-DVERSION=\"${VERSION}\" -DBIND9
 .if (${USE_INET6} != "no")
 CPPFLAGS+=	-DWANT_IPV6
 .endif
 .if defined(HAVE_GCC) && ${HAVE_GCC} == 4
 COPTS+=	-Wno-pointer-sign
 .endif
 .if defined(NAMED_DEBUG)
 DBG=-g3 -gstabs
 .endif
 .if !defined(LIB) || empty(LIB)
 # NOTE: the order of these libraries is important...
 .if defined(NAMED_DEBUG)
 LDADD+=		-lbind9_g -ldns_g -llwres_g -lisccfg_g -lisccc_g -lisc_g
 .else
 LDADD+=		-lbind9 -ldns -llwres -lisccfg -lisccc -lisc
 DPADD+=		${LIBBIND9} ${LIBDNS} ${LIBLWRES}
 DPADD+=		${LIBISCCFG} ${LIBISCCC} ${LIBISC}
 .endif
 .else
 CPPFLAGS+= -DLIBINTERFACE=${LIBINTERFACE} \
 	   -DLIBREVISION=${LIBREVISION} -DLIBAGE=${LIBAGE}
 .endif
 #CPPFLAGS+= -DUSE_MEMIMPREGISTER -DUSE_APPIMPREGISTER -DUSE_SOCKETIMPREGISTER \
 #    -DUSE_TIMERIMPREGISTER
 .if ${NAMED_USE_PTHREADS} == "yes"
 # XXX: Not ready yet
 # CPPFLAGS+=	-DISC_PLATFORM_USE_NATIVE_RWLOCKS
 .if !defined (LIB) || empty(LIB)
 LDADD+= -lpthread
 DPADD+= ${LIBPTHREAD}

--- src/external/bsd/bind/dist/Attic/binclude4netbsd 2009/04/12 15:05:59	1.2
+++ src/external/bsd/bind/dist/Attic/binclude4netbsd 2010/08/06 10:58:03	1.3

 @@ -1,48 +1,56 @@
 #!/bin/sh
+#
 # Use this script to update the bind include files used in the nameserver,
 # after you've imported and built the latest bind code. After you run this,
 # cvs import the resulting directory
+#
-# $ cd /usr/src/external/bsd/bind/dist
+# $ cd bind-X.Y.Z
 # $ configure
 # $ make
 # $ ./binclude4netbsd . /tmp/include
 # Fix manually the config.h file to disable things controlled by the Makefiles
 # $ cd /tmp/include
-# $ cvs -d cvs.netbsd.org:/cvsroot import src/usr.sbin/bind/include \
+# $ cvs -d cvs.netbsd.org:/cvsroot import src/external/bsd/bind/include -m "Include files for bind-X-Y-Z" ISC bind-X-Y-Z
 #	ISC bind-X-Y-Z
+#
 PROG=$(basename $0)
 if [ \( -z "$1" \) -o \( -z "$2" \) ]
 then
 	echo "Usage: $PROG <bind-src> <include-dest>" 1>&2
 	exit 1
 fi
 BIND=$1
 INCLUDE=$2
 copy() {
 	f="$(basename "$1")"
 	sed -e 's/\$\(Id.*\) \$/\1/' \
 	    -e 's/\$\(Created.*\) \$/\1/' \
 	    -e 's/\$\(Header.*\) \$/\1/' \
 	    -e 's/\$\(Revision.*\) \$/\1/' \
 	    < "$1" > "$2/$f"
+}
 mkdir -p $INCLUDE
-cp $BIND/config.h $INCLUDE
+copy $BIND/config.h $INCLUDE
 mkdir -p $INCLUDE/dns
-cp $BIND/lib/dns/code.h $INCLUDE/dns
+copy $BIND/lib/dns/code.h $INCLUDE/dns
 for i in enumclass.h enumtype.h rdatastruct.h
 do
-	cp $BIND/lib/dns/include/dns/$i $INCLUDE/dns
+	copy $BIND/lib/dns/include/dns/$i $INCLUDE/dns
 done
 mkdir -p $INCLUDE/isc
-cp $BIND/lib/isc/include/isc/platform.h $INCLUDE/isc
+copy $BIND/lib/isc/include/isc/platform.h $INCLUDE/isc
 mkdir -p $INCLUDE/lwres
 for i in netdb.h platform.h
 do
-	cp $BIND/lib/lwres/include/lwres/$i $INCLUDE/lwres
+	copy $BIND/lib/lwres/include/lwres/$i $INCLUDE/lwres
 done

--- src/external/bsd/bind/dist/Attic/bind2netbsd 2009/04/12 15:23:22	1.3
+++ src/external/bsd/bind/dist/Attic/bind2netbsd 2010/08/06 10:58:03	1.4

 @@ -1,16 +1,16 @@
 #! /bin/sh
+#
-#	$NetBSD: bind2netbsd,v 1.3 2009/04/12 15:23:22 christos Exp $
+#	$NetBSD: bind2netbsd,v 1.4 2010/08/06 10:58:03 christos Exp $
+#
 # Copyright (c) 2000 The NetBSD Foundation, Inc.
 # All rights reserved.
+#
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 #    notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
+#
 @@ -26,32 +26,32 @@
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
+#
 # bind2netbsd:  convert a bind tree into a
 # netbsd bind source tree, under src/external/bsd/bind/dist,
 # based on bind2netbsd by Bernd Ernesti and changes by Simon Burge
+#
 # Rough instructions for importing new bind release:
+#
 #	$ cd /some/where/temporary
 #	$ tar xpfz /new/bind/release/tar/file
 #	$ sh /usr/src/external/bsd/bind/dist/bind2netbsd bind-9.x.y `pwd`
 #	$ cd src/external/bsd/bind/dist
-#	$ cvs import -m "Import bind 9.x.y" src/external/bsd/bind/dist ISC bind-9-x-y
+#	$ cvs -d cvs.netbsd.org:/cvsroot import -m "Import bind 9.x.y" src/external/bsd/bind/dist ISC bind-9-x-y
 #	$ cd ../../../../../bind-9.x.y
 #	$ run ./configure
 #	$ run make
 #	- use the binclude4netbsd to create and import the new headers in
-#	  /usr/src/usr.sbin/bind/include
+#	  /usr/src/external/bsd/bind/include
 #	- check makefiles to see if any extra sources have been added.
 #	- update distrib/sets if necessary.
 if [ $# -ne 2 ]; then echo "bind2netbsd src dest"; exit 1; fi
 r=$1
 d=$2/src/external/bsd/bind/dist
 case "$d" in
 	/*)
 		;;
 	*)
 		d=`/bin/pwd`/$d

--- src/external/bsd/bind/dist/bin/dig/Attic/dighost.c 2009/12/26 23:08:21	1.4
+++ src/external/bsd/bind/dist/bin/dig/Attic/dighost.c 2010/08/06 10:58:03	1.5

 @@ -1,33 +1,33 @@
-/*	$NetBSD: dighost.c,v 1.4 2009/12/26 23:08:21 christos Exp $	*/
+/*	$NetBSD: dighost.c,v 1.5 2010/08/06 10:58:03 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: dighost.c,v 1.328 2009/11/10 17:27:40 each Exp */
+/* Id: dighost.c,v 1.328.22.3 2010/06/24 07:29:07 marka Exp */
 /*! \file
  *  \note
  * Notice to programmers:  Do not use this code as an example of how to
  * use the ISC library to perform DNS lookups.  Dig and Host both operate
  * on the request level, since they allow fine-tuning of output and are
  * intended as debugging tools.  As a result, they perform many of the
  * functions which could be better handled using the dns_resolver
  * functions in most applications.
  */
 #include <config.h>
 #include <stdlib.h>
 @@ -1154,32 +1154,41 @@ static dig_searchlist_t *
 make_searchlist_entry(char *domain) {
 	dig_searchlist_t *search;
 	search = isc_mem_allocate(mctx, sizeof(*search));
 	if (search == NULL)
 		fatal("memory allocation failure in %s:%d",
 		      __FILE__, __LINE__);
 	strncpy(search->origin, domain, MXNAME);
 	search->origin[MXNAME-1] = 0;
 	ISC_LINK_INIT(search, link);
 	return (search);
+}
 static void
 clear_searchlist(void) {
 	dig_searchlist_t *search;
 	while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
 		ISC_LIST_UNLINK(search_list, search, link);
 		isc_mem_free(mctx, search);
+	}
+}
 static void
 create_search_list(lwres_conf_t *confdata) {
 	int i;
 	dig_searchlist_t *search;
 	debug("create_search_list()");
-	ISC_LIST_INIT(search_list);
+	clear_searchlist();
 	for (i = 0; i < confdata->searchnxt; i++) {
 		search = make_searchlist_entry(confdata->search[i]);
 		ISC_LIST_APPEND(search_list, search, link);
+	}
+}
 /*%
  * Setup the system as a whole, reading key information and resolv.conf
  * settings.
  */
 void
 setup_system(void) {
 @@ -1202,27 +1211,27 @@ setup_system(void) {
 	lwresult = lwres_conf_parse(lwctx, RESOLV_CONF);
 	if (lwresult != LWRES_R_SUCCESS && lwresult != LWRES_R_NOTFOUND)
 		fatal("parse of %s failed", RESOLV_CONF);
 	lwconf = lwres_conf_get(lwctx);
 	/* Make the search list */
 	if (lwconf->searchnxt > 0)
 		create_search_list(lwconf);
 	else { /* No search list. Use the domain name if any */
 		if (lwconf->domainname != NULL) {
 			domain = make_searchlist_entry(lwconf->domainname);
-			ISC_LIST_INITANDAPPEND(search_list, domain, link);
+			ISC_LIST_APPEND(search_list, domain, link);
 			domain  = NULL;
+		}
+	}
 	if (ndots == -1) {
 		ndots = lwconf->ndots;
 		debug("ndots is %d.", ndots);
+	}
 	/* If user doesn't specify server use nameservers from resolv.conf. */
 	if (ISC_LIST_EMPTY(server_list))
 		copy_server_list(lwconf, &server_list);
 @@ -1257,35 +1266,26 @@ setup_system(void) {
 	dns_name_init(&chase_name, NULL);
 #if DIG_SIGCHASE_TD
 	dns_name_init(&chase_current_name, NULL);
 	dns_name_init(&chase_authority_name, NULL);
 #endif
 #if DIG_SIGCHASE_BU
 	dns_name_init(&chase_signame, NULL);
 #endif
 #endif
+}
 static void
 clear_searchlist(void) {
 	dig_searchlist_t *search;
 	while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
 		ISC_LIST_UNLINK(search_list, search, link);
 		isc_mem_free(mctx, search);
 /*%
  * Override the search list derived from resolv.conf by 'domain'.
  */
 void
 set_search_domain(char *domain) {
 	dig_searchlist_t *search;
 	clear_searchlist();
 	search = make_searchlist_entry(domain);
 	ISC_LIST_APPEND(search_list, search, link);
+}
 /*%
 @@ -2393,50 +2393,59 @@ bringup_timer(dig_query_t *query, unsign
 static void
 force_timeout(dig_lookup_t *l, dig_query_t *query) {
 	isc_event_t *event;
 	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
 				   connect_timeout, l,
 				   sizeof(isc_event_t));
 	if (event == NULL) {
 		fatal("isc_event_allocate: %s",
 		      isc_result_totext(ISC_R_NOMEMORY));
+	}
 	isc_task_send(global_task, &event);
 	/*
 	 * The timer may have expired if, for example, get_address() takes
 	 * long time and the timer was running on a different thread.
 	 * We need to cancel the possible timeout event not to confuse
 	 * ourselves due to the duplicate events.
 	 */
 	if (l->timer != NULL)
 		isc_timer_detach(&l->timer);
+}
 static void
 connect_done(isc_task_t *task, isc_event_t *event);
 /*%
  * Unlike send_udp, this can't be called multiple times with the same
  * query.  When we retry TCP, we requeue the whole lookup, which should
  * start anew.
  */
 static void
 send_tcp_connect(dig_query_t *query) {
 	isc_result_t result;
 	dig_query_t *next;
 	dig_lookup_t *l;
 	debug("send_tcp_connect(%p)", query);
 	l = query->lookup;
 	query->waiting_connect = ISC_TRUE;
 	query->lookup->current_query = query;
 	result = get_address(query->servname, port, &query->sockaddr);
-	if (result == ISC_R_NOTFOUND) {
+	if (result != ISC_R_SUCCESS) {
 		/*
 		 * This servname doesn't have an address.  Try the next server
 		 * by triggering an immediate 'timeout' (we lie, but the effect
 		 * is the same).
 		 */
 		force_timeout(l, query);
 		return;
+	}
 	if (specified_source &&
 	    (isc_sockaddr_pf(&query->sockaddr) !=
 	     isc_sockaddr_pf(&bind_address))) {
 		printf(";; Skipping server %s, incompatible "
 @@ -2498,27 +2507,27 @@ send_udp(dig_query_t *query) {
 	dig_lookup_t *l = NULL;
 	isc_result_t result;
 	debug("send_udp(%p)", query);
 	l = query->lookup;
 	bringup_timer(query, UDP_TIMEOUT);
 	l->current_query = query;
 	debug("working on lookup %p, query %p", query->lookup, query);
 	if (!query->recv_made) {
 		/* XXX Check the sense of this, need assertion? */
 		query->waiting_connect = ISC_FALSE;
 		result = get_address(query->servname, port, &query->sockaddr);
-		if (result == ISC_R_NOTFOUND) {
+		if (result != ISC_R_SUCCESS) {
 			/* This servname doesn't have an address. */
 			force_timeout(l, query);
 			return;
+		}
 		result = isc_socket_create(socketmgr,
 					   isc_sockaddr_pf(&query->sockaddr),
 					   isc_sockettype_udp, &query->sock);
 		check_result(result, "isc_socket_create");
 		sockcount++;
 		debug("sockcount=%d", sockcount);
 		if (specified_source) {
 			result = isc_socket_bind(query->sock, &bind_address,

--- src/external/bsd/bind/dist/bin/dnssec/Attic/dnssec-keyfromlabel.c 2009/12/26 23:08:21	1.3
+++ src/external/bsd/bind/dist/bin/dnssec/Attic/dnssec-keyfromlabel.c 2010/08/06 10:58:03	1.4

 @@ -1,49 +1,50 @@
-/*	$NetBSD: dnssec-keyfromlabel.c,v 1.3 2009/12/26 23:08:21 christos Exp $	*/
+/*	$NetBSD: dnssec-keyfromlabel.c,v 1.4 2010/08/06 10:58:03 christos Exp $	*/
 /*
- * Copyright (C) 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2010  Internet Systems Consortium, Inc. ("ISC")
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: dnssec-keyfromlabel.c,v 1.29 2009/11/25 23:00:32 marka Exp */
+/* Id: dnssec-keyfromlabel.c,v 1.29.8.2 2010/01/19 23:48:12 tbox Exp */
 /*! \file */
 #include <config.h>
 #include <ctype.h>
 #include <stdlib.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/entropy.h>
 #include <isc/mem.h>
 #include <isc/region.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
 #include <dst/dst.h>
 #include "dnssectool.h"
 #define MAX_RSA 4096 /* should be long enough... */
 @@ -74,33 +75,34 @@ usage(void) {
 	fprintf(stderr, "    -a algorithm: %s\n", algs);
 	fprintf(stderr, "       (default: RSASHA1, or "
 			       "NSEC3RSASHA1 if using -3)\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 #ifdef USE_PKCS11
 	fprintf(stderr, "    -E enginename (default: pkcs11)\n");
 #else
 	fprintf(stderr, "    -E enginename\n");
 #endif
 	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
 	fprintf(stderr, "    -K directory: directory in which to place "
 			"key files\n");
-	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
+	fprintf(stderr, "    -k: generate a TYPE=KEY key\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
 	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
 	fprintf(stderr, "    -t type: "
 		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 		"(default: AUTHCONF)\n");
 	fprintf(stderr, "    -y: permit keys that might collide\n");
 	fprintf(stderr, "    -v verbose level\n");
 	fprintf(stderr, "Date options:\n");
 	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
 	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
 	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
 	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
 	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting"
 			" all dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
 @@ -109,27 +111,27 @@ usage(void) {
+}
 int
 main(int argc, char **argv) {
 	char		*algname = NULL, *nametype = NULL, *type = NULL;
 	const char	*directory = NULL;
 #ifdef USE_PKCS11
 	const char	*engine = "pkcs11";
 #else
 	const char	*engine = NULL;
 #endif
 	char		*classname = NULL;
 	char		*endp;
-	dst_key_t	*key = NULL, *oldkey = NULL;
+	dst_key_t	*key = NULL;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
 	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
 	dns_secalg_t	alg;
 	isc_boolean_t	oldstyle = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
 	int		ch;
 	int		protocol = -1, signatory = 0;
 	isc_result_t	ret;
 	isc_textregion_t r;
 	char		filename[255];
 	isc_buffer_t	buf;
 	isc_log_t	*log = NULL;
 @@ -138,41 +140,43 @@ main(int argc, char **argv) {
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	char		*label = NULL;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
 	isc_boolean_t	setpub = ISC_FALSE, setact = ISC_FALSE;
 	isc_boolean_t	setrev = ISC_FALSE, setinact = ISC_FALSE;
 	isc_boolean_t	setdel = ISC_FALSE;
 	isc_boolean_t	unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
 	isc_boolean_t	unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
 	isc_boolean_t	unsetdel = ISC_FALSE;
 	isc_boolean_t	genonly = ISC_FALSE;
 	isc_boolean_t	use_nsec3 = ISC_FALSE;
 	isc_boolean_t   avoid_collisions = ISC_TRUE;
 	isc_boolean_t	exact;
 	unsigned char	c;
 	if (argc == 1)
 		usage();
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 	dns_result_register();
 	isc_commandline_errprint = ISC_FALSE;
 	isc_stdtime_get(&now);
 	while ((ch = isc_commandline_parse(argc, argv,
-				"3a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
+				"3a:Cc:E:f:K:kl:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
+	{
 	    switch (ch) {
 		case '3':
 			use_nsec3 = ISC_TRUE;
 			break;
 		case 'a':
 			algname = isc_commandline_argument;
 			break;
 		case 'C':
 			oldstyle = ISC_TRUE;
 			break;
 		case 'c':
 			classname = isc_commandline_argument;
 @@ -210,26 +214,29 @@ main(int argc, char **argv) {
 			protocol = strtol(isc_commandline_argument, &endp, 10);
 			if (*endp != '\0' || protocol < 0 || protocol > 255)
 				fatal("-p must be followed by a number "
 				      "[0..255]");
 			break;
 		case 't':
 			type = isc_commandline_argument;
 			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')
 				fatal("-v must be followed by a number");
 			break;
 		case 'y':
 			avoid_collisions = ISC_FALSE;
 			break;
 		case 'G':
 			genonly = ISC_TRUE;
 			break;
 		case 'P':
 			if (setpub || unsetpub)
 				fatal("-P specified more than once");
 			if (strcasecmp(isc_commandline_argument, "none")) {
 				setpub = ISC_TRUE;
 				publish = strtotime(isc_commandline_argument,
 						    now, now);
 			} else {
 				unsetpub = ISC_TRUE;
 @@ -494,36 +501,46 @@ main(int argc, char **argv) {
 		if (setpub || setact || setrev || setinact ||
 		    setdel || unsetpub || unsetact ||
 		    unsetrev || unsetinact || unsetdel || genonly)
 			fatal("cannot use -C together with "
 			      "-P, -A, -R, -I, -D, or -G options");
 		/*
 		 * Compatibility mode: Private-key-format
 		 * should be set to 1.2.
 		 */
 		dst_key_setprivateformat(key, 1, 2);
+	}
 	/*
-	 * Try to read a key with the same name, alg and id from disk.
+	 * Do not overwrite an existing key.  Warn LOUDLY if there
-	 * If there is one we must return failure.
+	 * is a risk of ID collision due to this key or another key
 	 * being revoked.
 	 */
-	ret = dst_key_fromfile(name, dst_key_id(key), alg,
+	if (key_collision(dst_key_id(key), name, directory, alg, mctx, &exact))
 			       DST_TYPE_PRIVATE, directory, mctx, &oldkey);
 	/* do not overwrite an existing key  */
 	if (ret == ISC_R_SUCCESS) {
 		isc_buffer_clear(&buf);
 		ret = dst_key_buildfilename(key, 0, directory, &buf);
-		fatal("%s: %s already exists\n", program, filename);
+		if (exact)
 			fatal("%s: %s already exists\n", program, filename);
 		if (avoid_collisions)
 			fatal("%s: %s could collide with another key upon "
 			      "revokation\n", program, filename);
 		fprintf(stderr, "%s: WARNING: Key %s could collide with "
 				"another key upon revokation.  If you plan "
 				"to revoke keys, destroy this key and "
 				"generate a different one.\n",
 				program, filename);
+	}
 	ret = dst_key_tofile(key, options, directory);
 	if (ret != ISC_R_SUCCESS) {
 		char keystr[DST_KEY_FORMATSIZE];
 		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("failed to write key %s: %s\n", keystr,
 		      isc_result_totext(ret));
+	}
 	isc_buffer_clear(&buf);
 	ret = dst_key_buildfilename(key, 0, NULL, &buf);
 	printf("%s\n", filename);

--- src/external/bsd/bind/dist/bin/dnssec/Attic/dnssec-keygen.c 2009/12/26 23:08:21	1.3
+++ src/external/bsd/bind/dist/bin/dnssec/Attic/dnssec-keygen.c 2010/08/06 10:58:03	1.4

 @@ -1,17 +1,17 @@
-/*	$NetBSD: dnssec-keygen.c,v 1.3 2009/12/26 23:08:21 christos Exp $	*/
+/*	$NetBSD: dnssec-keygen.c,v 1.4 2010/08/06 10:58:03 christos Exp $	*/
 /*
- * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
  * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
  * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
  * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 @@ -21,69 +21,65 @@
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
  * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
  * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
  * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: dnssec-keygen.c,v 1.108 2009/11/25 22:58:48 marka Exp */
+/* Id: dnssec-keygen.c,v 1.108.8.4 2010/01/19 23:48:12 tbox Exp */
 /*! \file */
 #include <config.h>
 #include <ctype.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <isc/buffer.h>
 #include <isc/commandline.h>
 #include <isc/entropy.h>
 #include <isc/mem.h>
 #include <isc/region.h>
 #include <isc/string.h>
 #include <isc/util.h>
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
 #include <dst/dst.h>
 #include "dnssectool.h"
 #define MAX_RSA 4096 /* should be long enough... */
 const char *program = "dnssec-keygen";
 int verbose;
 #define DEFAULT_ALGORITHM "RSASHA1"
 #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
 static isc_boolean_t
 dsa_size_ok(int size) {
 	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
 ISC_PLATFORM_NORETURN_PRE static void
 usage(void) ISC_PLATFORM_NORETURN_POST;
 static void progress(int p);
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr, "    %s [options] name\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Options:\n");
 	fprintf(stderr, "    -K <directory>: write keys into directory\n");
 @@ -134,44 +130,51 @@ usage(void) {
 	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
 			"records with (default: 0)\n");
 	fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
 			"use KEY for SIG(0))\n");
 	fprintf(stderr, "    -t <type>: "
 			"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 			"(default: AUTHCONF)\n");
 	fprintf(stderr, "    -r <randomdev>: a file containing random data\n");
 	fprintf(stderr, "    -h: print usage and exit\n");
 	fprintf(stderr, "    -m <memory debugging mode>:\n");
 	fprintf(stderr, "	usage | trace | record | size | mctx\n");
 	fprintf(stderr, "    -v <level>: set verbosity level (0 - 10)\n");
-	fprintf(stderr, "Date options:\n");
+	fprintf(stderr, "Timing options:\n");
-	fprintf(stderr, "    -P date/[+-]offset: set key publication date "
+	fprintf(stderr, "    -P date/[+-]offset/none: set key publication date "
 						"(default: now)\n");
-	fprintf(stderr, "    -A date/[+-]offset: set key activation date "
+	fprintf(stderr, "    -A date/[+-]offset/none: set key activation date "
 						"(default: now)\n");
-	fprintf(stderr, "    -R date/[+-]offset: set key revocation date\n");
+	fprintf(stderr, "    -R date/[+-]offset/none: set key "
-	fprintf(stderr, "    -I date/[+-]offset: set key inactivation date\n");
+						     "revocation date\n");
-	fprintf(stderr, "    -D date/[+-]offset: set key deletion date\n");
+	fprintf(stderr, "    -I date/[+-]offset/none: set key "
 						     "inactivation date\n");
 	fprintf(stderr, "    -D date/[+-]offset/none: set key deletion date\n");
 	fprintf(stderr, "    -G: generate key only; do not set -P or -A\n");
 	fprintf(stderr, "    -C: generate a backward-compatible key, omitting "
 			"all dates\n");
 	fprintf(stderr, "Output:\n");
 	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
 			"K<name>+<alg>+<id>.private\n");
 	exit (-1);
+}
 static isc_boolean_t
 dsa_size_ok(int size) {
 	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
 static void
 progress(int p)
+{
 	char c = '*';
 	switch (p) {
 	case 0:
 		c = '.';
 		break;
 	case 1:
 		c = '+';
 		break;
 	case 2:
 @@ -182,27 +185,27 @@ progress(int p)
 		break;
 	default:
 		break;
+	}
 	(void) putc(c, stderr);
 	(void) fflush(stderr);
+}
 int
 main(int argc, char **argv) {
 	char	        *algname = NULL, *nametype = NULL, *type = NULL;
 	char		*classname = NULL;
 	char		*endp;
-	dst_key_t	*key = NULL, *oldkey;
+	dst_key_t	*key = NULL;
 	dns_fixedname_t	fname;
 	dns_name_t	*name;
 	isc_uint16_t	flags = 0, kskflag = 0, revflag = 0;
 	dns_secalg_t	alg;
 	isc_boolean_t	conflict = ISC_FALSE, null_key = ISC_FALSE;
 	isc_boolean_t	oldstyle = ISC_FALSE;
 	isc_mem_t	*mctx = NULL;
 	int		ch, rsa_exp = 0, generator = 0, param = 0;
 	int		protocol = -1, size = -1, signatory = 0;
 	isc_result_t	ret;
 	isc_textregion_t r;
 	char		filename[255];
 	const char	*directory = NULL;
 @@ -720,27 +723,26 @@ main(int argc, char **argv) {
 	case DST_ALG_HMACSHA384:
 	case DST_ALG_HMACSHA512:
 		param = 0;
 		break;
+	}
 	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
 		null_key = ISC_TRUE;
 	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
 	do {
 		conflict = ISC_FALSE;
 		oldkey = NULL;
 		if (!quiet && show_progress) {
 			fprintf(stderr, "Generating key pair.");
 			ret = dst_key_generate2(name, alg, size, param, flags,
 						protocol, rdclass, mctx, &key,
 						&progress);
 			putc('\n', stderr);
 			fflush(stderr);
 		} else {
 			ret = dst_key_generate2(name, alg, size, param, flags,
 						protocol, rdclass, mctx, &key,
 						NULL);
+		}
 @@ -808,57 +810,55 @@ main(int argc, char **argv) {
 			if (setpub || setact || setrev || setinact ||
 			    setdel || unsetpub || unsetact ||
 			    unsetrev || unsetinact || unsetdel || genonly)
 				fatal("cannot use -C together with "
 				      "-P, -A, -R, -I, -D, or -G options");
 			/*
 			 * Compatibility mode: Private-key-format
 			 * should be set to 1.2.
 			 */
 			dst_key_setprivateformat(key, 1, 2);
+		}
 		/*
-		 * Try to read a key with the same name, alg and id from disk.
+		 * Do not overwrite an existing key, or create a key
-		 * If there is one we must continue generating a different
+		 * if there is a risk of ID collision due to this key
-		 * key unless we were asked to generate a null key, in which
+		 * or another key being revoked.
 		 * case we return failure.
 		 */
-		ret = dst_key_fromfile(name, dst_key_id(key), alg,
+		if (key_collision(dst_key_id(key), name, directory,
-				       DST_TYPE_PRIVATE, directory,
+				  alg, mctx, NULL)) {
 				       mctx, &oldkey);
 		/* do not overwrite an existing key  */
 		if (ret == ISC_R_SUCCESS) {
 			dst_key_free(&oldkey);
 			conflict = ISC_TRUE;
-			if (null_key)
+			if (null_key) {
 				dst_key_free(&key);
 				break;
+			}
 		if (conflict == ISC_TRUE) {
 			if (verbose > 0) {
 				isc_buffer_clear(&buf);
 				dst_key_buildfilename(key, 0, directory, &buf);
 				fprintf(stderr,
-					"%s: %s already exists, "
+					"%s: %s already exists, or might "
-					"generating a new key\n",
+					"collide with another key upon "
 					"revokation.  Generating a new key\n",
 					program, filename);
+			}
 			dst_key_free(&key);
+		}
 	} while (conflict == ISC_TRUE);
 	if (conflict)
-		fatal("cannot generate a null key when a key with id 0 "
+		fatal("cannot generate a null key due to possible key ID "
-		      "already exists");
+		      "collision");
 	ret = dst_key_tofile(key, options, directory);
 	if (ret != ISC_R_SUCCESS) {
 		char keystr[DST_KEY_FORMATSIZE];
 		dst_key_format(key, keystr, sizeof(keystr));
 		fatal("failed to write key %s: %s\n", keystr,
 		      isc_result_totext(ret));
+	}
 	isc_buffer_clear(&buf);
 	ret = dst_key_buildfilename(key, 0, NULL, &buf);
 	printf("%s\n", filename);
 	dst_key_free(&key);

--- src/external/bsd/bind/dist/bin/dnssec/Attic/dnssec-signzone.c 2009/12/26 23:08:21	1.2
+++ src/external/bsd/bind/dist/bin/dnssec/Attic/dnssec-signzone.c 2010/08/06 10:58:03	1.3

 @@ -1,17 +1,17 @@
-/*	$NetBSD: dnssec-signzone.c,v 1.2 2009/12/26 23:08:21 christos Exp $	*/
+/*	$NetBSD: dnssec-signzone.c,v 1.3 2010/08/06 10:58:03 christos Exp $	*/
 /*
- * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
  * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
  * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
  * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 @@ -21,27 +21,27 @@
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
  * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
  * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
  * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: dnssec-signzone.c,v 1.258 2009/12/04 22:06:37 tbox Exp */
+/* Id: dnssec-signzone.c,v 1.258.4.4 2010/06/03 23:49:23 tbox Exp */
 /*! \file */
 #include <config.h>
 #include <stdlib.h>
 #include <time.h>
 #include <isc/app.h>
 #include <isc/base32.h>
 #include <isc/commandline.h>
 #include <isc/entropy.h>
 #include <isc/event.h>
 @@ -1647,26 +1647,35 @@ verifyzone(void) {
 	zonecut = NULL;
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 	while (!done) {
 		isc_boolean_t isdelegation = ISC_FALSE;
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
 		if (!dns_name_issubdomain(name, gorigin)) {
 			dns_db_detachnode(gdb, &node);
 			result = dns_dbiterator_next(dbiter);
 			if (result == ISC_R_NOMORE)
 				done = ISC_TRUE;
 			else
 				check_result(result, "dns_dbiterator_next()");
 			continue;
+		}
 		if (delegation(name, node, NULL)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
 			isdelegation = ISC_TRUE;
+		}
 		verifynode(name, node, isdelegation, &rdataset,
 			   ksk_algorithms, bad_algorithms);
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
 			check_dns_dbiterator_current(result);
 @@ -1982,26 +1991,66 @@ add_ds(dns_name_t *name, dns_dbnode_t *n
 		check_result(result, "dns_db_addrdataset");
 		dns_rdataset_disassociate(&dsset);
 		if (dns_rdataset_isassociated(&sigdsset))
 			dns_rdataset_disassociate(&sigdsset);
 	} else if (dns_rdataset_isassociated(&sigdsset)) {
 		result = dns_db_deleterdataset(gdb, node, gversion,
 					       dns_rdatatype_rrsig,
 					       dns_rdatatype_ds);
 		check_result(result, "dns_db_deleterdataset");
 		dns_rdataset_disassociate(&sigdsset);
+	}
+}
 /*
  * Remove records of the given type and their signatures.
  */
 static void
 remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
 	isc_result_t result;
 	dns_rdatatype_t type, covers;
 	dns_rdatasetiter_t *rdsiter = NULL;
 	dns_rdataset_t rdataset;
 	dns_rdataset_init(&rdataset);
 	/*
 	 * Delete any records of the given type at the apex.
 	 */
 	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets()");
 	for (result = dns_rdatasetiter_first(rdsiter);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(rdsiter)) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		type = rdataset.type;
 		covers = rdataset.covers;
 		dns_rdataset_disassociate(&rdataset);
 		if (type == which || covers == which) {
 			if (which == dns_rdatatype_nsec && !update_chain)
 				fatal("Zone contains NSEC records.  Use -u "
 				      "to update to NSEC3.");
 			if (which == dns_rdatatype_nsec3param && !update_chain)
 				fatal("Zone contains NSEC3 chains.  Use -u "
 				      "to update to NSEC.");
 			result = dns_db_deleterdataset(gdb, node, gversion,
 						       type, covers);
 			check_result(result, "dns_db_deleterdataset()");
 			continue;
+		}
+	}
 	dns_rdatasetiter_destroy(&rdsiter);
+}
 /*%
  * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
  */
 static void
 nsecify(void) {
 	dns_dbiterator_t *dbiter = NULL;
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
 	dns_fixedname_t fname, fnextname, fzonecut;
 	dns_name_t *name, *nextname, *zonecut;
 	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *rdsiter = NULL;
 	dns_rdatatype_t type, covers;
 	isc_boolean_t done = ISC_FALSE;
 @@ -2041,56 +2090,45 @@ nsecify(void) {
 				     "dns_db_deleterdataset(nsec3param/rrsig)");
+		}
 		dns_rdatasetiter_destroy(&rdsiter);
 		dns_db_detachnode(gdb, &node);
+	}
 	dns_dbiterator_destroy(&dbiter);
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 	result = dns_dbiterator_current(dbiter, &node, name);
 	check_dns_dbiterator_current(result);
 	/*
 	 * Delete any NSEC3PARAM records at the apex.
 	 */
 	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets()");
 	for (result = dns_rdatasetiter_first(rdsiter);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(rdsiter)) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		type = rdataset.type;
 		covers = rdataset.covers;
 		dns_rdataset_disassociate(&rdataset);
 		if (type == dns_rdatatype_nsec3param ||
 		    covers == dns_rdatatype_nsec3param) {
 			result = dns_db_deleterdataset(gdb, node, gversion,
 						       type, covers);
 			check_result(result,
 				     "dns_db_deleterdataset(nsec3param/rrsig)");
 			continue;
 	dns_rdatasetiter_destroy(&rdsiter);
 	dns_db_detachnode(gdb, &node);
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
 		/*
 		 * Skip out-of-zone records.
 		 */
 		if (!dns_name_issubdomain(name, gorigin)) {
 			result = dns_dbiterator_next(dbiter);
 			if (result == ISC_R_NOMORE)
 				done = ISC_TRUE;
 			else
 				check_result(result, "dns_dbiterator_next()");
 			dns_db_detachnode(gdb, &node);
 			continue;
+		}
 		if (dns_name_equal(name, gorigin))
 			remove_records(node, dns_rdatatype_nsec3param);
 		if (delegation(name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
 			if (generateds)
 				add_ds(name, node, nsttl);
+		}
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
 			isc_boolean_t active = ISC_FALSE;
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
 			check_dns_dbiterator_current(result);
 @@ -2443,86 +2481,69 @@ remove_duplicates(void) {
 /*
  * Generate NSEC3 records for the zone.
  */
 static void
 nsec3ify(unsigned int hashalg, unsigned int iterations,
 	 const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
 	dns_dbiterator_t *dbiter = NULL;
 	dns_dbnode_t *node = NULL, *nextnode = NULL;
 	dns_fixedname_t fname, fnextname, fzonecut;
 	dns_name_t *name, *nextname, *zonecut;
 	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *rdsiter = NULL;
 	dns_rdatatype_t type, covers;
 	int order;
 	isc_boolean_t active;
 	isc_boolean_t done = ISC_FALSE;
 	isc_result_t result;
 	isc_uint32_t nsttl = 0;
 	unsigned int count, nlabels;
 	dns_rdataset_init(&rdataset);
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
 	dns_fixedname_init(&fnextname);
 	nextname = dns_fixedname_name(&fnextname);
 	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 	/*
 	 * Walk the zone generating the hash names.
 	 */
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 	result = dns_dbiterator_current(dbiter, &node, name);
 	check_dns_dbiterator_current(result);
 	/*
 	 * Delete any NSEC records at the apex.
 	 */
 	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
 	check_result(result, "dns_db_allrdatasets()");
 	for (result = dns_rdatasetiter_first(rdsiter);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(rdsiter)) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		type = rdataset.type;
 		covers = rdataset.covers;
 		dns_rdataset_disassociate(&rdataset);
 		if (type == dns_rdatatype_nsec ||
 		    covers == dns_rdatatype_nsec) {
 			if (!update_chain)
 				fatal("Zone contains NSEC records.  Use -u "
 				      "to update to NSEC3.");
 			result = dns_db_deleterdataset(gdb, node, gversion,
 						       type, covers);
 			check_result(result,
 				     "dns_db_deleterdataset(nsec3param/rrsig)");
 			continue;
 	dns_rdatasetiter_destroy(&rdsiter);
 	dns_db_detachnode(gdb, &node);
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
 		/*
 		 * Skip out-of-zone records.
 		 */
 		if (!dns_name_issubdomain(name, gorigin)) {
 			result = dns_dbiterator_next(dbiter);
 			if (result == ISC_R_NOMORE)
 				done = ISC_TRUE;
 			else
 				check_result(result, "dns_dbiterator_next()");
 			dns_db_detachnode(gdb, &node);
 			continue;
+		}
 		if (dns_name_equal(name, gorigin))
 			remove_records(node, dns_rdatatype_nsec);
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
 			check_dns_dbiterator_current(result);
 			active = active_node(nextnode);
 			if (!active) {
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
+			}
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 @@ -2619,26 +2640,38 @@ nsec3ify(unsigned int hashalg, unsigned
 	/*
 	 * Generate / complete the new chain.
 	 */
 	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 	result = dns_dbiterator_first(dbiter);
 	check_result(result, "dns_dbiterator_first()");
 	while (!done) {
 		result = dns_dbiterator_current(dbiter, &node, name);
 		check_dns_dbiterator_current(result);
 		/*
 		 * Skip out-of-zone records.
 		 */
 		if (!dns_name_issubdomain(name, gorigin)) {
 			result = dns_dbiterator_next(dbiter);
 			if (result == ISC_R_NOMORE)
 				done = ISC_TRUE;
 			else
 				check_result(result, "dns_dbiterator_next()");
 			dns_db_detachnode(gdb, &node);
 			continue;
+		}
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
 		while (result == ISC_R_SUCCESS) {
 			result = dns_dbiterator_current(dbiter, &nextnode,
 							nextname);
 			check_dns_dbiterator_current(result);
 			active = active_node(nextnode);
 			if (!active) {
 				dns_db_detachnode(gdb, &nextnode);
 				result = dns_dbiterator_next(dbiter);
 				continue;
+			}
 			if (!dns_name_issubdomain(nextname, gorigin) ||
 @@ -3248,27 +3281,27 @@ usage(void) {
 	fprintf(stderr, "verify generated signatures\n");
 	fprintf(stderr, "\t-c class (IN)\n");
 	fprintf(stderr, "\t-E engine:\n");
 #ifdef USE_PKCS11
 	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
 				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
 #endif
 	fprintf(stderr, "\t-p:\t");
 	fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
 	fprintf(stderr, "\t-P:\t");
 	fprintf(stderr, "disable post-sign verification\n");
-	fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs");
+	fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n");
 	fprintf(stderr, "\t-t:\t");
 	fprintf(stderr, "print statistics\n");
 	fprintf(stderr, "\t-u:\t");
 	fprintf(stderr, "update or replace an existing NSEC/NSEC3 chain\n");
 	fprintf(stderr, "\t-x:\tsign DNSKEY record with KSKs only, not ZSKs\n");
 	fprintf(stderr, "\t-z:\tsign all records with KSKs\n");
 	fprintf(stderr, "\t-C:\tgenerate a keyset file, for compatibility\n"
 			"\t\twith older versions of dnssec-signzone -g\n");
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
 	fprintf(stderr, "\t-k key_signing_key\n");
 	fprintf(stderr, "\t-l lookasidezone\n");
 	fprintf(stderr, "\t-3 NSEC3 salt\n");
 	fprintf(stderr, "\t-H NSEC3 iterations (10)\n");

--- src/external/bsd/bind/dist/bin/named/Attic/main.c 2009/10/25 00:14:31	1.4
+++ src/external/bsd/bind/dist/bin/named/Attic/main.c 2010/08/06 10:58:04	1.5

 @@ -1,33 +1,33 @@
-/*	$NetBSD: main.c,v 1.4 2009/10/25 00:14:31 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.5 2010/08/06 10:58:04 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp */
+/* Id: main.c,v 1.175.60.3 2010/06/26 23:46:27 tbox Exp */
 /*! \file */
 #include <config.h>
 #include <ctype.h>
 #include <stdlib.h>
 #include <string.h>
 #include <isc/app.h>
 #include <isc/backtrace.h>
 #include <isc/commandline.h>
 #include <isc/dir.h>
 @@ -492,33 +492,35 @@ parse_command_line(int argc, char *argv[
 			break;
 		case 's':
 			/* XXXRTH temporary syntax */
 			want_stats = ISC_TRUE;
 			break;
 		case 'S':
 			maxsocks = parse_int(isc_commandline_argument,
 					     "max number of sockets");
 			break;
 		case 't':
 			/* XXXJAB should we make a copy? */
 			ns_g_chrootdir = isc_commandline_argument;
 			break;
-		case 'T':
+		case 'T':	/* NOT DOCUMENTED */
 			/*
 			 * clienttest: make clients single shot with their
 			 * 	       own memory context.
 			 */
 			if (!strcmp(isc_commandline_argument, "clienttest"))
 				ns_g_clienttest = ISC_TRUE;
 			else if (!strcmp(isc_commandline_argument, "nosoa"))
 				ns_g_nosoa = ISC_TRUE;
 			else if (!strcmp(isc_commandline_argument, "maxudp512"))
 				maxudp = 512;
 			else if (!strcmp(isc_commandline_argument, "maxudp1460"))
 				maxudp = 1460;
 			else
 				fprintf(stderr, "unknown -T flag '%s\n",
 					isc_commandline_argument);
 			break;
 		case 'u':
 			ns_g_username = isc_commandline_argument;
 			break;
 		case 'v':
 			printf("BIND %s\n", ns_g_version);

--- src/external/bsd/bind/dist/bin/named/Attic/named.conf.5 2009/12/26 23:08:21	1.4
+++ src/external/bsd/bind/dist/bin/named/Attic/named.conf.5 2010/08/06 10:58:04	1.5

 @@ -1,30 +1,30 @@
-.\"	$NetBSD: named.conf.5,v 1.4 2009/12/26 23:08:21 christos Exp $
+.\"	$NetBSD: named.conf.5,v 1.5 2010/08/06 10:58:04 christos Exp $
 .\"
-.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
 .\"
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 .\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" Id: named.conf.5,v 1.41 2009/12/04 01:13:44 tbox Exp
+.\" Id: named.conf.5,v 1.41.4.1 2010/05/15 02:41:59 tbox Exp
 .\"
 .hy 0
 .ad l
 .\"     Title: \fInamed.conf\fR
 .\"    Author:
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 .\"      Date: Aug 13, 2004
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
 .TH "\fINAMED.CONF\fR" "5" "Aug 13, 2004" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 @@ -302,26 +302,27 @@ options {
 	sig\-signing\-signatures \fIinteger\fR;
 	sig\-signing\-type \fIinteger\fR;
 	transfer\-source ( \fIipv4_address\fR | * )
 		[ port ( \fIinteger\fR | * ) ];
 	transfer\-source\-v6 ( \fIipv6_address\fR | * )
 		[ port ( \fIinteger\fR | * ) ];
 	alt\-transfer\-source ( \fIipv4_address\fR | * )
 		[ port ( \fIinteger\fR | * ) ];
 	alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
 		[ port ( \fIinteger\fR | * ) ];
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
 	managed\-keys\-directory \fIquoted_string\fR;
 	auto\-dnssec \fBallow\fR|\fBmaintain\fR|\fBcreate\fR|\fBoff\fR;
 	try\-tcp\-refresh \fIboolean\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
 	deny\-answer\-addresses {
 		\fIaddress_match_list\fR
 	} [ except\-from { \fInamelist\fR } ];
 	deny\-answer\-aliases {
 		\fInamelist\fR
 	} [ except\-from { \fInamelist\fR } ];
 	nsec3\-test\-zone \fIboolean\fR;  // testing only
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 @@ -561,15 +562,15 @@ zone \fIstring\fR \fIoptional_class\fR {
 };
 .fi
 .RE
 .SH "FILES"
 .PP
 \fI/etc/named.conf\fR
 .SH "SEE ALSO"
 .PP
 \fBnamed\fR(8),
 \fBnamed\-checkconf\fR(8),
 \fBrndc\fR(8),
 BIND 9 Administrator Reference Manual.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2010 Internet Systems Consortium, Inc. ("ISC")
 .br

--- src/external/bsd/bind/dist/bin/named/Attic/named.conf.docbook 2009/12/26 23:08:21	1.4
+++ src/external/bsd/bind/dist/bin/named/Attic/named.conf.docbook 2010/08/06 10:58:04	1.5

 @@ -1,57 +1,58 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
+ -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- Id: named.conf.docbook,v 1.44 2009/12/03 23:18:16 each Exp -->
+<!-- Id: named.conf.docbook,v 1.44.4.2 2010/05/14 23:49:18 tbox Exp -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
   </refentryinfo>
   <refmeta>
     <refentrytitle><filename>named.conf</filename></refentrytitle>
     <manvolnum>5</manvolnum>
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
   <refnamediv>
     <refname><filename>named.conf</filename></refname>
     <refpurpose>configuration file for named</refpurpose>
   </refnamediv>
   <docinfo>
     <copyright>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
       <year>2009</year>
       <year>2010</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named.conf</command>
     </cmdsynopsis>
   </refsynopsisdiv>
   <refsect1>
     <title>DESCRIPTION</title>
     <para><filename>named.conf</filename> is the configuration file
 @@ -339,26 +340,27 @@ options {
 	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 	zone-statistics <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
 	managed-keys-directory <replaceable>quoted_string</replaceable>;
 	auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>create</constant>|<constant>off</constant>;
 	try-tcp-refresh <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
 	deny-answer-addresses {
 		<replaceable>address_match_list</replaceable>
 	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
 	deny-answer-aliases {
 		<replaceable>namelist</replaceable>
 	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
 	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only

--- src/external/bsd/bind/dist/bin/named/Attic/named.conf.html 2009/12/26 23:08:21	1.4
+++ src/external/bsd/bind/dist/bin/named/Attic/named.conf.html 2010/08/06 10:58:04	1.5

 @@ -1,172 +1,172 @@
 <!--
- - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
+ -
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- Id: named.conf.html,v 1.50 2009/12/04 01:13:44 tbox Exp -->
+<!-- Id: named.conf.html,v 1.50.4.1 2010/05/15 02:41:59 tbox Exp -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <title>named.conf</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
 <a name="id2476275"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
 <p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
 <div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543346"></a><h2>DESCRIPTION</h2>
+<a name="id2543349"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">named.conf</code> is the configuration file
       for
       <span><strong class="command">named</strong></span>.  Statements are enclosed
       in braces and terminated with a semi-colon.  Clauses in
       the statements are also semi-colon terminated.  The usual
       comment styles are supported:
     </p>
 <p>
       C style: /* */
     </p>
 <p>
       C++ style: // to end of line
     </p>
 <p>
       Unix style: # to end of line
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543373"></a><h2>ACL</h2>
+<a name="id2543377"></a><h2>ACL</h2>
 <div class="literallayout"><p><br>
 acl�<em class="replaceable"><code>string</code></em>�{�<em class="replaceable"><code>address_match_element</code></em>;�...�};<br>
 <br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543389"></a><h2>KEY</h2>
+<a name="id2543393"></a><h2>KEY</h2>
 <div class="literallayout"><p><br>
 key�<em class="replaceable"><code>domain_name</code></em>�{<br>
 	algorithm�<em class="replaceable"><code>string</code></em>;<br>
 	secret�<em class="replaceable"><code>string</code></em>;<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543409"></a><h2>MASTERS</h2>
+<a name="id2543412"></a><h2>MASTERS</h2>
 <div class="literallayout"><p><br>
 masters�<em class="replaceable"><code>string</code></em>�[<span class="optional">�port�<em class="replaceable"><code>integer</code></em>�</span>]�{<br>
 	(�<em class="replaceable"><code>masters</code></em>�|�<em class="replaceable"><code>ipv4_address</code></em>�[<span class="optional">port�<em class="replaceable"><code>integer</code></em></span>]�|<br>
 	<em class="replaceable"><code>ipv6_address</code></em>�[<span class="optional">port�<em class="replaceable"><code>integer</code></em></span>]�)�[<span class="optional">�key�<em class="replaceable"><code>string</code></em>�</span>];�...<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543454"></a><h2>SERVER</h2>
+<a name="id2543458"></a><h2>SERVER</h2>
 <div class="literallayout"><p><br>
 server�(�<em class="replaceable"><code>ipv4_address[<span class="optional">/prefixlen</span>]</code></em>�|�<em class="replaceable"><code>ipv6_address[<span class="optional">/prefixlen</span>]</code></em>�)�{<br>
 	bogus�<em class="replaceable"><code>boolean</code></em>;<br>
 	edns�<em class="replaceable"><code>boolean</code></em>;<br>
 	edns-udp-size�<em class="replaceable"><code>integer</code></em>;<br>
 	max-udp-size�<em class="replaceable"><code>integer</code></em>;<br>
 	provide-ixfr�<em class="replaceable"><code>boolean</code></em>;<br>
 	request-ixfr�<em class="replaceable"><code>boolean</code></em>;<br>
 	keys�<em class="replaceable"><code>server_key</code></em>;<br>
 	transfers�<em class="replaceable"><code>integer</code></em>;<br>
 	transfer-format�(�many-answers�|�one-answer�);<br>
 	transfer-source�(�<em class="replaceable"><code>ipv4_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>];<br>
 	transfer-source-v6�(�<em class="replaceable"><code>ipv6_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>];<br>
 <br>
 	support-ixfr�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543523"></a><h2>TRUSTED-KEYS</h2>
+<a name="id2543526"></a><h2>TRUSTED-KEYS</h2>
 <div class="literallayout"><p><br>
 trusted-keys�{<br>
 	<em class="replaceable"><code>domain_name</code></em>�<em class="replaceable"><code>flags</code></em>�<em class="replaceable"><code>protocol</code></em>�<em class="replaceable"><code>algorithm</code></em>�<em class="replaceable"><code>key</code></em>;�...�<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543548"></a><h2>MANAGED-KEYS</h2>
+<a name="id2543552"></a><h2>MANAGED-KEYS</h2>
 <div class="literallayout"><p><br>
 managed-keys�{<br>
 	<em class="replaceable"><code>domain_name</code></em>�<code class="constant">initial-key</code>�<em class="replaceable"><code>flags</code></em>�<em class="replaceable"><code>protocol</code></em>�<em class="replaceable"><code>algorithm</code></em>�<em class="replaceable"><code>key</code></em>;�...�<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543577"></a><h2>CONTROLS</h2>
+<a name="id2543580"></a><h2>CONTROLS</h2>
 <div class="literallayout"><p><br>
 controls�{<br>
 	inet�(�<em class="replaceable"><code>ipv4_address</code></em>�|�<em class="replaceable"><code>ipv6_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>]<br>
 		allow�{�<em class="replaceable"><code>address_match_element</code></em>;�...�}<br>
 		[<span class="optional">�keys�{�<em class="replaceable"><code>string</code></em>;�...�}�</span>];<br>
 	unix�<em class="replaceable"><code>unsupported</code></em>;�//�not�implemented<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543612"></a><h2>LOGGING</h2>
+<a name="id2543616"></a><h2>LOGGING</h2>
 <div class="literallayout"><p><br>
 logging�{<br>
 	channel�<em class="replaceable"><code>string</code></em>�{<br>
 		file�<em class="replaceable"><code>log_file</code></em>;<br>
 		syslog�<em class="replaceable"><code>optional_facility</code></em>;<br>
 		null;<br>
 		stderr;<br>
 		severity�<em class="replaceable"><code>log_severity</code></em>;<br>
 		print-time�<em class="replaceable"><code>boolean</code></em>;<br>
 		print-severity�<em class="replaceable"><code>boolean</code></em>;<br>
 		print-category�<em class="replaceable"><code>boolean</code></em>;<br>
 	};<br>
 	category�<em class="replaceable"><code>string</code></em>�{�<em class="replaceable"><code>string</code></em>;�...�};<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543651"></a><h2>LWRES</h2>
+<a name="id2543654"></a><h2>LWRES</h2>
 <div class="literallayout"><p><br>
 lwres�{<br>
 	listen-on�[<span class="optional">�port�<em class="replaceable"><code>integer</code></em>�</span>]�{<br>
 		(�<em class="replaceable"><code>ipv4_address</code></em>�|�<em class="replaceable"><code>ipv6_address</code></em>�)�[<span class="optional">�port�<em class="replaceable"><code>integer</code></em>�</span>];�...<br>
 	};<br>
 	view�<em class="replaceable"><code>string</code></em>�<em class="replaceable"><code>optional_class</code></em>;<br>
 	search�{�<em class="replaceable"><code>string</code></em>;�...�};<br>
 	ndots�<em class="replaceable"><code>integer</code></em>;<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543692"></a><h2>OPTIONS</h2>
+<a name="id2543696"></a><h2>OPTIONS</h2>
 <div class="literallayout"><p><br>
 options�{<br>
 	avoid-v4-udp-ports�{�<em class="replaceable"><code>port</code></em>;�...�};<br>
 	avoid-v6-udp-ports�{�<em class="replaceable"><code>port</code></em>;�...�};<br>
 	blackhole�{�<em class="replaceable"><code>address_match_element</code></em>;�...�};<br>
 	coresize�<em class="replaceable"><code>size</code></em>;<br>
 	datasize�<em class="replaceable"><code>size</code></em>;<br>
 	directory�<em class="replaceable"><code>quoted_string</code></em>;<br>
 	dump-file�<em class="replaceable"><code>quoted_string</code></em>;<br>
 	files�<em class="replaceable"><code>size</code></em>;<br>
 	heartbeat-interval�<em class="replaceable"><code>integer</code></em>;<br>
 	host-statistics�<em class="replaceable"><code>boolean</code></em>;�//�not�implemented<br>
 	host-statistics-max�<em class="replaceable"><code>number</code></em>;�//�not�implemented<br>
 @@ -307,26 +307,27 @@ options�{
 	transfer-source�(�<em class="replaceable"><code>ipv4_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>];<br>
 	transfer-source-v6�(�<em class="replaceable"><code>ipv6_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>];<br>
 <br>
 	alt-transfer-source�(�<em class="replaceable"><code>ipv4_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>];<br>
 	alt-transfer-source-v6�(�<em class="replaceable"><code>ipv6_address</code></em>�|�*�)<br>
 		[<span class="optional">�port�(�<em class="replaceable"><code>integer</code></em>�|�*�)�</span>];<br>
 	use-alt-transfer-source�<em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	zone-statistics�<em class="replaceable"><code>boolean</code></em>;<br>
 	key-directory�<em class="replaceable"><code>quoted_string</code></em>;<br>
 	managed-keys-directory�<em class="replaceable"><code>quoted_string</code></em>;<br>
 	auto-dnssec�<code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>;<br>
 	try-tcp-refresh�<em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl�<em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache�<em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-secure-to-insecure�<em class="replaceable"><code>boolean</code></em>;<br>
 	deny-answer-addresses�{<br>
 		<em class="replaceable"><code>address_match_list</code></em><br>
 	}�[<span class="optional">�except-from�{�<em class="replaceable"><code>namelist</code></em>�}�</span>];<br>
 	deny-answer-aliases�{<br>
 		<em class="replaceable"><code>namelist</code></em><br>
 	}�[<span class="optional">�except-from�{�<em class="replaceable"><code>namelist</code></em>�}�</span>];<br>
 <br>
 	nsec3-test-zone�<em class="replaceable"><code>boolean</code></em>;��//�testing�only<br>
 @@ -337,27 +338,27 @@ options�{
 	fetch-glue�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	has-old-clients�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	maintain-ixfr-base�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	max-ixfr-log-size�<em class="replaceable"><code>size</code></em>;�//�obsolete<br>
 	multiple-cnames�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	named-xfer�<em class="replaceable"><code>quoted_string</code></em>;�//�obsolete<br>
 	serial-queries�<em class="replaceable"><code>integer</code></em>;�//�obsolete<br>
 	treat-cr-as-space�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	use-id-pool�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544532"></a><h2>VIEW</h2>
+<a name="id2544538"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view�<em class="replaceable"><code>string</code></em>�<em class="replaceable"><code>optional_class</code></em>�{<br>
 	match-clients�{�<em class="replaceable"><code>address_match_element</code></em>;�...�};<br>
 	match-destinations�{�<em class="replaceable"><code>address_match_element</code></em>;�...�};<br>
 	match-recursive-only�<em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	key�<em class="replaceable"><code>string</code></em>�{<br>
 		algorithm�<em class="replaceable"><code>string</code></em>;<br>
 		secret�<em class="replaceable"><code>string</code></em>;<br>
 	};<br>
 <br>
 	zone�<em class="replaceable"><code>string</code></em>�<em class="replaceable"><code>optional_class</code></em>�{<br>
 		...<br>
 @@ -488,27 +489,27 @@ view�strin
 	key-directory�<em class="replaceable"><code>quoted_string</code></em>;<br>
 	zero-no-soa-ttl�<em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache�<em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-secure-to-insecure�<em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	allow-v6-synthesis�{�<em class="replaceable"><code>address_match_element</code></em>;�...�};�//�obsolete<br>
 	fetch-glue�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	maintain-ixfr-base�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	max-ixfr-log-size�<em class="replaceable"><code>size</code></em>;�//�obsolete<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545203"></a><h2>ZONE</h2>
+<a name="id2545209"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone�<em class="replaceable"><code>string</code></em>�<em class="replaceable"><code>optional_class</code></em>�{<br>
 	type�(�master�|�slave�|�stub�|�hint�|<br>
 		forward�|�delegation-only�);<br>
 	file�<em class="replaceable"><code>quoted_string</code></em>;<br>
 <br>
 	masters�[<span class="optional">�port�<em class="replaceable"><code>integer</code></em>�</span>]�{<br>
 		(�<em class="replaceable"><code>masters</code></em>�|<br>
 		<em class="replaceable"><code>ipv4_address</code></em>�[<span class="optional">port�<em class="replaceable"><code>integer</code></em></span>]�|<br>
 		<em class="replaceable"><code>ipv6_address</code></em>�[<span class="optional">�port�<em class="replaceable"><code>integer</code></em>�</span>]�)�[<span class="optional">�key�<em class="replaceable"><code>string</code></em>�</span>];�...<br>
 	};<br>
 <br>
 	database�<em class="replaceable"><code>string</code></em>;<br>
 @@ -583,27 +584,27 @@ zone�strin
 	key-directory�<em class="replaceable"><code>quoted_string</code></em>;<br>
 <br>
 	nsec3-test-zone�<em class="replaceable"><code>boolean</code></em>;��//�testing�only<br>
 <br>
 	ixfr-base�<em class="replaceable"><code>quoted_string</code></em>;�//�obsolete<br>
 	ixfr-tmp-file�<em class="replaceable"><code>quoted_string</code></em>;�//�obsolete<br>
 	maintain-ixfr-base�<em class="replaceable"><code>boolean</code></em>;�//�obsolete<br>
 	max-ixfr-log-size�<em class="replaceable"><code>size</code></em>;�//�obsolete<br>
 	pubkey�<em class="replaceable"><code>integer</code></em>�<em class="replaceable"><code>integer</code></em>�<em class="replaceable"><code>integer</code></em>�<em class="replaceable"><code>quoted_string</code></em>;�//�obsolete<br>
 };<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545514"></a><h2>FILES</h2>
+<a name="id2545521"></a><h2>FILES</h2>
 <p><code class="filename">/etc/named.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545526"></a><h2>SEE ALSO</h2>
+<a name="id2545601"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 </div></body>
 </html>

--- src/external/bsd/bind/dist/bin/named/Attic/server.c 2009/12/26 23:08:21	1.4
+++ src/external/bsd/bind/dist/bin/named/Attic/server.c 2010/08/06 10:58:04	1.5

 @@ -1,53 +1,58 @@
-/*	$NetBSD: server.c,v 1.4 2009/12/26 23:08:21 christos Exp $	*/
+/*	$NetBSD: server.c,v 1.5 2010/08/06 10:58:04 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: server.c,v 1.556 2009/11/28 15:57:36 vjs Exp */
+/* Id: server.c,v 1.556.8.20 2010/07/19 06:14:11 marka Exp */
 /*! \file */
 #include <config.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <limits.h>
 #include <ctype.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <isc/app.h>
 #include <isc/base64.h>
 #include <isc/dir.h>
 #include <isc/entropy.h>
 #include <isc/file.h>
 #include <isc/hash.h>
 #include <isc/httpd.h>
 #include <isc/lex.h>
 #include <isc/parseint.h>
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/resource.h>
 #include <isc/sha2.h>
 #include <isc/socket.h>
 #include <isc/stat.h>
 #include <isc/stats.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 #include <isc/xml.h>
 #include <isccfg/namedconf.h>
 #include <bind9/check.h>
 @@ -96,26 +101,30 @@
 #include <named/lwresd.h>
 #include <named/main.h>
 #include <named/os.h>
 #include <named/server.h>
 #include <named/statschannel.h>
 #include <named/tkeyconf.h>
 #include <named/tsigconf.h>
 #include <named/zoneconf.h>
 #ifdef HAVE_LIBSCF
 #include <named/ns_smf_globals.h>
 #include <stdlib.h>
 #endif
 #ifndef PATH_MAX
 #define PATH_MAX 1024
 #endif
 /*%
  * Check an operation for failure.  Assumes that the function
  * using it has a 'result' variable and a 'cleanup' label.
  */
 #define CHECK(op) \
 	do { result = (op);					 \
 	       if (result != ISC_R_SUCCESS) goto cleanup;	 \
 	} while (0)
 #define CHECKM(op, msg) \
 	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS) {			  \
 			isc_log_write(ns_g_lctx,		  \
 @@ -215,43 +224,51 @@ static const struct {
 	{ "22.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "23.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "24.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "25.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "26.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "27.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "28.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "29.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "30.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "31.172.IN-ADDR.ARPA", ISC_TRUE },
 	{ "168.192.IN-ADDR.ARPA", ISC_TRUE },
 #endif
-	/* RFC 3330 */
+	/* RFC 5735 and RFC 5737 */
 	{ "0.IN-ADDR.ARPA", ISC_FALSE },	/* THIS NETWORK */
 	{ "127.IN-ADDR.ARPA", ISC_FALSE },	/* LOOPBACK */
 	{ "254.169.IN-ADDR.ARPA", ISC_FALSE },	/* LINK LOCAL */
 	{ "2.0.192.IN-ADDR.ARPA", ISC_FALSE },	/* TEST NET */
 	{ "100.51.198.IN-ADDR.ARPA", ISC_FALSE },	/* TEST NET 2 */
 	{ "113.0.203.IN-ADDR.ARPA", ISC_FALSE },	/* TEST NET 3 */
 	{ "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE },	/* BROADCAST */
 	/* Local IPv6 Unicast Addresses */
 	{ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
 	{ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
 	/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
 	{ "D.F.IP6.ARPA", ISC_FALSE },
 	{ "8.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
 	{ "9.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
 	{ "A.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
 	{ "B.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
 	/* Example Prefix, RFC 3849. */
 	{ "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE },
 	/* ORCHID Prefix, RFC 4843. */
 	{ "0.1.1.0.0.2.IP6.ARPA", ISC_FALSE },
 	{ NULL, ISC_FALSE }
 };
 ISC_PLATFORM_NORETURN_PRE static void
 fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
 static void
 ns_server_reload(isc_task_t *task, isc_event_t *event);
 static isc_result_t
 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 			cfg_aclconfctx_t *actx,
 			isc_mem_t *mctx, ns_listenelt_t **target);
 @@ -264,31 +281,40 @@ static isc_result_t
 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
 static isc_result_t
 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
 		     const cfg_obj_t *alternates);
 static isc_result_t
 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
 	       cfg_aclconfctx_t *aclconf);
 static isc_result_t
-add_keydata_zone(dns_view_t *view, isc_mem_t *mctx);
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
 static void
 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
 /*
  * Stores config for building zones after the fact
  */
 static cfg_obj_t *nzf_config = NULL;
 static cfg_parser_t *nzf_parser = NULL;
 static const char *nzf_file = NULL;
 static const cfg_obj_t *nzf_option = NULL;
 static cfg_aclconfctx_t nzf_actx;
 /*%
  * Configure a single view ACL at '*aclp'.  Get its configuration from
  * 'vconfig' (for per-view configuration) and maybe from 'config'
  */
 static isc_result_t
 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 		   const char *aclname, const char *acltuplename,
 		   cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
+{
 	isc_result_t result;
 	const cfg_obj_t *maps[3];
 	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
 @@ -471,27 +497,27 @@ dstkey_fromconfig(const cfg_obj_t *vconf
 	INSIST(target != NULL && *target == NULL);
 	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
 	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
 	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
 	keyname = dns_fixedname_name(&fkeyname);
 	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
 	if (managed) {
 		const char *initmethod;
 		initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
-		if (strcmp(initmethod, "initial-key") != 0) {
+		if (strcasecmp(initmethod, "initial-key") != 0) {
 			cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
 				    "managed key '%s': "
 				    "invalid initialization method '%s'",
 				    keynamestr, initmethod);
 			result = ISC_R_FAILURE;
 			goto cleanup;
+		}
+	}
 	if (vconfig == NULL)
 		viewclass = dns_rdataclass_in;
 	else {
 		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
 @@ -619,114 +645,120 @@ load_view_keys(const cfg_obj_t *keys, co
  * Configure DNSSEC keys for a view.
+ *
  * The per-view configuration values and the server-global defaults are read
  * from 'vconfig' and 'config'.
  */
 static isc_result_t
 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
 			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
 			  isc_boolean_t auto_dlv, isc_mem_t *mctx)
+{
 	isc_result_t result = ISC_R_SUCCESS;
 	const cfg_obj_t *view_keys = NULL;
 	const cfg_obj_t *global_keys = NULL;
 	const cfg_obj_t *view_managed_keys = NULL;
 	const cfg_obj_t *global_managed_keys = NULL;
 	const cfg_obj_t *builtin_keys = NULL;
 	const cfg_obj_t *builtin_managed_keys = NULL;
 	const cfg_obj_t *maps[4];
 	const cfg_obj_t *voptions = NULL;
 	const cfg_obj_t *options = NULL;
-	isc_boolean_t meta;
+	const cfg_obj_t *obj = NULL;
 	const char *directory;
 	int i = 0;
 	/* We don't need trust anchors for the _bind view */
 	if (strcmp(view->name, "_bind") == 0 &&
 	    view->rdclass == dns_rdataclass_chaos) {
 		return (ISC_R_SUCCESS);
+	}
 	meta = ISC_TF(strcmp(view->name, "_meta") == 0 &&
 		      view->rdclass == dns_rdataclass_in);
 	if (vconfig != NULL) {
 		voptions = cfg_tuple_get(vconfig, "options");
 		if (voptions != NULL) {
 			(void) cfg_map_get(voptions, "trusted-keys",
 					   &view_keys);
 			(void) cfg_map_get(voptions, "managed-keys",
 					   &view_managed_keys);
 			maps[i++] = voptions;
+		}
+	}
 	if (config != NULL) {
 		(void)cfg_map_get(config, "trusted-keys", &global_keys);
 		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
 		(void)cfg_map_get(config, "options", &options);
 		if (options != NULL) {
 			maps[i++] = options;
+		}
+	}
 	maps[i++] = ns_g_defaults;
 	maps[i] = NULL;
 	result = dns_view_initsecroots(view, mctx);
 	if (result != ISC_R_SUCCESS) {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "couldn't create keytable");
 		return (ISC_R_UNEXPECTED);
+	}
-	if (global_managed_keys != NULL)
+	if (auto_dlv && view->rdclass == dns_rdataclass_in) {
 		ns_g_server->managedkeys = ISC_TRUE;
 	if (auto_dlv) {
 		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
 			      "using built-in trusted-keys for view %s",
 			      view->name);
 		/*
 		 * If bind.keys exists, it overrides the managed-keys
 		 * clause hard-coded in ns_g_config.
 		 */
 		if (bindkeys != NULL) {
 			(void)cfg_map_get(bindkeys, "trusted-keys",
 					  &builtin_keys);
 			(void)cfg_map_get(bindkeys, "managed-keys",
 					  &builtin_managed_keys);
 		} else {
 			(void)cfg_map_get(ns_g_config, "trusted-keys",
 					  &builtin_keys);
 			(void)cfg_map_get(ns_g_config, "managed-keys",
 					  &builtin_managed_keys);
+		}
 		if (builtin_keys != NULL)
 			CHECK(load_view_keys(builtin_keys, vconfig, view,
 					     ISC_FALSE, mctx));
 		if (builtin_managed_keys != NULL)
 			ns_g_server->managedkeys = ISC_TRUE;
 		CHECK(load_view_keys(builtin_keys, vconfig, view,
 				     ISC_FALSE, mctx));
 		if (meta)
 			CHECK(load_view_keys(builtin_managed_keys, vconfig,
 					     view, ISC_TRUE, mctx));
+	}
 	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
-	CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE, mctx));
+	CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx));
 	if (view->rdclass == dns_rdataclass_in) {
-	if (meta)
+		CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
 				     mctx));
 		CHECK(load_view_keys(global_managed_keys, vconfig, view,
-			       ISC_TRUE, mctx));
+				     ISC_TRUE, mctx));
+	}
 	/*
 	 * Add key zone for managed-keys.
 	 */
 	obj = NULL;
 	(void)ns_config_get(maps, "managed-keys-directory", &obj);
 	directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
 	CHECK(add_keydata_zone(view, directory, ns_g_mctx));
   cleanup:
 	return (result);
+}
 static isc_result_t
 mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
 	const cfg_listelt_t *element;
 	const cfg_obj_t *obj;
 	const char *str;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
 	isc_boolean_t value;
 @@ -2100,28 +2132,30 @@ configure_view(dns_view_t *view, const c
 	INSIST(result == ISC_R_SUCCESS);
 	if (cfg_obj_isboolean(obj)) {
 		if (cfg_obj_asboolean(obj))
 			view->v4_aaaa = dns_v4_aaaa_filter;
 		else
 			view->v4_aaaa = dns_v4_aaaa_ok;
 	} else {
 		const char *v4_aaaastr = cfg_obj_asstring(obj);
 		if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
 			view->v4_aaaa = dns_v4_aaaa_break_dnssec;
 		else
 			INSIST(0);
+	}
 	CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
 				 actx, ns_g_mctx, &view->v4_aaaa_acl));
 #endif
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-enable", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	view->enablednssec = cfg_obj_asboolean(obj);
 	obj = NULL;
 	result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {
 		/* If set to "auto", use the version from the defaults */
 		const cfg_obj_t *dlvobj;
 		dlvobj = cfg_listelt_value(cfg_list_first(obj));
 		if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
 			    "auto") &&
 @@ -2913,78 +2947,84 @@ configure_zone(const cfg_obj_t *config,
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 	if (pview != NULL)
 		dns_view_detach(&pview);
 	return (result);
+}
 /*
  * Configure built-in zone for storing managed-key data.
  */
 #define KEYZONE "managed-keys.bind"
 #define MKEYS ".mkeys"
 static isc_result_t
-add_keydata_zone(dns_view_t *view, isc_mem_t *mctx) {
+add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	dns_acl_t *none = NULL;
-	dns_name_t zname;
+	char filename[PATH_MAX];
 	char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
-	if (!ns_g_server->managedkeys)
+	int n;
 		return (ISC_R_SUCCESS);
 	REQUIRE(view != NULL);
 	CHECK(dns_zone_create(&zone, mctx));
-	dns_name_init(&zname, NULL);
+	CHECK(dns_zone_setorigin(zone, dns_rootname));
 	CHECK(dns_name_fromstring(&zname, KEYZONE, 0, mctx));
 	CHECK(dns_zone_setorigin(zone, &zname));
 	dns_name_free(&zname, mctx);
 	CHECK(dns_zone_setfile(zone, KEYZONE));
-	if (view->hints == NULL)
+	isc_sha256_data((void *)view->name, strlen(view->name), buffer);
-		dns_view_sethints(view, ns_g_server->in_roothints);
+	strcat(buffer, MKEYS);
 	n = snprintf(filename, sizeof(filename), "%s%s%s",
 		     directory ? directory : "", directory ? "/" : "",
 		     strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
 	if (n < 0 || (size_t)n >= sizeof(filename)) {
 		result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
 		goto cleanup;
+	}
 	CHECK(dns_zone_setfile(zone, filename));
 	dns_zone_setview(zone, view);
 	dns_zone_settype(zone, dns_zone_key);
 	dns_zone_setclass(zone, view->rdclass);
 	CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
 	if (view->acache != NULL)
 		dns_zone_setacache(zone, view->acache);
 	CHECK(dns_acl_none(mctx, &none));
 	dns_zone_setqueryacl(zone, none);
 	dns_zone_setqueryonacl(zone, none);
 	dns_acl_detach(&none);
 	dns_zone_setdialup(zone, dns_dialuptype_no);
 	dns_zone_setnotifytype(zone, dns_notifytype_no);
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
 	dns_zone_setjournalsize(zone, 0);
 	dns_zone_setstats(zone, ns_g_server->zonestats);
 	CHECK(setquerystats(zone, mctx, ISC_FALSE));
-	CHECK(dns_view_addzone(view, zone));
+	if (view->managed_keys != NULL)
 		dns_zone_detach(&view->managed_keys);
 	dns_zone_attach(zone, &view->managed_keys);
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-		      "set up %s meta-zone", KEYZONE);
+		      "set up managed keys zone for view %s, file '%s'",
 		      view->name, filename);
 cleanup:
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 	if (none != NULL)
 		dns_acl_detach(&none);
 	return (result);
+}
 /*
  * Configure a single server quota.
  */
 @@ -3963,26 +4003,37 @@ load_configuration(const char *filename,
 			 * Not specified, use default.
 			 */
 			enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
 			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
 						    enable, &listenon));
+		}
 		if (listenon != NULL) {
 			ns_interfacemgr_setlistenon6(server->interfacemgr,
 						     listenon);
 			ns_listenlist_detach(&listenon);
+		}
+	}
 	/* Are we preserving config for adding zones dynamically? */
 	obj = NULL;
 	result = cfg_map_get(options, "new-zone-file", &obj);
 	if (obj && nzf_option == NULL) {
 		nzf_file = cfg_obj_asstring(obj);
 		if (nzf_file && *nzf_file) {
 			/* Remember this configuration */
 			nzf_option = config;
+		}
+	}
 	/*
 	 * Rescan the interface list to pick up changes in the
 	 * listen-on option.  It's important that we do this before we try
 	 * to configure the query source, since the dispatcher we use might
 	 * be shared with an interface.
 	 */
 	scan_interfaces(server, ISC_TRUE);
 	/*
 	 * Arrange for further interface scanning to occur periodically
 	 * as specified by the "interface-interval" option.
 	 */
 	obj = NULL;
 @@ -4058,72 +4109,79 @@ load_configuration(const char *filename,
 	(void)cfg_map_get(config, "view", &views);
 	for (element = cfg_list_first(views);
 	     element != NULL;
 	     element = cfg_list_next(element))
+	{
 		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		view = NULL;
 		CHECK(create_view(vconfig, &viewlist, &view));
 		INSIST(view != NULL);
 		CHECK(configure_view(view, config, vconfig,
 				     &cachelist, bindkeys,
 				     ns_g_mctx, &aclconfctx, ISC_TRUE));
 		if (vconfig != NULL) {
 			/*
 			 * Are we preserving config for dynamically added
 			 * zones?
 			 */
 			const cfg_obj_t *voptions;
 			voptions = cfg_tuple_get(vconfig, "options");
 			obj = NULL;
 			result = cfg_map_get(voptions, "new-zone-file", &obj);
 			if (obj && nzf_option == NULL)
 				nzf_option = config;
+		}
 		dns_view_freeze(view);
 		dns_view_detach(&view);
+	}
 	/*
 	 * Make sure we have a default view if and only if there
 	 * were no explicit views.
 	 */
 	if (views == NULL) {
 		/*
 		 * No explicit views; there ought to be a default view.
 		 * There may already be one created as a side effect
 		 * of zone statements, or we may have to create one.
 		 * In either case, we need to configure and freeze it.
 		 */
 		CHECK(create_view(NULL, &viewlist, &view));
 		CHECK(configure_view(view, config, NULL,
 				     &cachelist, bindkeys,
 				     ns_g_mctx, &aclconfctx, ISC_TRUE));
 		dns_view_freeze(view);
 		dns_view_detach(&view);
+	}
 	/*
-	 * Create (or recreate) the built-in views.  Currently
+	 * Create (or recreate) the built-in views.
 	 * there is only one, the _bind view, but allow for others.
 	 */
 	builtin_views = NULL;
 	RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
 				  &builtin_views) == ISC_R_SUCCESS);
 	for (element = cfg_list_first(builtin_views);
 	     element != NULL;
 	     element = cfg_list_next(element))
+	{
 		const cfg_obj_t *vconfig = cfg_listelt_value(element);
 		CHECK(create_view(vconfig, &builtin_viewlist, &view));
 		CHECK(configure_view(view, config, vconfig,
 				     &cachelist, bindkeys,
 				     ns_g_mctx, &aclconfctx, ISC_FALSE));
 		if (!strcmp(view->name, "_meta")) {
 			result = add_keydata_zone(view, ns_g_mctx);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_view_freeze(view);
 		dns_view_detach(&view);
 		view = NULL;
+	}
 	/* Now combine the two viewlists into one */
 	ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
 	/* Swap our new view list with the production one. */
 	tmpviewlist = server->viewlist;
 	server->viewlist = viewlist;
 	viewlist = tmpviewlist;
 @@ -4326,26 +4384,32 @@ load_configuration(const char *filename,
 	obj = NULL;
 	result = ns_config_get(maps, "statistics-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
 	       "strdup");
 	obj = NULL;
 	result = ns_config_get(maps, "dump-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
 	       "strdup");
 	obj = NULL;
 	result = ns_config_get(maps, "secroots-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
 	       "strdup");
 	obj = NULL;
 	result = ns_config_get(maps, "recursing-file", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
 	       "strdup");
 	obj = NULL;
 	result = ns_config_get(maps, "version", &obj);
 	if (result == ISC_R_SUCCESS) {
 		CHECKM(setoptstring(server, &server->version, obj), "strdup");
 		server->version_set = ISC_TRUE;
 	} else {
 		server->version_set = ISC_FALSE;
+	}
 @@ -4382,27 +4446,36 @@ load_configuration(const char *filename,
 	} else {
 		server->flushonshutdown = ISC_FALSE;
+	}
 	result = ISC_R_SUCCESS;
  cleanup:
 	if (v4portset != NULL)
 		isc_portset_destroy(ns_g_mctx, &v4portset);
 	if (v6portset != NULL)
 		isc_portset_destroy(ns_g_mctx, &v6portset);
-	cfg_aclconfctx_destroy(&aclconfctx);
+	/* Preserve config, we'll need it when adding zones */
 	if (nzf_option != NULL) {
 		nzf_parser = conf_parser;
 		conf_parser = NULL;
 		nzf_config = config;
 		config = NULL;
 		memcpy(&nzf_actx, &aclconfctx, sizeof(cfg_aclconfctx_t));
 	} else {
 		cfg_aclconfctx_destroy(&aclconfctx);
+	}
 	if (conf_parser != NULL) {
 		if (config != NULL)
 			cfg_obj_destroy(conf_parser, &config);
 		cfg_parser_destroy(&conf_parser);
+	}
 	if (bindkeys_parser != NULL) {
 		if (bindkeys  != NULL)
 			cfg_obj_destroy(bindkeys_parser, &bindkeys);
 		cfg_parser_destroy(&bindkeys_parser);
+	}
 @@ -4456,26 +4529,28 @@ load_zones(ns_server_t *server, isc_bool
 	dns_view_t *view;
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	/*
 	 * Load zone data from disk.
 	 */
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link))
+	{
 		CHECK(dns_view_load(view, stop));
 		if (view->managed_keys != NULL)
 			CHECK(dns_zone_load(view->managed_keys));
+	}
 	/*
 	 * Force zone maintenance.  Do this after loading
 	 * so that we know when we need to force AXFR of
 	 * slave zones whose master files are missing.
 	 */
 	CHECK(dns_zonemgr_forcemaint(server->zonemgr));
  cleanup:
 	isc_task_endexclusive(server->task);
 	return (result);
+}
 @@ -4588,26 +4663,32 @@ shutdown_server(isc_task_t *task, isc_ev
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
 		      ISC_LOG_INFO, "shutting down%s",
 		      flush ? ": flushing changes" : "");
 	ns_statschannels_shutdown(server);
 	ns_controls_shutdown(server->controls);
 	end_reserved_dispatches(server, ISC_TRUE);
 	cleanup_session_key(server, server->mctx);
 	cfg_obj_destroy(ns_g_parser, &ns_g_config);
 	cfg_parser_destroy(&ns_g_parser);
 	if (nzf_config) {
 		cfg_aclconfctx_destroy(&nzf_actx);
 		cfg_obj_destroy(nzf_parser, &nzf_config);
 		cfg_parser_destroy(&nzf_parser);
+	}
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = view_next) {
 		view_next = ISC_LIST_NEXT(view, link);
 		ISC_LIST_UNLINK(server->viewlist, view, link);
 		if (flush)
 			dns_view_flushanddetach(&view);
 		else
 			dns_view_detach(&view);
+	}
 	while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
 		ISC_LIST_UNLINK(server->cachelist, nsc, link);
 @@ -4730,32 +4811,35 @@ ns_server_create(isc_mem_t *mctx, ns_ser
 	server->zonestats = NULL;
 	server->resolverstats = NULL;
 	server->sockstats = NULL;
 	CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
 				    isc_sockstatscounter_max),
 		   "isc_stats_create");
 	isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
 	server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
 	CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
 						  ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 	server->managedkeys = ISC_FALSE;
 	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 	server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
 	CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
 						  ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 	server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
 	CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
 	server->hostname_set = ISC_FALSE;
 	server->hostname = NULL;
 	server->version_set = ISC_FALSE;
 	server->version = NULL;
 	server->server_usehostname = ISC_FALSE;
 	server->server_id = NULL;
 	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
 				    dns_nsstatscounter_max),
 @@ -4806,26 +4890,27 @@ ns_server_destroy(ns_server_t **serverp)
 	ns_controls_destroy(&server->controls);
 	isc_stats_detach(&server->nsstats);
 	dns_stats_detach(&server->rcvquerystats);
 	dns_stats_detach(&server->opcodestats);
 	isc_stats_detach(&server->zonestats);
 	isc_stats_detach(&server->resolverstats);
 	isc_stats_detach(&server->sockstats);
 	isc_mem_free(server->mctx, server->statsfile);
 	isc_mem_free(server->mctx, server->bindkeysfile);
 	isc_mem_free(server->mctx, server->dumpfile);
 	isc_mem_free(server->mctx, server->secrootsfile);
 	isc_mem_free(server->mctx, server->recfile);
 	if (server->version != NULL)
 		isc_mem_free(server->mctx, server->version);
 	if (server->hostname != NULL)
 		isc_mem_free(server->mctx, server->hostname);
 	if (server->server_id != NULL)
 		isc_mem_free(server->mctx, server->server_id);
 	dns_zonemgr_detach(&server->zonemgr);
 	if (server->tkeyctx != NULL)
 		dns_tkeyctx_destroy(&server->tkeyctx);
 @@ -5057,50 +5142,54 @@ next_token(char **stringp, const char *d
 		res = strsep(stringp, delim);
 		if (res == NULL)
 			break;
 	} while (*res == '\0');
 	return (res);
+}
 /*
  * Find the zone specified in the control channel command 'args',
  * if any.  If a zone is specified, point '*zonep' at it, otherwise
  * set '*zonep' to NULL.
  */
 static isc_result_t
-zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
+zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
 	       const char **zonename)
+{
 	char *input, *ptr;
 	const char *zonetxt;
 	char *classtxt;
 	const char *viewtxt = NULL;
 	dns_fixedname_t name;
 	isc_result_t result;
 	isc_buffer_t buf;
 	dns_view_t *view = NULL;
 	dns_rdataclass_t rdclass;
 	REQUIRE(zonep != NULL && *zonep == NULL);
 	input = args;
 	/* Skip the command name. */
 	ptr = next_token(&input, " \t");
 	if (ptr == NULL)
 		return (ISC_R_UNEXPECTEDEND);
 	/* Look for the zone name. */
 	zonetxt = next_token(&input, " \t");
 	if (zonetxt == NULL)
 		return (ISC_R_SUCCESS);
 	if (zonename)
 		*zonename = zonetxt;
 	/* Look for the optional class name. */
 	classtxt = next_token(&input, " \t");
 	if (classtxt != NULL) {
 		/* Look for the optional view name. */
 		viewtxt = next_token(&input, " \t");
+	}
 	isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
 	isc_buffer_add(&buf, strlen(zonetxt));
 	dns_fixedname_init(&name);
 	result = dns_name_fromtext(dns_fixedname_name(&name),
 				   &buf, dns_rootname, 0, NULL);
 @@ -5126,64 +5215,66 @@ zone_from_args(ns_server_t *server, char
 		result = dns_viewlist_find(&server->viewlist, viewtxt,
 					   rdclass, &view);
 		if (result != ISC_R_SUCCESS)
 			goto fail1;
 		result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
 , NULL, zonep);
 		dns_view_detach(&view);
+	}
 	/* Partial match? */
 	if (result != ISC_R_SUCCESS && *zonep != NULL)
 		dns_zone_detach(zonep);
 	if (result == DNS_R_PARTIALMATCH)
 		result = ISC_R_NOTFOUND;
  fail1:
 	return (result);
+}
 /*
  * Act on a "retransfer" command from the command channel.
  */
 isc_result_t
 ns_server_retransfercommand(ns_server_t *server, char *args) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
 		return (ISC_R_UNEXPECTEDEND);
 	type = dns_zone_gettype(zone);
 	if (type == dns_zone_slave || type == dns_zone_stub)
 		dns_zone_forcereload(zone);
 	else
 		result = ISC_R_NOTFOUND;
 	dns_zone_detach(&zone);
 	return (result);
+}
 /*
  * Act on a "reload" command from the command channel.
  */
 isc_result_t
 ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
 	const char *msg = NULL;
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
 		result = reload(server);
 		if (result == ISC_R_SUCCESS)
 			msg = "server reload successful";
 	} else {
 		type = dns_zone_gettype(zone);
 		if (type == dns_zone_slave || type == dns_zone_stub) {
 			dns_zone_refresh(zone);
 			dns_zone_detach(&zone);
 			msg = "zone refresh queued";
 		} else {
 @@ -5223,52 +5314,52 @@ ns_server_reconfigcommand(ns_server_t *s
 	reconfig(server);
 	return (ISC_R_SUCCESS);
+}
 /*
  * Act on a "notify" command from the command channel.
  */
 isc_result_t
 ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	const unsigned char msg[] = "zone notify queued";
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
 		return (ISC_R_UNEXPECTEDEND);
 	dns_zone_notify(zone);
 	dns_zone_detach(&zone);
 	if (sizeof(msg) <= isc_buffer_availablelength(text))
 		isc_buffer_putmem(text, msg, sizeof(msg));
 	return (ISC_R_SUCCESS);
+}
 /*
  * Act on a "refresh" command from the command channel.
  */
 isc_result_t
 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	const unsigned char msg1[] = "zone refresh queued";
 	const unsigned char msg2[] = "not a slave or stub zone";
 	dns_zonetype_t type;
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
 		return (ISC_R_UNEXPECTEDEND);
 	type = dns_zone_gettype(zone);
 	if (type == dns_zone_slave || type == dns_zone_stub) {
 		dns_zone_refresh(zone);
 		dns_zone_detach(&zone);
 		if (sizeof(msg1) <= isc_buffer_availablelength(text))
 			isc_buffer_putmem(text, msg1, sizeof(msg1));
 		return (ISC_R_SUCCESS);
+	}
 @@ -5521,26 +5612,28 @@ dumpdone(void *arg, isc_result_t result)
 							    dumpdone, dctx,
 							    &dctx->mdctx);
 			if (result == DNS_R_CONTINUE)
 				return;
 			if (result == ISC_R_NOTIMPLEMENTED)
 				fprintf(dctx->fp, "; %s\n",
 					dns_result_totext(result));
 			else if (result != ISC_R_SUCCESS)
 				goto cleanup;
+		}
+	}
 	if (dctx->cache != NULL) {
 		dns_adb_dump(dctx->view->view->adb, dctx->fp);
 		dns_resolver_printbadcache(dctx->view->view->resolver,
 					   dctx->fp);
 		dns_db_detach(&dctx->cache);
+	}
 	if (dctx->dumpzones) {
 		style = &dns_master_style_full;
  nextzone:
 		if (dctx->version != NULL)
 			dns_db_closeversion(dctx->db, &dctx->version,
 					    ISC_FALSE);
 		if (dctx->db != NULL)
 			dns_db_detach(&dctx->db);
 		if (dctx->zone == NULL)
 			dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
 		else
 @@ -5663,26 +5756,88 @@ ns_server_dumpdb(ns_server_t *server, ch
 		if (ptr != NULL)
 			goto nextview;
+	}
 	dumpdone(dctx, ISC_R_SUCCESS);
 	return (ISC_R_SUCCESS);
  cleanup:
 	if (dctx != NULL)
 		dumpcontext_destroy(dctx);
 	return (result);
+}
 isc_result_t
 ns_server_dumpsecroots(ns_server_t *server, char *args) {
 	dns_view_t *view;
 	dns_keytable_t *secroots = NULL;
 	isc_result_t result;
 	char *ptr;
 	FILE *fp = NULL;
 	isc_time_t now;
 	char tbuf[64];
 	/* Skip the command name. */
 	ptr = next_token(&args, " \t");
 	if (ptr == NULL)
 		return (ISC_R_UNEXPECTEDEND);
 	ptr = next_token(&args, " \t");
 	CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
 		"could not open secroots dump file", server->secrootsfile);
 	TIME_NOW(&now);
 	isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
 	fprintf(fp, "%s\n", tbuf);
  nextview:
 	for (view = ISC_LIST_HEAD(server->viewlist);
 	     view != NULL;
 	     view = ISC_LIST_NEXT(view, link))
+	{
 		if (ptr != NULL && strcmp(view->name, ptr) != 0)
 			continue;
 		if (secroots != NULL)
 			dns_keytable_detach(&secroots);
 		result = dns_view_getsecroots(view, &secroots);
 		if (result == ISC_R_NOTFOUND) {
 			result = ISC_R_SUCCESS;
 			continue;
+		}
 		fprintf(fp, "\n Start view %s\n\n", view->name);
 		CHECK(dns_keytable_dump(secroots, fp));
+	}
 	if (ptr != NULL) {
 		ptr = next_token(&args, " \t");
 		if (ptr != NULL)
 			goto nextview;
+	}
  cleanup:
 	if (secroots != NULL)
 		dns_keytable_detach(&secroots);
 	if (fp != NULL)
 		(void)isc_stdio_close(fp);
 	if (result == ISC_R_SUCCESS)
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 			      "dumpsecroots complete");
 	else
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "dumpsecroots failed: %s",
 			      dns_result_totext(result));
 	return (result);
+}
 isc_result_t
 ns_server_dumprecursing(ns_server_t *server) {
 	FILE *fp = NULL;
 	isc_result_t result;
 	CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
 		"could not open dump file", server->recfile);
 	fprintf(fp,";\n; Recursing Queries\n;\n");
 	ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
 	fprintf(fp, "; Dump complete\n");
  cleanup:
 	if (fp != NULL)
 		result = isc_stdio_close(fp);
 @@ -6145,30 +6300,28 @@ ns_server_tsigdelete(ns_server_t *server
 			RWUNLOCK(&view->dynamickeys->lock,
 				 isc_rwlocktype_write);
 			if (result != ISC_R_SUCCESS) {
 				isc_task_endexclusive(server->task);
 				return (result);
+			}
+		}
+	}
 	isc_task_endexclusive(server->task);
 	n = snprintf((char *)isc_buffer_used(text),
 		     isc_buffer_availablelength(text),
 		     "%d tsig keys deleted.\n", foundkeys);
-	if (n >= isc_buffer_availablelength(text)) {
+	if (n >= isc_buffer_availablelength(text))
 		isc_task_endexclusive(server->task);
 		return (ISC_R_NOSPACE);
 	isc_buffer_add(text, n);
 	return (ISC_R_SUCCESS);
+}
 static isc_result_t
 list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
 	     unsigned int *foundkeys)
+{
 	char namestr[DNS_NAME_FORMATSIZE];
 	char creatorstr[DNS_NAME_FORMATSIZE];
 	isc_result_t result;
 	dns_rbtnodechain_t chain;
 @@ -6264,87 +6417,85 @@ ns_server_tsiglist(ns_server_t *server,
 				       &foundkeys);
 		RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
 		if (result != ISC_R_SUCCESS) {
 			isc_task_endexclusive(server->task);
 			return (result);
+		}
+	}
 	isc_task_endexclusive(server->task);
 	if (foundkeys == 0) {
 		n = snprintf((char *)isc_buffer_used(text),
 			     isc_buffer_availablelength(text),
 			     "no tsig keys found.\n");
-		if (n >= isc_buffer_availablelength(text)) {
+		if (n >= isc_buffer_availablelength(text))
 			isc_task_endexclusive(server->task);
 			return (ISC_R_NOSPACE);
 		isc_buffer_add(text, n);
+	}
 	return (ISC_R_SUCCESS);
+}
 /*
  * Act on a "sign" command from the command channel.
  */
 isc_result_t
 ns_server_sign(ns_server_t *server, char *args) {
 	isc_result_t result;
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
 	isc_uint16_t keyopts;
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
 		return (ISC_R_UNEXPECTEDEND);   /* XXX: or do all zones? */
 	type = dns_zone_gettype(zone);
 	if (type != dns_zone_master) {
 		dns_zone_detach(&zone);
 		return (DNS_R_NOTMASTER);
+	}
 	keyopts = dns_zone_getkeyopts(zone);
 	if ((keyopts & DNS_ZONEKEY_ALLOW) != 0)
-		result = dns_zone_rekey(zone);
+		dns_zone_rekey(zone);
 	else
 		result = ISC_R_NOPERM;
 	dns_zone_detach(&zone);
 	return (result);
+}
 /*
  * Act on a "freeze" or "thaw" command from the command channel.
  */
 isc_result_t
 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
 		 isc_buffer_t *text)
+{
 	isc_result_t result, tresult;
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;
 	char classstr[DNS_RDATACLASS_FORMATSIZE];
 	char zonename[DNS_NAME_FORMATSIZE];
 	dns_view_t *view;
 	char *journal;
 	const char *vname, *sep;
 	isc_boolean_t frozen;
 	const char *msg = NULL;
-	result = zone_from_args(server, args, &zone);
+	result = zone_from_args(server, args, &zone, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
 		result = isc_task_beginexclusive(server->task);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		tresult = ISC_R_SUCCESS;
 		for (view = ISC_LIST_HEAD(server->viewlist);
 		     view != NULL;
 		     view = ISC_LIST_NEXT(view, link)) {
 			result = dns_view_freezezones(view, freeze);
 			if (result != ISC_R_SUCCESS &&
 			    tresult == ISC_R_SUCCESS)
 				tresult = result;
 @@ -6353,26 +6504,28 @@ ns_server_freeze(ns_server_t *server, is
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 			      "%s all zones: %s",
 			      freeze ? "freezing" : "thawing",
 			      isc_result_totext(tresult));
 		return (tresult);
+	}
 	type = dns_zone_gettype(zone);
 	if (type != dns_zone_master) {
 		dns_zone_detach(&zone);
 		return (DNS_R_NOTMASTER);
+	}
 	result = isc_task_beginexclusive(server->task);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	frozen = dns_zone_getupdatedisabled(zone);
 	if (freeze) {
 		if (frozen) {
 			msg = "WARNING: The zone was already frozen.\n"
 			      "Someone else may be editing it or "
 			      "it may still be re-loading.";
 			result = DNS_R_FROZEN;
+		}
 		if (result == ISC_R_SUCCESS) {
 			result = dns_zone_flush(zone);
 			if (result != ISC_R_SUCCESS)
 				msg = "Flushing the zone updates to "
 				      "disk failed.";
 @@ -6392,35 +6545,35 @@ ns_server_freeze(ns_server_t *server, is
 			case DNS_R_UPTODATE:
 				msg = "The zone reload and thaw was "
 				      "successful.";
 				result = ISC_R_SUCCESS;
 				break;
 			case DNS_R_CONTINUE:
 				msg = "A zone reload and thaw was started.\n"
 				      "Check the logs to see the result.";
 				result = ISC_R_SUCCESS;
 				break;
+			}
+		}
+	}
 	isc_task_endexclusive(server->task);
 	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
 		isc_buffer_putmem(text, (const unsigned char *)msg,
 				  strlen(msg) + 1);
 	view = dns_zone_getview(zone);
 	if (strcmp(view->name, "_default") == 0 ||
-	    strcmp(view->name, "_bind") == 0 ||
+	    strcmp(view->name, "_bind") == 0)
 	    strcmp(view->name, "_meta"))
+	{
 		vname = "";
 		sep = "";
 	} else {
 		vname = view->name;
 		sep = " ";
+	}
 	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
 			      sizeof(classstr));
 	dns_name_format(dns_zone_getorigin(zone),
 			zonename, sizeof(zonename));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 @@ -6440,13 +6593,516 @@ ns_server_freeze(ns_server_t *server, is
 isc_result_t
 ns_smf_add_message(isc_buffer_t *text) {
 	unsigned int n;
 	n = snprintf((char *)isc_buffer_used(text),
 		isc_buffer_availablelength(text),
 		"use svcadm(1M) to manage named");
 	if (n >= isc_buffer_availablelength(text))
 		return (ISC_R_NOSPACE);
 	isc_buffer_add(text, n);
 	return (ISC_R_SUCCESS);
+}
 #endif /* HAVE_LIBSCF */
 /*
  * Act on an "addzone" command from the command channel.
  */
 isc_result_t
 ns_server_add_zone(ns_server_t *server, char *args) {
 	isc_result_t	     result;
 	isc_buffer_t	     argbuf;
 	size_t		     arglen, len;
 	cfg_parser_t	    *parser = NULL;
 	cfg_obj_t	    *config = NULL;
 	const cfg_obj_t     *vconfig = NULL;
 	const cfg_obj_t     *views = NULL;
 	const cfg_listelt_t *element;
 	const cfg_obj_t     *parms = NULL;
 	const cfg_obj_t     *obj = NULL;
 	const char	    *zonename;
 	const char	    *classname = NULL;
 	const char	    *argp;
 	const char	    *viewname = NULL;
 	dns_rdataclass_t     rdclass;
 	dns_view_t	    *view = 0;
 	isc_buffer_t	     buf, *nbuf = NULL;
 	dns_name_t	     dnsname;
 	const char	    *filename = 0;
 	const char	    *filepart = NULL;
 	char		     fnamebuf[512];
 	struct stat	     sb;
 	dns_zone_t	    *zone = NULL;
 	FILE		    *fp = NULL;
 	/* Are we accepting new zones? */
 	if (nzf_option == NULL)
 		return (ISC_R_FAILURE);
 	/* Try to parse the argument string */
 	arglen = strlen(args);
 	isc_buffer_init(&argbuf, args, arglen);
 	isc_buffer_add(&argbuf, strlen(args));
 	CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
 	CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
 			       &config));
 	CHECK(cfg_map_get(config, "addzone", &parms));
 	zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
 	isc_buffer_init(&buf, zonename, strlen(zonename));
 	isc_buffer_add(&buf, strlen(zonename));
 	dns_name_init(&dnsname, NULL);
 	isc_buffer_allocate(server->mctx, &nbuf, 256);
 	dns_name_setbuffer(&dnsname, nbuf);
 	CHECK(dns_name_fromtext(&dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
 	/*
 	 * If new-zone-file indicates a directory rather than a file,
 	 * then "filepart" is the filename in the directory in which to
 	 * write the zone configuration text.
 	 */
 	obj = cfg_tuple_get(parms, "filepart");
 	if (obj && cfg_obj_isstring(obj))
 		filepart = cfg_obj_asstring(obj);
 	if (filepart != NULL && *filepart != '\0') {
 		/* No hidden fles or full paths */
 		if (*filepart == '.' ||
 #ifdef WIN32
 		    *filepart == '\\' ||
 #endif
 		    *filepart == '/')
+		{
 			result = ISC_R_INVALIDFILE;
 			goto cleanup;
+		}
 		/* No crawling up the directory tree */
 		if (strstr(filepart, "..") != NULL) {
 			result = ISC_R_INVALIDFILE;
 			goto cleanup;
+		}
+	}
 	/* Make sense of optional class argument */
 	obj = cfg_tuple_get(parms, "class");
 	CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
 	if (rdclass != dns_rdataclass_in && obj)
 		classname = cfg_obj_asstring(obj);
 	/* Make sense of optional view argument */
 	obj = cfg_tuple_get(parms, "view");
 	if (obj && cfg_obj_isstring(obj))
 		viewname = cfg_obj_asstring(obj);
 	if (viewname == NULL || *viewname == '\0')
 		viewname = "_default";
 	CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
 	/* Zone shouldn't already exist */
 	result = dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone);
 	if (result == ISC_R_SUCCESS) {
 		result = ISC_R_EXISTS;
 		goto cleanup;
 	} else if (result == DNS_R_PARTIALMATCH) {
 		/* Create our sub-zone anyway */
 		dns_zone_detach(&zone);
 		zone = NULL;
+	}
 	else if (result != ISC_R_NOTFOUND)
 		goto cleanup;
 	/* Find configuration for this view */
 	(void)cfg_map_get(nzf_config, "view", &views);
 	for (element = cfg_list_first(views);
 	     element != NULL;
 	     element = cfg_list_next(element))
+	{
 		const char *vname;
 		vconfig = cfg_listelt_value(element);
 		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		if (vname && !strcasecmp(vname, viewname)) {
 			/* What is save file for this view? */
 			if (vconfig != NULL) {
 				const cfg_obj_t *voptions;
 				voptions = cfg_tuple_get(vconfig, "options");
 				if (voptions) {
 					obj = NULL;
 					result = cfg_map_get(voptions,
 							     "new-zone-file",
 							     &obj);
 					if (result == ISC_R_SUCCESS)
 						filename =
 							cfg_obj_asstring(obj);
+				}
+			}
 			break;
+		}
 		vconfig = NULL;
+	}
 	/* Can we add and remove zones in this view? */
 	if (filename == NULL || *filename == '\0')
 		filename = nzf_file;
 	if (filename == NULL || *filename == '\0') {
 		/* No adding zones in this view */
 		result = ISC_R_FAILURE;
 		goto cleanup;
+	}
 	/* Possibly contruct a full path */
 	if (filepart != NULL && *filepart != '\0') {
 		snprintf(fnamebuf, 512, "%s/%s", filename, filepart);
 		filename = fnamebuf;
+	}
 	/* Path must be an existing file */
 	if (stat(filename, &sb) < 0) {
 		result = ISC_R_FILENOTFOUND;
 		goto cleanup;
+	}
 	if (!S_ISREG(sb.st_mode)) {
 		result = ISC_R_FILENOTFOUND;
 		goto cleanup;
+	}
 	/* Mark zone unfrozen so that zone can be added. */
 	dns_view_thaw(view);
 	result = configure_zone(nzf_option, parms, vconfig,
 		server->mctx, view, &nzf_actx);
 	dns_view_freeze(view);
 	if (result != ISC_R_SUCCESS) {
 		goto cleanup;
+	}
 	/* Is it there yet? */
 	CHECK(dns_zt_find(view->zonetable, &dnsname, 0, NULL, &zone));
 	/*
 	 * Load the zone from the master file.  If this fails, we'll
 	 * need to undo the configuration we've done already.
 	 */
 	result = dns_zone_loadnew(zone);
 	if (result != ISC_R_SUCCESS) {
 		dns_db_t *dbp = NULL;
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 			      "addzone failed; reverting.");
 		/* If the zone loaded partially, unload it */
 		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
 			dns_db_detach(&dbp);
 			dns_zone_unload(zone);
+		}
 		/* Remove the zone from the zone table */
 		dns_zt_unmount(view->zonetable, zone);
 		goto cleanup;
+	}
 	/* Write zone configuration out to our save file */
 	CHECK(isc_stdio_open(filename, "a", &fp));
 	/* Emit just the zone name from args */
 	CHECK(isc_stdio_write("zone ", 5, 1, fp, &len));
 	CHECK(isc_stdio_write(zonename, strlen(zonename), 1, fp, &len));
 	CHECK(isc_stdio_write(" ", 1, 1, fp, &len));
 	/* Classname, if not default */
 	if (classname != NULL && *classname != '\0') {
 		CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
 				      &len));
 		CHECK(isc_stdio_write(" ", 1, 1, fp, &len));
+	}
 	/* Find beginning of option block from args */
 	for (argp = args; *argp; argp++, arglen--) {
 		if (*argp == '{') {	/* Assume matching '}' */
 			/* Add that to our file */
 			CHECK(isc_stdio_write(argp, arglen, 1, fp, &len));
 			/* Make sure we end with a LF */
 			if (argp[arglen-1] != '\n') {
 				CHECK(isc_stdio_write("\n", 1, 1, fp, &len));
+			}
 			break;
+		}
+	}
 	CHECK(isc_stdio_close(fp));
 	fp = NULL;
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 				  "zone %s added to view %s via addzone",
 				  zonename, viewname);
 	result = ISC_R_SUCCESS;
  cleanup:
 	if (fp != NULL)
 		isc_stdio_close(fp);
 	if (parser != NULL) {
 		if (config != NULL)
 			cfg_obj_destroy(parser, &config);
 		cfg_parser_destroy(&parser);
+	}
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 	if (view != NULL)
 		dns_view_detach(&view);
 	if (nbuf != NULL)
 		isc_buffer_free(&nbuf);
 	return (result);
+}
 /*
  * Pull an optional quoted filepart out of an arglist, shuffling memory
  * so we can hand it off to zone_from_args() later
  */
 static char *
 extract_optional_qstring(char **args) {
 	char  *p = *args;
 	char  *str, *d;
 	char   quote;
 	/* Skip past the command name */
 	while (isspace((unsigned char)*p))
 		p++;
 	while (*p && !isspace((unsigned char)*p))
 		p++;
 	/* Look for an open quote */
 	while (isspace((unsigned char)*p))
 		p++;
 	if (*p != '\'' && *p !=  '"')
 		return (NULL);
 	/* Move that string to the front of the buf */
 	quote = *p++;
 	str = d = *args;
 	while (*p && *p != quote)
 		*d++ = *p++;
 	if (!*p)
 		return (NULL);  /* No matching close quote */
 	/* End that string */
 	*d++ = 0;
 	*args = d;
 	/* A bogus command name to placate zone_from_args() */
 	*d++ = 'X';
 	/* Cover over any remainder with spaces */
 	while (d <= p)
 		*d++ = ' ';
 	return (str);
+}
 /*
  * Act on a "delzone" command from the command channel.
  */
 isc_result_t
 ns_server_del_zone(ns_server_t *server, char *args) {
 	isc_result_t	       result;
 	dns_zone_t	      *zone = NULL;
 	dns_view_t	      *view = NULL;
 	const cfg_obj_t       *views = NULL;
 	const cfg_obj_t       *obj = NULL;
 	const cfg_obj_t       *vconfig = NULL;
 	dns_db_t	      *dbp = NULL;
 	const char	      *filename = NULL;
 	char		      *filepart = NULL;
 	char		       fnamebuf[512];
 	char		      *tmpname = NULL;
 	const cfg_listelt_t   *element;
 	char		       buf[1024];
 	const char	      *zonename = NULL;
 	size_t		       znamelen = 0;
 	FILE		      *ifp = NULL, *ofp = NULL;
 	/* Only accept removes if we're accepting adds */
 	if (nzf_option == NULL)
 		return (ISC_R_FAILURE);
 	/* Possibly a filename in quotes */
 	filepart = extract_optional_qstring(&args);
 	if (filepart != NULL && *filepart != '\0') {
 		/* No hidden fles or full paths */
 		if (*filepart == '.' ||
 #ifdef WIN32
 		    *filepart == '\\' ||
 #endif
 		    *filepart == '/')
+		{
 			result = ISC_R_INVALIDFILE;
 			goto cleanup;
+		}
 		/* No crawling up the directory tree */
 		if (strstr(filepart, "..") != NULL) {
 			result = ISC_R_INVALIDFILE;
 			goto cleanup;
+		}
+	}
 	/* Make sense of rest of params */
 	CHECK(zone_from_args(server, args, &zone, &zonename));
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
 		result = ISC_R_UNEXPECTEDEND;
 		goto cleanup;
+	}
 	if (zonename != NULL && *zonename != '\0')
 		znamelen = strlen(zonename);
 	/* Dig out configuration for this zone */
 	view = dns_zone_getview(zone);
 	(void)cfg_map_get(nzf_config, "view", &views);
 	for (element = cfg_list_first(views);
 	     element != NULL;
 	     element = cfg_list_next(element))
+	{
 		const char *vname;
 		vconfig = cfg_listelt_value(element);
 		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
 		if (vname != NULL && !strcasecmp(vname, view->name)) {
 			/* What is save file for this view? */
 			if (vconfig != NULL) {
 				const cfg_obj_t *voptions;
 				voptions = cfg_tuple_get(vconfig, "options");
 				if (voptions != NULL) {
 					obj = NULL;
 					result = cfg_map_get(voptions,
 							     "new-zone-file",
 							     &obj);
 					if (result == ISC_R_SUCCESS)
 						filename =
 							cfg_obj_asstring(obj);
+				}
+			}
 			break;
+		}
 		vconfig = NULL;
+	}
 	/* Can we add and remove zones in this view? */
 	if (filename == NULL || *filename == '\0')
 		filename = nzf_file;
 	if (filename == NULL || *filename == '\0') {
 		/* No adding zones in this view */
 		result = ISC_R_FAILURE;
 		goto cleanup;
+	}
 	/* Possibly contruct a full path */
 	if (filepart != NULL && *filepart != '\0') {
 		snprintf(fnamebuf, 512, "%s/%s", filename, filepart);
 		filename = fnamebuf;
+	}
 	/* Rewrite zone list */
 	result = isc_stdio_open(filename, "r", &ifp);
 	if (ifp != NULL && result == ISC_R_SUCCESS) {
 		char *found = NULL, *p;
 		size_t n;
 		/* Create a temporary file */
 		CHECK(isc_string_printf(buf, 1023, "%s.%d", filename,
 					getpid()));
 		if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
 			result = ISC_R_NOMEMORY;
 			goto cleanup;
+		}
 		CHECK(isc_stdio_open(tmpname, "w", &ofp));
 		/* Look for the entry for that zone */
 		while (fgets(buf, 1024, ifp)) {
 			/* A 'zone' line */
 			if (strncasecmp(buf, "zone", 4)) {
 				fputs(buf, ofp);
 				continue;
+			}
 			p = buf+4;
 			/* Locate a name */
 			while (*p &&
 			       ((*p == '"') || isspace((unsigned char)*p)))
 				p++;
 			/* Is that the zone we're looking for */
 			if (strncasecmp(p, zonename, znamelen)) {
 				fputs(buf, ofp);
 				continue;
+			}
 			/* And nothing else? */
 			p += znamelen;
 			if (isspace((unsigned char)*p) ||
 			    *p == '"' || *p == '{') {
 				/* This must be the entry */
 				found = p;
 				break;
+			}
 			/* Spit it out, keep looking */
 			fputs(buf, ofp);
+		}
 		/* Skip over an option block (matching # of braces) */
 		if (found) {
 			int obrace = 0, cbrace = 0;
 			while (1) {
 				while (*p) {
 					if (*p == '{') obrace++;
 					if (*p == '}') cbrace++;
 					p++;
+				}
 				if (obrace && (obrace == cbrace))
 					break;
 				if (!fgets(buf, 1024, ifp))
 					break;
 				p = buf;
+			}
+		}
 		/* Just spool the remainder of the file out */
 		while ((n = fread(buf, 1, 1024, ifp)) > 0U)
 			fwrite(buf, 1, n, ofp);
 		/* Move temporary into place */
 		CHECK(isc_file_rename(tmpname, filename));
+	}
 	/* Stop answering for this zone */
 	if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
 		dns_db_detach(&dbp);
 		dns_zone_unload(zone);
+	}
 	CHECK(dns_zt_unmount(view->zonetable, zone));
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
 				  "zone %s removed via delzone", zonename);
 	result = ISC_R_SUCCESS;
  cleanup:
 	if (ifp != NULL)
 		isc_stdio_close(ifp);
 	if (ofp != NULL) {
 		isc_stdio_close(ofp);
 		isc_file_remove(tmpname);
+	}
 	if (tmpname != NULL)
 		isc_mem_free(server->mctx, tmpname);
 	if (zone != NULL)
 		dns_zone_detach(&zone);
 	return (result);
+}

--- src/external/bsd/bind/dist/lib/dns/Attic/keytable.c 2009/12/26 23:08:22	1.3
+++ src/external/bsd/bind/dist/lib/dns/Attic/keytable.c 2010/08/06 10:58:11	1.4

 @@ -1,33 +1,33 @@
-/*	$NetBSD: keytable.c,v 1.3 2009/12/26 23:08:22 christos Exp $	*/
+/*	$NetBSD: keytable.c,v 1.4 2010/08/06 10:58:11 christos Exp $	*/
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: keytable.c,v 1.39 2009/12/03 15:40:02 each Exp */
+/* Id: keytable.c,v 1.39.4.2 2010/06/25 23:46:33 tbox Exp */
 /*! \file */
 #include <config.h>
 #include <isc/mem.h>
 #include <isc/rwlock.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 #include <dns/keytable.h>
 #include <dns/fixedname.h>
 #include <dns/rbt.h>
 @@ -545,26 +545,64 @@ dns_keytable_issecuredomain(dns_keytable
 		INSIST(data != NULL);
 		*wantdnssecp = ISC_TRUE;
 		result = ISC_R_SUCCESS;
 	} else if (result == ISC_R_NOTFOUND) {
 		*wantdnssecp = ISC_FALSE;
 		result = ISC_R_SUCCESS;
+	}
 	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
 	return (result);
+}
 isc_result_t
 dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
+{
 	isc_result_t result;
 	dns_keynode_t *knode;
 	dns_rbtnode_t *node;
 	dns_rbtnodechain_t chain;
 	REQUIRE(VALID_KEYTABLE(keytable));
 	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
 	dns_rbtnodechain_init(&chain, keytable->mctx);
 	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
 	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 		goto cleanup;
 	for (;;) {
 		char pbuf[DST_KEY_FORMATSIZE];
 		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
 		for (knode = node->data; knode != NULL; knode = knode->next) {
 			dst_key_format(knode->key, pbuf, sizeof(pbuf));
 			fprintf(fp, "%s ; %s\n", pbuf,
 				knode->managed ? "managed" : "trusted");
+		}
 		result = dns_rbtnodechain_next(&chain, NULL, NULL);
 		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
 			if (result == ISC_R_NOMORE)
 				result = ISC_R_SUCCESS;
 			break;
+		}
+	}
    cleanup:
 	dns_rbtnodechain_invalidate(&chain);
 	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
 	return (result);
+}
 dst_key_t *
 dns_keynode_key(dns_keynode_t *keynode) {
 	/*
 	 * Get the DST key associated with keynode.
 	 */
 	REQUIRE(VALID_KEYNODE(keynode));
 	return (keynode->key);
+}
 isc_boolean_t

--- src/external/bsd/bind/dist/lib/dns/Attic/message.c 2009/12/26 23:08:22	1.4
+++ src/external/bsd/bind/dist/lib/dns/Attic/message.c 2010/08/06 10:58:12	1.5

 @@ -1,33 +1,33 @@
-/*	$NetBSD: message.c,v 1.4 2009/12/26 23:08:22 christos Exp $	*/
+/*	$NetBSD: message.c,v 1.5 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: message.c,v 1.249 2009/11/24 03:20:02 marka Exp */
+/* Id: message.c,v 1.249.10.4 2010/06/03 05:27:59 marka Exp */
 /*! \file */
 /***
  *** Imports
  ***/
 #include <config.h>
 #include <ctype.h>
 #include <isc/buffer.h>
 #include <isc/mem.h>
 #include <isc/print.h>
 @@ -1523,26 +1523,28 @@ getsection(isc_buffer_t *source, dns_mes
 		 * If this is an SIG(0) or TSIG record, remember it.  Note
 		 * that msg->sig0 or msg->tsig will only be set if best-effort
 		 * parsing is enabled.
 		 */
 		if (issigzero && msg->sig0 == NULL) {
 			msg->sig0 = rdataset;
 			msg->sig0name = name;
 			rdataset = NULL;
 			free_rdataset = ISC_FALSE;
 			free_name = ISC_FALSE;
 		} else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
 			msg->tsig = rdataset;
 			msg->tsigname = name;
 			/* Windows doesn't like TSIG names to be compressed. */
 			msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
 			rdataset = NULL;
 			free_rdataset = ISC_FALSE;
 			free_name = ISC_FALSE;
+		}
 		if (seen_problem) {
 			if (free_name)
 				isc_mempool_put(msg->namepool, name);
 			if (free_rdataset)
 				isc_mempool_put(msg->rdspool, rdataset);
 			free_name = free_rdataset = ISC_FALSE;
+		}
 		INSIST(free_name == ISC_FALSE);
 @@ -2517,27 +2519,29 @@ dns_message_peekheader(isc_buffer_t *sou
 isc_result_t
 dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
 	unsigned int first_section;
 	isc_result_t result;
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE((msg->flags & DNS_MESSAGEFLAG_QR) == 0);
 	if (!msg->header_ok)
 		return (DNS_R_FORMERR);
 	if (msg->opcode != dns_opcode_query &&
 	    msg->opcode != dns_opcode_notify)
 		want_question_section = ISC_FALSE;
-	if (want_question_section) {
+	if (msg->opcode == dns_opcode_update)
 		first_section = DNS_SECTION_ADDITIONAL;
 	else if (want_question_section) {
 		if (!msg->question_ok)
 			return (DNS_R_FORMERR);
 		first_section = DNS_SECTION_ANSWER;
 	} else
 		first_section = DNS_SECTION_QUESTION;
 	msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
 	msgresetnames(msg, first_section);
 	msgresetopt(msg);
 	msgresetsigs(msg, ISC_TRUE);
 	msginitprivate(msg);
 	/*
 	 * We now clear most flags and then set QR, ensuring that the
 	 * reply's flags will be in a reasonable state.
 @@ -3194,80 +3198,85 @@ dns_message_pseudosectiontotext(dns_mess
 	case DNS_PSEUDOSECTION_OPT:
 		ps = dns_message_getopt(msg);
 		if (ps == NULL)
 			return (ISC_R_SUCCESS);
 		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
 			ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
 		ADD_STRING(target, "; EDNS: version: ");
 		snprintf(buf, sizeof(buf), "%u",
 			 (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
 		ADD_STRING(target, buf);
 		ADD_STRING(target, ", flags:");
 		if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
 			ADD_STRING(target, " do");
-		mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
+		mbz = ps->ttl & 0xffff;
 		mbz &= ~DNS_MESSAGEEXTFLAG_DO;		/* Known Flags. */
 		if (mbz != 0) {
 			ADD_STRING(target, "; MBZ: ");
 			snprintf(buf, sizeof(buf), "%.4x ", mbz);
 			ADD_STRING(target, buf);
 			ADD_STRING(target, ", udp: ");
 		} else
 			ADD_STRING(target, "; udp: ");
 		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
 		ADD_STRING(target, buf);
 		result = dns_rdataset_first(ps);
 		if (result != ISC_R_SUCCESS)
 			return (ISC_R_SUCCESS);
 		/* Print EDNS info, if any */
 		dns_rdata_init(&rdata);
 		dns_rdataset_current(ps, &rdata);
 		if (rdata.length < 4)
 			return (ISC_R_SUCCESS);
 		isc_buffer_init(&optbuf, rdata.data, rdata.length);
 		isc_buffer_add(&optbuf, rdata.length);
-		optcode = isc_buffer_getuint16(&optbuf);
+		while (isc_buffer_remaininglength(&optbuf) != 0) {
-		optlen = isc_buffer_getuint16(&optbuf);
+			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
 			optcode = isc_buffer_getuint16(&optbuf);
 			optlen = isc_buffer_getuint16(&optbuf);
 			INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
-		if (optcode == DNS_OPT_NSID) {
+			if (optcode == DNS_OPT_NSID) {
-			ADD_STRING(target, "; NSID");
+				ADD_STRING(target, "; NSID");
-		} else {
+			} else {
-			ADD_STRING(target, "; OPT=");
+				ADD_STRING(target, "; OPT=");
-			sprintf(buf, "%u", optcode);
+				sprintf(buf, "%u", optcode);
 			ADD_STRING(target, buf);
 		if (optlen != 0) {
 			int i;
 			ADD_STRING(target, ": ");
 			optdata = rdata.data + 4;
 			for (i = 0; i < optlen; i++) {
 				sprintf(buf, "%02x ", optdata[i]);
 				ADD_STRING(target, buf);
+			}
 			for (i = 0; i < optlen; i++) {
-				ADD_STRING(target, " (");
+			if (optlen != 0) {
-				if (isprint(optdata[i]))
+				int i;
-					isc_buffer_putmem(target, &optdata[i],
+				ADD_STRING(target, ": ");
 );
-				else
+				optdata = isc_buffer_current(&optbuf);
-					isc_buffer_putstr(target, ".");
+				for (i = 0; i < optlen; i++) {
-				ADD_STRING(target, ")");
+					sprintf(buf, "%02x ", optdata[i]);
 					ADD_STRING(target, buf);
+				}
 				for (i = 0; i < optlen; i++) {
 					ADD_STRING(target, " (");
 					if (isprint(optdata[i]))
 						isc_buffer_putmem(target,
 								  &optdata[i],
 );
 					else
 						isc_buffer_putstr(target, ".");
 					ADD_STRING(target, ")");
+				}
 				isc_buffer_forward(&optbuf, optlen);
+			}
 			ADD_STRING(target, "\n");
+		}
 		ADD_STRING(target, "\n");
 		return (ISC_R_SUCCESS);
 	case DNS_PSEUDOSECTION_TSIG:
 		ps = dns_message_gettsig(msg, &name);
 		if (ps == NULL)
 			return (ISC_R_SUCCESS);
 		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
 			ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
 		result = dns_master_rdatasettotext(name, ps, style, target);
 		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
 		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
 			ADD_STRING(target, "\n");
 		return (result);
 	case DNS_PSEUDOSECTION_SIG0:
 @@ -3297,41 +3306,46 @@ dns_message_totext(dns_message_t *msg, c
 	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0) {
 		ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
 		ADD_STRING(target, opcodetext[msg->opcode]);
 		ADD_STRING(target, ", status: ");
 		if (msg->rcode < (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
 			ADD_STRING(target, rcodetext[msg->rcode]);
 		} else {
 			snprintf(buf, sizeof(buf), "%4u", msg->rcode);
 			ADD_STRING(target, buf);
+		}
 		ADD_STRING(target, ", id: ");
 		snprintf(buf, sizeof(buf), "%6u", msg->id);
 		ADD_STRING(target, buf);
-		ADD_STRING(target, "\n;; flags: ");
+		ADD_STRING(target, "\n;; flags:");
 		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
-			ADD_STRING(target, "qr ");
+			ADD_STRING(target, " qr");
 		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
-			ADD_STRING(target, "aa ");
+			ADD_STRING(target, " aa");
 		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
-			ADD_STRING(target, "tc ");
+			ADD_STRING(target, " tc");
 		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
-			ADD_STRING(target, "rd ");
+			ADD_STRING(target, " rd");
 		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
-			ADD_STRING(target, "ra ");
+			ADD_STRING(target, " ra");
 		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
-			ADD_STRING(target, "ad ");
+			ADD_STRING(target, " ad");
 		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
-			ADD_STRING(target, "cd ");
+			ADD_STRING(target, " cd");
 		/*
 		 * The final unnamed flag must be zero.
 		 */
 		if ((msg->flags & 0x0040U) != 0)
 			ADD_STRING(target, "; MBZ: 0x4");
 		if (msg->opcode != dns_opcode_update) {
 			ADD_STRING(target, "; QUESTION: ");
 		} else {
 			ADD_STRING(target, "; ZONE: ");
+		}
 		snprintf(buf, sizeof(buf), "%1u",
 			 msg->counts[DNS_SECTION_QUESTION]);
 		ADD_STRING(target, buf);
 		if (msg->opcode != dns_opcode_update) {
 			ADD_STRING(target, ", ANSWER: ");
 		} else {
 			ADD_STRING(target, ", PREREQ: ");
+		}

--- src/external/bsd/bind/dist/lib/dns/Attic/rbtdb.c 2009/12/26 23:08:22	1.4
+++ src/external/bsd/bind/dist/lib/dns/Attic/rbtdb.c 2010/08/06 10:58:12	1.5

 @@ -1,33 +1,33 @@
-/*	$NetBSD: rbtdb.c,v 1.4 2009/12/26 23:08:22 christos Exp $	*/
+/*	$NetBSD: rbtdb.c,v 1.5 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: rbtdb.c,v 1.292 2009/11/26 23:48:14 tbox Exp */
+/* Id: rbtdb.c,v 1.292.8.9 2010/05/10 01:41:11 marka Exp */
 /*! \file */
 /*
  * Principal Author: Bob Halley
  */
 #include <config.h>
 /* #define inline */
 #include <isc/event.h>
 #include <isc/heap.h>
 @@ -514,41 +514,45 @@ static isc_result_t rdataset_putaddition
 					   dns_rdatasetadditional_t type,
 					   dns_rdatatype_t qtype);
 static inline isc_boolean_t need_headerupdate(rdatasetheader_t *header,
 					      isc_stdtime_t now);
 static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 			  isc_stdtime_t now);
 static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 			  isc_boolean_t tree_locked);
 static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
 			  isc_stdtime_t now, isc_boolean_t tree_locked);
 static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
 				  rdatasetheader_t *newheader);
 static void prune_tree(isc_task_t *task, isc_event_t *event);
 static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
 static void rdataset_expire(dns_rdataset_t *rdataset);
 static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_disassociate,
 	rdataset_first,
 	rdataset_next,
 	rdataset_current,
 	rdataset_clone,
 	rdataset_count,
 	NULL,
 	rdataset_getnoqname,
 	NULL,
 	rdataset_getclosest,
 	rdataset_getadditional,
 	rdataset_setadditional,
-	rdataset_putadditional
+	rdataset_putadditional,
 	rdataset_settrust,
 	rdataset_expire
 };
 static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
 static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
 static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
 static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
 				 dns_rdataset_t *rdataset);
 static dns_rdatasetitermethods_t rdatasetiter_methods = {
 	rdatasetiter_destroy,
 	rdatasetiter_first,
 	rdatasetiter_next,
 	rdatasetiter_current
 @@ -2098,26 +2102,54 @@ setnsec3parameters(dns_db_t *db, rbtdb_v
 				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG)
 					goto unlock;
+			}
+		}
+	}
  unlock:
 	NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
 		    isc_rwlocktype_read);
 	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+}
 #endif
 static void
 cleanup_dead_nodes_callback(isc_task_t *task, isc_event_t *event) {
 	dns_rbtdb_t *rbtdb = event->ev_arg;
 	isc_boolean_t again = ISC_FALSE;
 	unsigned int locknum;
 	unsigned int refs;
 	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 	for (locknum = 0; locknum < rbtdb->node_lock_count; locknum++) {
 		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
 			  isc_rwlocktype_write);
 		cleanup_dead_nodes(rbtdb, locknum);
 		if (ISC_LIST_HEAD(rbtdb->deadnodes[locknum]) != NULL)
 			again = ISC_TRUE;
 		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
 			    isc_rwlocktype_write);
+	}
 	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 	if (again)
 		isc_task_send(task, &event);
 	else {
 		isc_event_free(&event);
 		isc_refcount_decrement(&rbtdb->references, &refs);
 		if (refs == 0)
 			maybe_free_rbtdb(rbtdb);
+	}
+}
 static void
 closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	rbtdb_version_t *version, *cleanup_version, *least_greater;
 	isc_boolean_t rollback = ISC_FALSE;
 	rbtdb_changedlist_t cleanup_list;
 	rdatasetheaderlist_t resigned_list;
 	rbtdb_changed_t *changed, *next_changed;
 	rbtdb_serial_t serial, least_serial;
 	dns_rbtnode_t *rbtnode;
 	unsigned int refs;
 	rdatasetheader_t *header;
 	isc_boolean_t writer;
 @@ -2297,63 +2329,81 @@ closeversion(dns_db_t *db, dns_dbversion
 		ISC_LIST_UNLINK(resigned_list, header, link);
 		lock = &rbtdb->node_locks[header->node->locknum].lock;
 		NODE_LOCK(lock, isc_rwlocktype_write);
 		if (rollback)
 			resign_insert(rbtdb, header->node->locknum, header);
 		decrement_reference(rbtdb, header->node, least_serial,
 				    isc_rwlocktype_write, isc_rwlocktype_none,
 				    ISC_FALSE);
 		NODE_UNLOCK(lock, isc_rwlocktype_write);
+	}
 	if (!EMPTY(cleanup_list)) {
-		/*
+		isc_event_t *event = NULL;
-		 * We acquire a tree write lock here in order to make sure
+		isc_rwlocktype_t tlock = isc_rwlocktype_none;
 		 * that stale nodes will be removed in decrement_reference().
-		 * If we didn't have the lock, those nodes could miss the
+		if (rbtdb->task != NULL)
-		 * chance to be removed until the server stops.  The write lock
+			event = isc_event_allocate(rbtdb->common.mctx, NULL,
-		 * is expensive, but this event should be rare enough to justify
+						   DNS_EVENT_RBTDEADNODES,
-		 * the cost.
+						   cleanup_dead_nodes_callback,
-		 */
+						   rbtdb, sizeof(isc_event_t));
-		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		if (event == NULL) {
 			/*
 			 * We acquire a tree write lock here in order to make
 			 * sure that stale nodes will be removed in
 			 * decrement_reference().  If we didn't have the lock,
 			 * those nodes could miss the chance to be removed
 			 * until the server stops.  The write lock is
 			 * expensive, but this event should be rare enough
 			 * to justify the cost.
 			 */
 			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 			tlock = isc_rwlocktype_write;
+		}
 		for (changed = HEAD(cleanup_list);
 		     changed != NULL;
 		     changed = next_changed) {
 			nodelock_t *lock;
 			next_changed = NEXT(changed, link);
 			rbtnode = changed->node;
 			lock = &rbtdb->node_locks[rbtnode->locknum].lock;
 			NODE_LOCK(lock, isc_rwlocktype_write);
 			/*
 			 * This is a good opportunity to purge any dead nodes,
 			 * so use it.
 			 */
-			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+			if (event == NULL)
 				cleanup_dead_nodes(rbtdb, rbtnode->locknum);
 			if (rollback)
 				rollback_node(rbtnode, serial);
 			decrement_reference(rbtdb, rbtnode, least_serial,
-					    isc_rwlocktype_write,
+					    isc_rwlocktype_write, tlock,
-					    isc_rwlocktype_write, ISC_FALSE);
+					    ISC_FALSE);
 			NODE_UNLOCK(lock, isc_rwlocktype_write);
 			isc_mem_put(rbtdb->common.mctx, changed,
 				    sizeof(*changed));
+		}
-		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		if (event != NULL) {
 			isc_refcount_increment(&rbtdb->references, NULL);
 			isc_task_send(rbtdb->task, &event);
 		} else
 			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	}
  end:
 	*versionp = NULL;
+}
 /*
  * Add the necessary magic for the wildcard name 'name'
  * to be found in 'rbtdb'.
+ *
  * In order for wildcard matching to work correctly in
  * zone_find(), we must ensure that a node for the wildcarding
  * level exists in the database, and has its 'find_callback'
 @@ -2369,27 +2419,28 @@ add_wildcard_magic(dns_rbtdb_t *rbtdb, d
 	dns_name_t foundname;
 	dns_offsets_t offsets;
 	unsigned int n;
 	dns_rbtnode_t *node = NULL;
 	dns_name_init(&foundname, offsets);
 	n = dns_name_countlabels(name);
 	INSIST(n >= 2);
 	n--;
 	dns_name_getlabelsequence(name, 1, n, &foundname);
 	result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
 	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 		return (result);
-	node->nsec = DNS_RBT_NSEC_NORMAL;
+	if (result == ISC_R_SUCCESS)
 		node->nsec = DNS_RBT_NSEC_NORMAL;
 	node->find_callback = 1;
 	node->wild = 1;
 	return (ISC_R_SUCCESS);
+}
 static isc_result_t
 add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
 	isc_result_t result;
 	dns_name_t foundname;
 	dns_offsets_t offsets;
 	unsigned int n, l, i;
 	dns_name_init(&foundname, offsets);
 @@ -2397,27 +2448,28 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb,
 	l = dns_name_countlabels(&rbtdb->common.origin);
 	i = l + 1;
 	while (i < n) {
 		dns_rbtnode_t *node = NULL;     /* dummy */
 		dns_name_getlabelsequence(name, n - i, i, &foundname);
 		if (dns_name_iswildcard(&foundname)) {
 			result = add_wildcard_magic(rbtdb, &foundname);
 			if (result != ISC_R_SUCCESS)
 				return (result);
 			result = dns_rbt_addnode(rbtdb->tree, &foundname,
 						 &node);
 			if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 				return (result);
-			node->nsec = DNS_RBT_NSEC_NORMAL;
+			if (result == ISC_R_SUCCESS)
 				node->nsec = DNS_RBT_NSEC_NORMAL;
+		}
 		i++;
+	}
 	return (ISC_R_SUCCESS);
+}
 static isc_result_t
 findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 	 dns_dbnode_t **nodep)
+{
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	dns_rbtnode_t *node = NULL;
 	dns_name_t nodename;
 @@ -3227,28 +3279,36 @@ matchparams(rdatasetheader_t *header, rb
+}
 static inline isc_result_t
 previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
 		    dns_name_t *name, dns_name_t *origin,
 		    dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain,
 		    isc_boolean_t *firstp)
+{
 	dns_fixedname_t ftarget;
 	dns_name_t *target;
 	dns_rbtnode_t *nsecnode;
 	isc_result_t result;
-	if (type == dns_rdatatype_nsec3)
+	if (type == dns_rdatatype_nsec3) {
-		return (dns_rbtnodechain_prev(&search->chain, NULL, NULL));
+		result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
 		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
 			return (result);
 		result = dns_rbtnodechain_current(&search->chain, name, origin,
 						  nodep);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 		return (ISC_R_SUCCESS);
+	}
 	dns_fixedname_init(&ftarget);
 	target = dns_fixedname_name(&ftarget);
 	for (;;) {
 		if (*firstp) {
 			/*
 			 * Construct the name of the second node to check.
 			 * It is the first node sought in the NSEC tree.
 			 */
 			*firstp = ISC_FALSE;
 			dns_rbtnodechain_init(nsecchain, NULL);
 			result = dns_name_concatenate(name, origin,
 @@ -4662,27 +4722,27 @@ cache_find(dns_db_t *db, dns_name_t *nam
 		/*
 		 * We have an exact match for the name, but there are no
 		 * extant rdatasets.  That means that this node doesn't
 		 * meaningfully exist, and that we really have a partial match.
 		 */
 		NODE_UNLOCK(lock, locktype);
 		goto find_ns;
+	}
 	/*
 	 * If we didn't find what we were looking for...
 	 */
 	if (found == NULL ||
-	    (found->trust == dns_trust_additional &&
+	    (DNS_TRUST_ADDITIONAL(found->trust) &&
 	     ((options & DNS_DBFIND_ADDITIONALOK) == 0)) ||
 	    (found->trust == dns_trust_glue &&
 	     ((options & DNS_DBFIND_GLUEOK) == 0)) ||
 	    (DNS_TRUST_PENDING(found->trust) &&
 	     ((options & DNS_DBFIND_PENDINGOK) == 0))) {
 		/*
 		 * If there is an NS rdataset at this node, then this is the
 		 * deepest zone cut.
 		 */
 		if (nsheader != NULL) {
 			if (nodep != NULL) {
 				new_reference(search.rbtdb, node);
 				INSIST(!ISC_LINK_LINKED(node, deadlink));
 @@ -5746,26 +5806,27 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r
 					     flags, &merged);
 			if (result == ISC_R_SUCCESS) {
 				/*
 				 * If 'header' has the same serial number as
 				 * we do, we could clean it up now if we knew
 				 * that our caller had no references to it.
 				 * We don't know this, however, so we leave it
 				 * alone.  It will get cleaned up when
 				 * clean_zone_node() runs.
 				 */
 				free_rdataset(rbtdb, rbtdb->common.mctx,
 					      newheader);
 				newheader = (rdatasetheader_t *)merged;
 				init_rdataset(rbtdb, newheader);
 				if (loading && RESIGN(newheader) &&
 				    RESIGN(header) &&
 				    header->resign < newheader->resign)
 					newheader->resign = header->resign;
 			} else {
 				free_rdataset(rbtdb, rbtdb->common.mctx,
 					      newheader);
 				return (result);
+			}
+		}
 		/*
 		 * Don't replace existing NS, A and AAAA RRsets
 		 * in the cache if they are already exist.  This
 @@ -6496,45 +6557,45 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t
+{
 	isc_result_t noderesult, nsecresult;
 	dns_rbtnode_t *nsecnode;
 	noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep);
 	if (!hasnsec)
 		return (noderesult);
 	if (noderesult == ISC_R_EXISTS) {
 		/*
 		 * Add a node to the auxiliary NSEC tree for an old node
 		 * just now getting an NSEC record.
 		 */
 		if ((*nodep)->nsec == DNS_RBT_NSEC_HAS_NSEC)
-			return noderesult;
+			return (noderesult);
 	} else if (noderesult != ISC_R_SUCCESS) {
 		return (noderesult);
+	}
 	/*
 	 * Build the auxiliary tree for NSECs as we go.
 	 * This tree speeds searches for closest NSECs that would otherwise
 	 * need to examine many irrelevant nodes in large TLDs.
+	 *
 	 * Add nodes to the auxiliary tree after corresponding nodes have
 	 * been added to the main tree.
 	 */
 	nsecnode = NULL;
 	nsecresult = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
 	if (nsecresult == ISC_R_SUCCESS) {
 		nsecnode->nsec = DNS_RBT_NSEC_NSEC;
 		(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
-		return (ISC_R_SUCCESS);
+		return (noderesult);
+	}
 	if (nsecresult == ISC_R_EXISTS) {
 #if 1 /* 0 */
 		isc_log_write(dns_lctx,
 			      DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE,
 			      ISC_LOG_WARNING,
 			      "addnode: NSEC node already exists");
 #endif
 		(*nodep)->nsec = DNS_RBT_NSEC_HAS_NSEC;
 		return (noderesult);
+	}
 @@ -6916,67 +6977,75 @@ setsigningtime(dns_db_t *db, dns_rdatase
 		  isc_rwlocktype_write);
 	oldresign = header->resign;
 	header->resign = resign;
 	if (header->heap_index != 0) {
 		INSIST(RESIGN(header));
 		if (resign == 0) {
 			isc_heap_delete(rbtdb->heaps[header->node->locknum],
 					header->heap_index);
 			header->heap_index = 0;
 		} else if (resign < oldresign)
 			isc_heap_increased(rbtdb->heaps[header->node->locknum],
 					   header->heap_index);
-		else
+		else if (resign > oldresign)
 			isc_heap_decreased(rbtdb->heaps[header->node->locknum],
 					   header->heap_index);
 	} else if (resign && header->heap_index == 0) {
 		header->attributes |= RDATASET_ATTR_RESIGN;
 		result = resign_insert(rbtdb, header->node->locknum, header);
+	}
 	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
 		    isc_rwlocktype_write);
 	return (result);
+}
 static isc_result_t
 getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
 	       dns_name_t *foundname)
+{
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	rdatasetheader_t *header = NULL, *this;
 	unsigned int i;
 	isc_result_t result = ISC_R_NOTFOUND;
 	unsigned int locknum;
 	REQUIRE(VALID_RBTDB(rbtdb));
 	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
 	for (i = 0; i < rbtdb->node_lock_count; i++) {
 		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
 		this = isc_heap_element(rbtdb->heaps[i], 1);
-		if (this == NULL)
+		if (this == NULL) {
 			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
 				    isc_rwlocktype_read);
 			continue;
+		}
 		if (header == NULL)
 			header = this;
-		else if (isc_serial_lt(this->resign, header->resign))
+		else if (isc_serial_lt(this->resign, header->resign)) {
 			locknum = header->node->locknum;
 			NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
 				    isc_rwlocktype_read);
 			header = this;
 		} else
 			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
 				    isc_rwlocktype_read);
+	}
 	if (header == NULL)
 		goto unlock;
 	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
 		  isc_rwlocktype_read);
 	bind_rdataset(rbtdb, header->node, header, 0, rdataset);
 	if (foundname != NULL)
 		dns_rbt_fullnamefromnode(header->node, foundname);
 	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
 		    isc_rwlocktype_read);
 	result = ISC_R_SUCCESS;
  unlock:
 	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
 @@ -7635,26 +7704,54 @@ rdataset_getclosest(dns_rdataset_t *rdat
 	nsecsig->private1 = rdataset->private1;
 	nsecsig->private2 = rdataset->private2;
 	nsecsig->private3 = closest->negsig;
 	nsecsig->privateuint4 = 0;
 	nsecsig->private5 = NULL;
 	nsec->private6 = NULL;
 	nsec->private7 = NULL;
 	dns_name_clone(&closest->name, name);
 	return (ISC_R_SUCCESS);
+}
 static void
 rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
 	rdatasetheader_t *header = rdataset->private3;
 	header--;
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
 	header->trust = rdataset->trust = trust;
 	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
+}
 static void
 rdataset_expire(dns_rdataset_t *rdataset) {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
 	rdatasetheader_t *header = rdataset->private3;
 	header--;
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
 	expire_header(rbtdb, header, ISC_FALSE);
 	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
+}
 /*
  * Rdataset Iterator Methods
  */
 static void
 rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
 	rbtdb_rdatasetiter_t *rbtiterator;
 	rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp);
 	if (rbtiterator->common.version != NULL)
 		closeversion(rbtiterator->common.db,
 			     &rbtiterator->common.version, ISC_FALSE);

--- src/external/bsd/bind/dist/lib/dns/Attic/resolver.c 2009/12/26 23:08:22	1.5
+++ src/external/bsd/bind/dist/lib/dns/Attic/resolver.c 2010/08/06 10:58:12	1.6

 @@ -1,33 +1,33 @@
-/*	$NetBSD: resolver.c,v 1.5 2009/12/26 23:08:22 christos Exp $	*/
+/*	$NetBSD: resolver.c,v 1.6 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: resolver.c,v 1.413 2009/11/18 23:48:07 tbox Exp */
+/* Id: resolver.c,v 1.413.14.11 2010/07/11 00:12:18 each Exp */
 /*! \file */
 #include <config.h>
 #include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/random.h>
 #include <isc/task.h>
 #include <isc/stats.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 @@ -195,26 +195,27 @@ struct fetchctx {
 	dns_message_t *			rmessage;
 	ISC_LIST(resquery_t)		queries;
 	dns_adbfindlist_t		finds;
 	dns_adbfind_t *			find;
 	dns_adbfindlist_t		altfinds;
 	dns_adbfind_t *			altfind;
 	dns_adbaddrinfolist_t		forwaddrs;
 	dns_adbaddrinfolist_t		altaddrs;
 	isc_sockaddrlist_t		forwarders;
 	dns_fwdpolicy_t			fwdpolicy;
 	isc_sockaddrlist_t		bad;
 	isc_sockaddrlist_t		edns;
 	isc_sockaddrlist_t		edns512;
 	isc_sockaddrlist_t		bad_edns;
 	dns_validator_t			*validator;
 	ISC_LIST(dns_validator_t)       validators;
 	dns_db_t *			cache;
 	dns_adb_t *			adb;
 	/*%
 	 * The number of events we're waiting for.
 	 */
 	unsigned int			pending;
 	/*%
 	 * The number of times we've "restarted" the current
 	 * nameserver set.  This acts as a failsafe to prevent
 @@ -328,26 +329,38 @@ typedef struct fctxbucket {
 typedef struct alternate {
 	isc_boolean_t			isaddress;
 	union   {
 		isc_sockaddr_t		addr;
 		struct {
 			dns_name_t      name;
 			in_port_t       port;
 		} _n;
 	} _u;
 	ISC_LINK(struct alternate)      link;
 } alternate_t;
 typedef struct dns_badcache dns_badcache_t;
 struct dns_badcache {
 	dns_badcache_t *	next;
 	dns_rdatatype_t 	type;
 	isc_time_t		expire;
 	unsigned int		hashval;
 	dns_name_t		name;
 };
 #define DNS_BADCACHE_SIZE 1021
 #define DNS_BADCACHE_TTL(fctx) \
 	(((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30)
 struct dns_resolver {
 	/* Unlocked. */
 	unsigned int			magic;
 	isc_mem_t *			mctx;
 	isc_mutex_t			lock;
 	isc_mutex_t			nlock;
 	isc_mutex_t			primelock;
 	dns_rdataclass_t		rdclass;
 	isc_socketmgr_t *		socketmgr;
 	isc_timermgr_t *		timermgr;
 	isc_taskmgr_t *			taskmgr;
 	dns_view_t *			view;
 	isc_boolean_t			frozen;
 @@ -374,26 +387,33 @@ struct dns_resolver {
 	unsigned int			spillatmax;
 	unsigned int			spillatmin;
 	isc_timer_t *			spillattimer;
 	isc_boolean_t			zero_no_soa_ttl;
 	/* Locked by lock. */
 	unsigned int			references;
 	isc_boolean_t			exiting;
 	isc_eventlist_t			whenshutdown;
 	unsigned int			activebuckets;
 	isc_boolean_t			priming;
 	unsigned int			spillat;	/* clients-per-query */
 	unsigned int			nextdisp;
 	/* Bad cache. */
 	dns_badcache_t  ** 		badcache;
 	unsigned int 			badcount;
 	unsigned int 			badhash;
 	unsigned int 			badsweep;
 	/* Locked by primelock. */
 	dns_fetch_t *			primefetch;
 	/* Locked by nlock. */
 	unsigned int			nfctx;
 };
 #define RES_MAGIC			ISC_MAGIC('R', 'e', 's', '!')
 #define VALID_RESOLVER(res)		ISC_MAGIC_VALID(res, RES_MAGIC)
 /*%
  * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0,
  * which we also use as an addrinfo flag.
  */
 @@ -404,27 +424,28 @@ struct dns_resolver {
 					 == 0)
 #define ISFORWARDER(a)                  (((a)->flags & \
 					 FCTX_ADDRINFO_FORWARDER) != 0)
 #define TRIED(a)                        (((a)->flags & \
 					 FCTX_ADDRINFO_TRIED) != 0)
 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 static void destroy(dns_resolver_t *res);
 static void empty_bucket(dns_resolver_t *res);
 static isc_result_t resquery_send(resquery_t *query);
 static void resquery_response(isc_task_t *task, isc_event_t *event);
 static void resquery_connected(isc_task_t *task, isc_event_t *event);
-static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying);
+static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying,
 		     isc_boolean_t badcache);
 static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
 static isc_result_t ncache_adderesult(dns_message_t *message,
 				      dns_db_t *cache, dns_dbnode_t *node,
 				      dns_rdatatype_t covers,
 				      isc_stdtime_t now, dns_ttl_t maxttl,
 				      isc_boolean_t optout,
 				      dns_rdataset_t *ardataset,
 				      isc_result_t *eresultp);
 static void validated(isc_task_t *task, isc_event_t *event);
 static void maybe_destroy(fetchctx_t *fctx);
 static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		    isc_result_t reason, badnstype_t badtype);
 @@ -456,27 +477,27 @@ valcreate(fetchctx_t *fctx, dns_adbaddri
 	valarg->addrinfo = addrinfo;
 	if (!ISC_LIST_EMPTY(fctx->validators))
 		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
 				      sigrdataset, fctx->rmessage,
 				      valoptions, task, validated, valarg,
 				      &validator);
 	if (result == ISC_R_SUCCESS) {
 		inc_stats(fctx->res, dns_resstatscounter_val);
 		if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
 			INSIST(fctx->validator == NULL);
-			fctx->validator  = validator;
+			fctx->validator = validator;
+		}
 		ISC_LIST_APPEND(fctx->validators, validator, link);
 	} else
 		isc_mem_put(fctx->res->buckets[fctx->bucketnum].mctx,
 			    valarg, sizeof(*valarg));
 	return (result);
+}
 static isc_boolean_t
 rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
 	dns_namereln_t namereln;
 	dns_rdata_rrsig_t rrsig;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 @@ -1166,27 +1187,27 @@ process_sendevent(resquery_t *query, isc
 	isc_event_free(&event);
 	if (retry) {
 		/*
 		 * Behave as if the idle timer has expired.  For TCP
 		 * this may not actually reflect the latest timer.
 		 */
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
 		else
-			fctx_try(fctx, ISC_TRUE);
+			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
+	}
+}
 static void
 resquery_udpconnected(isc_task_t *task, isc_event_t *event) {
 	resquery_t *query = event->ev_arg;
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
 	QTRACE("udpconnected");
 	UNUSED(task);
 @@ -1536,26 +1557,56 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
  cleanup_query:
 	query->magic = 0;
 	isc_mem_put(res->buckets[fctx->bucketnum].mctx,
 		    query, sizeof(*query));
  stop_idle_timer:
 	RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
 	return (result);
+}
 static isc_boolean_t
 bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
 	isc_sockaddr_t *sa;
 	for (sa = ISC_LIST_HEAD(fctx->bad_edns);
 	     sa != NULL;
 	     sa = ISC_LIST_NEXT(sa, link)) {
 		if (isc_sockaddr_equal(sa, address))
 			return (ISC_TRUE);
+	}
 	return (ISC_FALSE);
+}
 static void
 add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
 	isc_sockaddr_t *sa;
 	if (bad_edns(fctx, address))
 		return;
 	sa = isc_mem_get(fctx->res->buckets[fctx->bucketnum].mctx,
 			 sizeof(*sa));
 	if (sa == NULL)
 		return;
 	*sa = *address;
 	ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
+}
 static isc_boolean_t
 triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
 	isc_sockaddr_t *sa;
 	for (sa = ISC_LIST_HEAD(fctx->edns);
 	     sa != NULL;
 	     sa = ISC_LIST_NEXT(sa, link)) {
 		if (isc_sockaddr_equal(sa, address))
 			return (ISC_TRUE);
+	}
 	return (ISC_FALSE);
+}
 @@ -2067,27 +2118,27 @@ resquery_connected(isc_task_t *task, isc
 	isc_event_free(&event);
 	if (retry) {
 		/*
 		 * Behave as if the idle timer has expired.  For TCP
 		 * connections this may not actually reflect the latest timer.
 		 */
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
 		else
-			fctx_try(fctx, ISC_TRUE);
+			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
+	}
+}
 static void
 fctx_finddone(isc_task_t *task, isc_event_t *event) {
 	fetchctx_t *fctx;
 	dns_adbfind_t *find;
 	dns_resolver_t *res;
 	isc_boolean_t want_try = ISC_FALSE;
 	isc_boolean_t want_done = ISC_FALSE;
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	unsigned int bucketnum;
 @@ -2129,27 +2180,27 @@ fctx_finddone(isc_task_t *task, isc_even
 		/*
 		 * Note that we had to wait until we had the lock before
 		 * looking at fctx->references.
 		 */
 		if (fctx->references == 0)
 			bucket_empty = fctx_destroy(fctx);
 		UNLOCK(&res->buckets[bucketnum].lock);
+	}
 	isc_event_free(&event);
 	dns_adb_destroyfind(&find);
 	if (want_try)
-		fctx_try(fctx, ISC_TRUE);
+		fctx_try(fctx, ISC_TRUE, ISC_FALSE);
 	else if (want_done)
 		fctx_done(fctx, ISC_R_FAILURE, __LINE__);
 	else if (bucket_empty)
 		empty_bucket(res);
+}
 static inline isc_boolean_t
 bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
 	isc_sockaddr_t *sa;
 	for (sa = ISC_LIST_HEAD(fctx->bad);
 	     sa != NULL;
 @@ -2537,27 +2588,27 @@ findname(fetchctx_t *fctx, dns_name_t *n
+}
 static isc_boolean_t
 isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) {
 	int order;
 	unsigned int nlabels;
 	dns_namereln_t namereln;
 	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
 	return (ISC_TF(namereln == dns_namereln_subdomain));
+}
 static isc_result_t
-fctx_getaddresses(fetchctx_t *fctx) {
+fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
 	dns_resolver_t *res;
 	isc_stdtime_t now;
 	unsigned int stdoptions;
 	isc_sockaddr_t *sa;
 	dns_adbaddrinfo_t *ai;
 	isc_boolean_t all_bad;
 	dns_rdata_ns_t ns;
 	isc_boolean_t need_alternate = ISC_FALSE;
 	FCTXTRACE("getaddresses");
 @@ -2756,32 +2807,44 @@ fctx_getaddresses(fetchctx_t *fctx) {
 	 * How are we doing?
 	 */
 	if (all_bad) {
 		/*
 		 * We've got no addresses.
 		 */
 		if (fctx->pending > 0) {
 			/*
 			 * We're fetching the addresses, but don't have any
 			 * yet.   Tell the caller to wait for an answer.
 			 */
 			result = DNS_R_WAIT;
 		} else {
 			isc_time_t expire;
 			isc_interval_t i;
 			/*
 			 * We've lost completely.  We don't know any
 			 * addresses, and the ADB has told us it can't get
 			 * them.
 			 */
 			FCTXTRACE("no addresses");
 			isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
 			result = isc_time_nowplusinterval(&expire, &i);
 			if (badcache &&
 			    (fctx->type == dns_rdatatype_dnskey ||
 			     fctx->type == dns_rdatatype_dlv ||
 			     fctx->type == dns_rdatatype_ds) &&
 			     result == ISC_R_SUCCESS)
 				dns_resolver_addbadcache(fctx->res,
 							 &fctx->name,
 							 fctx->type, &expire);
 			result = ISC_R_FAILURE;
+		}
 	} else {
 		/*
 		 * We've found some addresses.  We might still be looking
 		 * for more addresses.
 		 */
 		sort_finds(fctx, &fctx->finds);
 		sort_finds(fctx, &fctx->altfinds);
 		result = ISC_R_SUCCESS;
+	}
 	return (result);
 @@ -2984,45 +3047,45 @@ fctx_nextaddress(fetchctx_t *fctx) {
 			break;
+		}
+	}
 	if (addrinfo == NULL) {
 		addrinfo = faddrinfo;
 		fctx->altfind = find;
+	}
 	return (addrinfo);
+}
 static void
-fctx_try(fetchctx_t *fctx, isc_boolean_t retrying) {
+fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
 	isc_result_t result;
 	dns_adbaddrinfo_t *addrinfo;
 	FCTXTRACE("try");
 	REQUIRE(!ADDRWAIT(fctx));
 	addrinfo = fctx_nextaddress(fctx);
 	if (addrinfo == NULL) {
 		/*
 		 * We have no more addresses.  Start over.
 		 */
 		fctx_cancelqueries(fctx, ISC_TRUE);
 		fctx_cleanupfinds(fctx);
 		fctx_cleanupaltfinds(fctx);
 		fctx_cleanupforwaddrs(fctx);
 		fctx_cleanupaltaddrs(fctx);
-		result = fctx_getaddresses(fctx);
+		result = fctx_getaddresses(fctx, badcache);
 		if (result == DNS_R_WAIT) {
 			/*
 			 * Sleep waiting for addresses.
 			 */
 			FCTXTRACE("addrwait");
 			fctx->attributes |= FCTX_ATTR_ADDRWAIT;
 			return;
 		} else if (result != ISC_R_SUCCESS) {
 			/*
 			 * Something bad happened.
 			 */
 			fctx_done(fctx, result, __LINE__);
 			return;
 @@ -3091,26 +3154,34 @@ fctx_destroy(fetchctx_t *fctx) {
 		next_sa = ISC_LIST_NEXT(sa, link);
 		ISC_LIST_UNLINK(fctx->edns, sa, link);
 		isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
+	}
 	for (sa = ISC_LIST_HEAD(fctx->edns512);
 	     sa != NULL;
 	     sa = next_sa) {
 		next_sa = ISC_LIST_NEXT(sa, link);
 		ISC_LIST_UNLINK(fctx->edns512, sa, link);
 		isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
+	}
 	for (sa = ISC_LIST_HEAD(fctx->bad_edns);
 	     sa != NULL;
 	     sa = next_sa) {
 		next_sa = ISC_LIST_NEXT(sa, link);
 		ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
 		isc_mem_put(res->buckets[bucketnum].mctx, sa, sizeof(*sa));
+	}
 	isc_timer_detach(&fctx->timer);
 	dns_message_destroy(&fctx->rmessage);
 	dns_message_destroy(&fctx->qmessage);
 	if (dns_name_countlabels(&fctx->domain) > 0)
 		dns_name_free(&fctx->domain, res->buckets[bucketnum].mctx);
 	if (dns_rdataset_isassociated(&fctx->nameservers))
 		dns_rdataset_disassociate(&fctx->nameservers);
 	dns_name_free(&fctx->name, res->buckets[bucketnum].mctx);
 	dns_db_detach(&fctx->cache);
 	dns_adb_detach(&fctx->adb);
 	isc_mem_free(res->buckets[bucketnum].mctx, fctx->info);
 	isc_mem_put(res->buckets[bucketnum].mctx, fctx, sizeof(*fctx));
 @@ -3167,27 +3238,27 @@ fctx_timeout(isc_task_t *task, isc_event
+		}
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		/*
 		 * Our timer has triggered.  Reestablish the fctx lifetime
 		 * timer.
 		 */
 		result = fctx_starttimer(fctx);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
 		else
 			/*
 			 * Keep trying.
 			 */
-			fctx_try(fctx, ISC_TRUE);
+			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
+	}
 	isc_event_free(&event);
+}
 static void
 fctx_shutdown(fetchctx_t *fctx) {
 	isc_event_t *cevent;
 	/*
 	 * Start the shutdown process for fctx, if it isn't already underway.
 	 */
 @@ -3337,27 +3408,27 @@ fctx_start(isc_task_t *task, isc_event_t
 	UNLOCK(&res->buckets[bucketnum].lock);
 	if (!done) {
 		isc_result_t result;
 		/*
 		 * All is well.  Start working on the fetch.
 		 */
 		result = fctx_starttimer(fctx);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
 		else
-			fctx_try(fctx, ISC_FALSE);
+			fctx_try(fctx, ISC_FALSE, ISC_FALSE);
 	} else if (bucket_empty)
 		empty_bucket(res);
+}
 /*
  * Fetch Creation, Joining, and Cancelation.
  */
 static inline isc_result_t
 fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
 	  dns_messageid_t id, isc_taskaction_t action, void *arg,
 	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
 	  dns_fetch_t *fetch)
 @@ -3462,26 +3533,27 @@ fctx_create(dns_resolver_t *res, dns_nam
 	fctx->state = fetchstate_init;
 	fctx->want_shutdown = ISC_FALSE;
 	fctx->cloned = ISC_FALSE;
 	ISC_LIST_INIT(fctx->queries);
 	ISC_LIST_INIT(fctx->finds);
 	ISC_LIST_INIT(fctx->altfinds);
 	ISC_LIST_INIT(fctx->forwaddrs);
 	ISC_LIST_INIT(fctx->altaddrs);
 	ISC_LIST_INIT(fctx->forwarders);
 	fctx->fwdpolicy = dns_fwdpolicy_none;
 	ISC_LIST_INIT(fctx->bad);
 	ISC_LIST_INIT(fctx->edns);
 	ISC_LIST_INIT(fctx->edns512);
 	ISC_LIST_INIT(fctx->bad_edns);
 	ISC_LIST_INIT(fctx->validators);
 	fctx->validator = NULL;
 	fctx->find = NULL;
 	fctx->altfind = NULL;
 	fctx->pending = 0;
 	fctx->restarts = 0;
 	fctx->querysent = 0;
 	fctx->referrals = 0;
 	TIME_NOW(&fctx->start);
 	fctx->timeouts = 0;
 	fctx->lamecount = 0;
 	fctx->adberr = 0;
 	fctx->neterr = 0;
 @@ -3873,34 +3945,26 @@ maybe_destroy(fetchctx_t *fctx) {
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	dns_resolver_t *res = fctx->res;
 	dns_validator_t *validator, *next_validator;
 	REQUIRE(SHUTTINGDOWN(fctx));
 	if (fctx->pending != 0 || fctx->nqueries != 0)
 		return;
 	for (validator = ISC_LIST_HEAD(fctx->validators);
 	     validator != NULL; validator = next_validator) {
 		next_validator = ISC_LIST_NEXT(validator, link);
 		dns_validator_cancel(validator);
 		/*
 		 * If this is a active validator wait for the cancel
 		 * to complete before calling dns_validator_destroy().
 		 */
 		if (validator == fctx->validator)
 			continue;
 		ISC_LIST_UNLINK(fctx->validators, validator, link);
 		dns_validator_destroy(&validator);
+	}
 	bucketnum = fctx->bucketnum;
 	LOCK(&res->buckets[bucketnum].lock);
 	if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators))
 		bucket_empty = fctx_destroy(fctx);
 	UNLOCK(&res->buckets[bucketnum].lock);
 	if (bucket_empty)
 		empty_bucket(res);
+}
 /*
 @@ -3959,26 +4023,28 @@ validated(isc_task_t *task, isc_event_t
 	/*
 	 * If shutting down, ignore the results.  Check to see if we're
 	 * done waiting for validator completions and ADB pending events; if
 	 * so, destroy the fctx.
 	 */
 	if (SHUTTINGDOWN(fctx) && !sentresponse) {
 		maybe_destroy(fctx);    /* Locks bucket. */
 		goto cleanup_event;
+	}
 	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 	isc_stdtime_get(&now);
 	/*
 	 * If chaining, we need to make sure that the right result code is
 	 * returned, and that the rdatasets are bound.
 	 */
 	if (vevent->result == ISC_R_SUCCESS &&
 	    !negative &&
 	    vevent->rdataset != NULL &&
 	    CHAINING(vevent->rdataset))
+	{
 		if (vevent->rdataset->type == dns_rdatatype_cname)
 			eresult = DNS_R_CNAME;
 		else {
 			INSIST(vevent->rdataset->type == dns_rdatatype_dname);
 @@ -4005,55 +4071,100 @@ validated(isc_task_t *task, isc_event_t
 			 * will iterate the node.
 			 */
 		} else {
 			ardataset = hevent->rdataset;
 			asigrdataset = hevent->sigrdataset;
+		}
+	}
 	if (vevent->result != ISC_R_SUCCESS) {
 		FCTXTRACE("validation failed");
 		inc_stats(fctx->res, dns_resstatscounter_valfail);
 		fctx->valfail++;
 		fctx->vresult = vevent->result;
-		result = ISC_R_NOTFOUND;
+		if (fctx->vresult != DNS_R_BROKENCHAIN) {
-		if (vevent->rdataset != NULL)
+			result = ISC_R_NOTFOUND;
-			result = dns_db_findnode(fctx->cache, vevent->name,
+			if (vevent->rdataset != NULL)
-						 ISC_TRUE, &node);
+				result = dns_db_findnode(fctx->cache,
-		if (result == ISC_R_SUCCESS)
+							 vevent->name,
-			(void)dns_db_deleterdataset(fctx->cache, node, NULL,
+							 ISC_TRUE, &node);
-						    vevent->type, 0);
+			if (result == ISC_R_SUCCESS)
-		if (result == ISC_R_SUCCESS && vevent->sigrdataset != NULL)
+				(void)dns_db_deleterdataset(fctx->cache, node,
-			(void)dns_db_deleterdataset(fctx->cache, node, NULL,
+							     NULL,
-						    dns_rdatatype_rrsig,
+							    vevent->type, 0);
-						    vevent->type);
+			if (result == ISC_R_SUCCESS &&
-		if (result == ISC_R_SUCCESS)
+			     vevent->sigrdataset != NULL)
-			dns_db_detachnode(fctx->cache, &node);
+				(void)dns_db_deleterdataset(fctx->cache, node,
-		result = vevent->result;
+							    NULL,
 							    dns_rdatatype_rrsig,
 							    vevent->type);
 			if (result == ISC_R_SUCCESS)
 				dns_db_detachnode(fctx->cache, &node);
+		}
 		if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) {
 			/*
 			 * Cache the data as pending for later validation.
 			 */
 			result = ISC_R_NOTFOUND;
 			if (vevent->rdataset != NULL)
 				result = dns_db_findnode(fctx->cache,
 							 vevent->name,
 							 ISC_TRUE, &node);
 			if (result == ISC_R_SUCCESS) {
 				(void)dns_db_addrdataset(fctx->cache, node,
 							 NULL, now,
 							 vevent->rdataset, 0,
 							 NULL);
+			}
 			if (result == ISC_R_SUCCESS &&
 			    vevent->sigrdataset != NULL)
 				(void)dns_db_addrdataset(fctx->cache, node,
 							 NULL, now,
 							 vevent->sigrdataset,
 , NULL);
 			if (result == ISC_R_SUCCESS)
 				dns_db_detachnode(fctx->cache, &node);
+		}
 		result = fctx->vresult;
 		add_bad(fctx, addrinfo, result, badns_validation);
 		isc_event_free(&event);
 		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 		INSIST(fctx->validator == NULL);
 		fctx->validator = ISC_LIST_HEAD(fctx->validators);
-		if (fctx->validator != NULL) {
+		if (fctx->validator != NULL)
 			dns_validator_send(fctx->validator);
-		} else if (sentresponse)
+		else if (sentresponse)
 			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
-		else
+		else if (result == DNS_R_BROKENCHAIN) {
-			fctx_try(fctx, ISC_TRUE);       /* Locks bucket. */
+			isc_result_t tresult;
 			isc_time_t expire;
 			isc_interval_t i;
 			isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
 			tresult = isc_time_nowplusinterval(&expire, &i);
 			if (negative &&
 			    (fctx->type == dns_rdatatype_dnskey ||
 			     fctx->type == dns_rdatatype_dlv ||
 			     fctx->type == dns_rdatatype_ds) &&
 			     tresult == ISC_R_SUCCESS)
 				dns_resolver_addbadcache(fctx->res,
 							 &fctx->name,
 							 fctx->type, &expire);
 			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
 		} else
 			fctx_try(fctx, ISC_TRUE, ISC_TRUE); /* Locks bucket. */
 		return;
+	}
 	isc_stdtime_get(&now);
 	if (negative) {
 		dns_rdatatype_t covers;
 		FCTXTRACE("nonexistence validation OK");
 		inc_stats(fctx->res, dns_resstatscounter_valnegsuccess);
 		if (fctx->rmessage->rcode == dns_rcode_nxdomain)
 			covers = dns_rdatatype_any;
 		else
 			covers = fctx->type;
 		result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
 @@ -4353,31 +4464,39 @@ cache_name(fetchctx_t *fctx, dns_name_t
 					return (DNS_R_BADNAME);
+				}
 				continue;
+			}
+		}
 		/*
 		 * Enforce the configure maximum cache TTL.
 		 */
 		if (rdataset->ttl > res->view->maxcachettl)
 			rdataset->ttl = res->view->maxcachettl;
 		/*
-		 * If this rrset is in a secure domain, do DNSSEC validation
+		 * If this RRset is in a secure domain, is in bailiwick,
-		 * for it, unless it is glue.
+		 * and is not glue, attempt DNSSEC validation.	(We do not
 		 * attempt to validate glue or out-of-bailiwick data--even
 		 * though there might be some performance benefit to doing
 		 * so--because it makes it simpler and safer to ensure that
 		 * records from a secure domain are only cached if validated
 		 * within the context of a query to the domain that owns
 		 * them.)
 		 */
-		if (secure_domain && rdataset->trust != dns_trust_glue) {
+		if (secure_domain && rdataset->trust != dns_trust_glue &&
 		    !EXTERNAL(rdataset)) {
 			dns_trust_t trust;
 			/*
 			 * RRSIGs are validated as part of validating the
 			 * type they cover.
 			 */
 			if (rdataset->type == dns_rdatatype_rrsig)
 				continue;
 			/*
 			 * Find the SIG for this rdataset, if we have it.
 			 */
 			for (sigrdataset = ISC_LIST_HEAD(name->list);
 			     sigrdataset != NULL;
 			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
 				if (sigrdataset->type == dns_rdatatype_rrsig &&
 @@ -4394,42 +4513,26 @@ cache_name(fetchctx_t *fctx, dns_name_t
+				}
+			}
 			/*
 			 * Normalize the rdataset and sigrdataset TTLs.
 			 */
 			if (sigrdataset != NULL) {
 				rdataset->ttl = ISC_MIN(rdataset->ttl,
 							sigrdataset->ttl);
 				sigrdataset->ttl = rdataset->ttl;
+			}
 			/*
 			 * Reject out of bailiwick additional records
 			 * without RRSIGs as they can't possibly validate
 			 * as "secure" and as we will never never want to
 			 * store these as "answers" after validation.
 			 */
 			if (rdataset->trust == dns_trust_additional &&
 			    sigrdataset == NULL && EXTERNAL(rdataset))
 				continue;
 			/*
 			 * XXXMPA: If we store as "answer" after validating
 			 * then we need to do bailiwick processing and
 			 * also need to track whether RRsets are in or
 			 * out of bailiwick.  This will require a another
 			 * pending trust level.
 			 * Cache this rdataset/sigrdataset pair as
 			 * pending data.  Track whether it was additional
 			 * or not.
 			 */
 			if (rdataset->trust == dns_trust_additional)
 				trust = dns_trust_pending_additional;
 			else
 				trust = dns_trust_pending_answer;
 			rdataset->trust = trust;
 			if (sigrdataset != NULL)
 				sigrdataset->trust = trust;
 			if (!need_validation || !ANSWER(rdataset)) {
 @@ -5778,29 +5881,27 @@ answer_response(fetchctx_t *fctx) {
 						if (aflag ==
 						    DNS_RDATASETATTR_ANSWER)
 							have_answer = ISC_TRUE;
 						name->attributes |=
 							DNS_NAMEATTR_ANSWER;
 						rdataset->attributes |= aflag;
 						if (aa)
 							rdataset->trust =
 							  dns_trust_authanswer;
 					} else if (external) {
 						/*
 						 * This data is outside of
 						 * our query domain, and
-						 * may only be cached if it
+						 * may not be cached.
 						 * comes from a secure zone
 						 * and validates.
 						 */
 						rdataset->attributes |=
 						    DNS_RDATASETATTR_EXTERNAL;
+					}
 					/*
 					 * Mark any additional data related
 					 * to this rdataset.
 					 */
 					(void)dns_rdataset_additionaldata(
 							rdataset,
 							check_related,
 							fctx);
 @@ -6052,33 +6153,60 @@ answer_response(fetchctx_t *fctx) {
 							fctx);
 					done = ISC_TRUE;
+				}
+			}
+		}
 		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
 	return (result);
+}
 static isc_boolean_t
 fctx_decreference(fetchctx_t *fctx) {
 	isc_boolean_t bucket_empty = ISC_FALSE;
 	INSIST(fctx->references > 0);
 	fctx->references--;
 	if (fctx->references == 0) {
 		/*
 		 * No one cares about the result of this fetch anymore.
 		 */
 		if (fctx->pending == 0 && fctx->nqueries == 0 &&
 		    ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) {
 			/*
 			 * This fctx is already shutdown; we were just
 			 * waiting for the last reference to go away.
 			 */
 			bucket_empty = fctx_destroy(fctx);
 		} else {
 			/*
 			 * Initiate shutdown.
 			 */
 			fctx_shutdown(fctx);
+		}
+	}
 	return (bucket_empty);
+}
 static void
 resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *fevent;
 	dns_resolver_t *res;
 	fetchctx_t *fctx;
 	isc_result_t result;
-	isc_boolean_t bucket_empty = ISC_FALSE;
+	isc_boolean_t bucket_empty;
 	isc_boolean_t locked = ISC_FALSE;
 	unsigned int bucketnum;
 	dns_rdataset_t nameservers;
 	dns_fixedname_t fixed;
 	dns_name_t *domain;
 	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
 	fevent = (dns_fetchevent_t *)event;
 	fctx = event->ev_arg;
 	REQUIRE(VALID_FCTX(fctx));
 	res = fctx->res;
 	UNUSED(task);
 @@ -6106,27 +6234,27 @@ resume_dslookup(isc_task_t *task, isc_ev
 		dns_name_free(&fctx->domain,
 			      fctx->res->buckets[bucketnum].mctx);
 		dns_name_init(&fctx->domain, NULL);
 		result = dns_name_dup(&fctx->nsname,
 				      fctx->res->buckets[bucketnum].mctx,
 				      &fctx->domain);
 		if (result != ISC_R_SUCCESS) {
 			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 			goto cleanup;
+		}
 		/*
 		 * Try again.
 		 */
-		fctx_try(fctx, ISC_TRUE);
+		fctx_try(fctx, ISC_TRUE, ISC_FALSE);
 	} else {
 		unsigned int n;
 		dns_rdataset_t *nsrdataset = NULL;
 		/*
 		 * Retrieve state from fctx->nsfetch before we destroy it.
 		 */
 		dns_fixedname_init(&fixed);
 		domain = dns_fixedname_name(&fixed);
 		dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
 		if (dns_name_equal(&fctx->nsname, domain)) {
 			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 			dns_resolver_destroyfetch(&fctx->nsfetch);
 @@ -6162,29 +6290,27 @@ resume_dslookup(isc_task_t *task, isc_ev
 			fctx->references++;
+		}
+	}
  cleanup:
 	if (dns_rdataset_isassociated(&nameservers))
 		dns_rdataset_disassociate(&nameservers);
 	if (dns_rdataset_isassociated(fevent->rdataset))
 		dns_rdataset_disassociate(fevent->rdataset);
 	INSIST(fevent->sigrdataset == NULL);
 	isc_event_free(&event);
 	if (!locked)
 		LOCK(&res->buckets[bucketnum].lock);
-	fctx->references--;
+	bucket_empty = fctx_decreference(fctx);
 	if (fctx->references == 0)
 		bucket_empty = fctx_destroy(fctx);
 	UNLOCK(&res->buckets[bucketnum].lock);
 	if (bucket_empty)
 		empty_bucket(res);
+}
 static inline void
 checknamessection(dns_message_t *message, dns_section_t section) {
 	isc_result_t result;
 	dns_name_t *name;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t *rdataset;
 	for (result = dns_message_firstname(message, section);
 @@ -6337,48 +6463,50 @@ resquery_response(isc_task_t *task, isc_
 	isc_boolean_t truncated;
 	dns_message_t *message;
 	dns_rdataset_t *opt;
 	fetchctx_t *fctx;
 	dns_name_t *fname;
 	dns_fixedname_t foundname;
 	isc_stdtime_t now;
 	isc_time_t tnow, *finish;
 	dns_adbaddrinfo_t *addrinfo;
 	unsigned int options;
 	unsigned int findoptions;
 	isc_result_t broken_server;
 	badnstype_t broken_type = badns_response;
 	isc_boolean_t no_response;
 	REQUIRE(VALID_QUERY(query));
 	fctx = query->fctx;
 	options = query->options;
 	REQUIRE(VALID_FCTX(fctx));
 	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
 	QTRACE("response");
 	if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET)
 		inc_stats(fctx->res, dns_resstatscounter_responsev4);
 	else
 		inc_stats(fctx->res, dns_resstatscounter_responsev6);
 	(void)isc_timer_touch(fctx->timer);
 	keep_trying = ISC_FALSE;
 	broken_server = ISC_R_SUCCESS;
 	get_nameservers = ISC_FALSE;
 	resend = ISC_FALSE;
 	truncated = ISC_FALSE;
 	finish = NULL;
 	no_response = ISC_FALSE;
 	if (fctx->res->exiting) {
 		result = ISC_R_SHUTTINGDOWN;
 		goto done;
+	}
 	fctx->timeouts = 0;
 	fctx->timeout = ISC_FALSE;
 	fctx->addrinfo = query->addrinfo;
 	/*
 	 * XXXRTH  We should really get the current time just once.  We
 	 *		need a routine to convert from an isc_time_t to an
 @@ -6407,35 +6535,39 @@ resquery_response(isc_task_t *task, isc_
 			dns_adb_changeflags(fctx->adb,
 					    query->addrinfo,
 					    DNS_FETCHOPT_NOEDNS0,
 					    DNS_FETCHOPT_NOEDNS0);
 		} else {
 			/*
 			 * There's no hope for this query.
 			 */
 			keep_trying = ISC_TRUE;
 			/*
 			 * If this is a network error on an exclusive query
 			 * socket, mark the server as bad so that we won't try
-			 * it for this fetch again.
+			 * it for this fetch again.  Also adjust finish and
 			 * no_response so that we penalize this address in SRTT
 			 * adjustment later.
 			 */
 			if (query->exclusivesocket &&
 			    (devent->result == ISC_R_HOSTUNREACH ||
 			     devent->result == ISC_R_NETUNREACH ||
 			     devent->result == ISC_R_CONNREFUSED ||
 			     devent->result == ISC_R_CANCELED)) {
 				    broken_server = devent->result;
 				    broken_type = badns_unreachable;
 				    finish = NULL;
 				    no_response = ISC_TRUE;
+			}
+		}
 		goto done;
+	}
 	message = fctx->rmessage;
 	if (query->tsig != NULL) {
 		result = dns_message_setquerytsig(message, query->tsig);
 		if (result != ISC_R_SUCCESS)
 			goto done;
+	}
 @@ -6547,26 +6679,45 @@ resquery_response(isc_task_t *task, isc_
 	/*
 	 * The dispatcher should ensure we only get responses with QR set.
 	 */
 	INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
 	/*
 	 * INSIST() that the message comes from the place we sent it to,
 	 * since the dispatch code should ensure this.
+	 *
 	 * INSIST() that the message id is correct (this should also be
 	 * ensured by the dispatch code).
 	 */
 	/*
 	 * We have an affirmative response to the query and we have
 	 * previously got a response from this server which indicated
 	 * EDNS may not be supported so we can now cache the lack of
 	 * EDNS support.
 	 */
 	if (opt == NULL &&
 	    (message->rcode == dns_rcode_noerror ||
 	     message->rcode == dns_rcode_nxdomain ||
 	     message->rcode == dns_rcode_refused ||
 	     message->rcode == dns_rcode_yxdomain) &&
 	     bad_edns(fctx, &query->addrinfo->sockaddr)) {
 		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
 		isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
 				    sizeof(addrbuf));
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
 				    DNS_FETCHOPT_NOEDNS0,
 				    DNS_FETCHOPT_NOEDNS0);
+	}
 	/*
 	 * Deal with truncated responses by retrying using TCP.
 	 */
 	if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
 		truncated = ISC_TRUE;
 	if (truncated) {
 		inc_stats(fctx->res, dns_resstatscounter_truncated);
 		if ((options & DNS_FETCHOPT_TCP) != 0) {
 			broken_server = DNS_R_TRUNCATEDTCP;
 			keep_trying = ISC_TRUE;
 		} else {
 @@ -6602,50 +6753,47 @@ resquery_response(isc_task_t *task, isc_
 			break;
 		default:
 			inc_stats(fctx->res, dns_resstatscounter_othererror);
 			break;
+		}
+	}
 	/*
 	 * Is the remote server broken, or does it dislike us?
 	 */
 	if (message->rcode != dns_rcode_noerror &&
 	    message->rcode != dns_rcode_nxdomain) {
 		if (((message->rcode == dns_rcode_formerr ||
-		     message->rcode == dns_rcode_notimp) ||
+		      message->rcode == dns_rcode_notimp) ||
-		    (message->rcode == dns_rcode_servfail &&
+		     (message->rcode == dns_rcode_servfail &&
-		     dns_message_getopt(message) == NULL)) &&
+		      dns_message_getopt(message) == NULL)) &&
 		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 			/*
 			 * It's very likely they don't like EDNS0.
 			 * If the response code is SERVFAIL, also check if the
 			 * response contains an OPT RR and don't cache the
 			 * failure since it can be returned for various other
 			 * reasons.
+			 *
 			 * XXXRTH  We should check if the question
 			 *		we're asking requires EDNS0, and
 			 *		if so, we should bail out.
 			 */
 			options |= DNS_FETCHOPT_NOEDNS0;
 			resend = ISC_TRUE;
 			/*
-			 * Remember that they don't like EDNS0.
+			 * Remember that they may not like EDNS0.
 			 */
-			if (message->rcode != dns_rcode_servfail)
+			add_bad_edns(fctx, &query->addrinfo->sockaddr);
 				dns_adb_changeflags(fctx->adb, query->addrinfo,
 						    DNS_FETCHOPT_NOEDNS0,
 						    DNS_FETCHOPT_NOEDNS0);
 			inc_stats(fctx->res, dns_resstatscounter_edns0fail);
 		} else if (message->rcode == dns_rcode_formerr) {
 			if (ISFORWARDER(query->addrinfo)) {
 				/*
 				 * This forwarder doesn't understand us,
 				 * but other forwarders might.  Keep trying.
 				 */
 				broken_server = DNS_R_REMOTEFORMERR;
 				keep_trying = ISC_TRUE;
 			} else {
 				/*
 				 * The server doesn't understand us.  Since
 				 * all servers for a zone need similar
 @@ -6918,27 +7066,27 @@ resquery_response(isc_task_t *task, isc_
  done:
 	/*
 	 * Remember the query's addrinfo, in case we need to mark the
 	 * server as broken.
 	 */
 	addrinfo = query->addrinfo;
 	/*
 	 * Cancel the query.
+	 *
 	 * XXXRTH  Don't cancel the query if waiting for validation?
 	 */
-	fctx_cancelquery(&query, &devent, finish, ISC_FALSE);
+	fctx_cancelquery(&query, &devent, finish, no_response);
 	if (keep_trying) {
 		if (result == DNS_R_FORMERR)
 			broken_server = DNS_R_FORMERR;
 		if (broken_server != ISC_R_SUCCESS) {
 			/*
 			 * Add this server to the list of bad servers for
 			 * this fctx.
 			 */
 			add_bad(fctx, addrinfo, broken_server, broken_type);
+		}
 		if (get_nameservers) {
 @@ -6985,27 +7133,27 @@ resquery_response(isc_task_t *task, isc_
 			if (result != ISC_R_SUCCESS) {
 				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 				return;
+			}
 			fctx_cancelqueries(fctx, ISC_TRUE);
 			fctx_cleanupfinds(fctx);
 			fctx_cleanupaltfinds(fctx);
 			fctx_cleanupforwaddrs(fctx);
 			fctx_cleanupaltaddrs(fctx);
+		}
 		/*
 		 * Try again.
 		 */
-		fctx_try(fctx, !get_nameservers);
+		fctx_try(fctx, !get_nameservers, ISC_FALSE);
 	} else if (resend) {
 		/*
 		 * Resend (probably with changed options).
 		 */
 		FCTXTRACE("resend");
 		inc_stats(fctx->res, dns_resstatscounter_retry);
 		result = fctx_query(fctx, addrinfo, options);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
 	} else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
 		/*
 		 * All has gone well so far, but we are waiting for the
 		 * DNSSEC validator to validate the answer.
 @@ -7029,44 +7177,67 @@ resquery_response(isc_task_t *task, isc_
 		n = dns_name_countlabels(&fctx->name);
 		dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
 		FCTXTRACE("suspending DS lookup to find parent's NS records");
 		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
 						  dns_rdatatype_ns,
 						  NULL, NULL, NULL, 0, task,
 						  resume_dslookup, fctx,
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
 		if (result != ISC_R_SUCCESS)
 			fctx_done(fctx, result, __LINE__);
-		LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+		else {
-		fctx->references++;
+			LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+			fctx->references++;
-		result = fctx_stopidletimer(fctx);
+			UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-		if (result != ISC_R_SUCCESS)
+			result = fctx_stopidletimer(fctx);
-			fctx_done(fctx, result, __LINE__);
+			if (result != ISC_R_SUCCESS)
 				fctx_done(fctx, result, __LINE__);
+		}
 	} else {
 		/*
 		 * We're done.
 		 */
 		fctx_done(fctx, result, __LINE__);
+	}
+}
 /***
  *** Resolver Methods
  ***/
 static void
 destroy_badcache(dns_resolver_t *res) {
 	dns_badcache_t *bad, *next;
 	unsigned int i;
 	if (res->badcache != NULL) {
 		for (i = 0; i < res->badhash; i++)
 			for (bad = res->badcache[i]; bad != NULL;
 			     bad = next) {
 				next = bad->next;
 				isc_mem_put(res->mctx, bad, sizeof(*bad) +
 					    bad->name.length);
 				res->badcount--;
+			}
 		isc_mem_put(res->mctx, res->badcache,
 			    sizeof(*res->badcache) * res->badhash);
 		res->badcache = NULL;
 		res->badhash = 0;
 		INSIST(res->badcount == 0);
+	}
+}
 static void
 destroy(dns_resolver_t *res) {
 	unsigned int i;
 	alternate_t *a;
 	REQUIRE(res->references == 0);
 	REQUIRE(!res->priming);
 	REQUIRE(res->primefetch == NULL);
 	RTRACE("destroy");
 	INSIST(res->nfctx == 0);
 @@ -7084,26 +7255,27 @@ destroy(dns_resolver_t *res) {
 	isc_mem_put(res->mctx, res->buckets,
 		    res->nbuckets * sizeof(fctxbucket_t));
 	if (res->dispatchv4 != NULL)
 		dns_dispatch_detach(&res->dispatchv4);
 	if (res->dispatchv6 != NULL)
 		dns_dispatch_detach(&res->dispatchv6);
 	while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
 		ISC_LIST_UNLINK(res->alternates, a, link);
 		if (!a->isaddress)
 			dns_name_free(&a->_u._n.name, res->mctx);
 		isc_mem_put(res->mctx, a, sizeof(*a));
+	}
 	dns_resolver_reset_algorithms(res);
 	destroy_badcache(res);
 	dns_resolver_resetmustbesecure(res);
 #if USE_ALGLOCK
 	isc_rwlock_destroy(&res->alglock);
 #endif
 #if USE_MBSLOCK
 	isc_rwlock_destroy(&res->mbslock);
 #endif
 	isc_timer_detach(&res->spillattimer);
 	res->magic = 0;
 	isc_mem_put(res->mctx, res, sizeof(*res));
+}
 static void
 @@ -7207,26 +7379,30 @@ dns_resolver_create(dns_view_t *view,
 	RTRACE("create");
 	res->mctx = view->mctx;
 	res->rdclass = view->rdclass;
 	res->socketmgr = socketmgr;
 	res->timermgr = timermgr;
 	res->taskmgr = taskmgr;
 	res->dispatchmgr = dispatchmgr;
 	res->view = view;
 	res->options = options;
 	res->lame_ttl = 0;
 	ISC_LIST_INIT(res->alternates);
 	res->udpsize = RECV_BUFFER_SIZE;
 	res->algorithms = NULL;
 	res->badcache = NULL;
 	res->badcount = 0;
 	res->badhash = 0;
 	res->badsweep = 0;
 	res->mustbesecure = NULL;
 	res->spillatmin = res->spillat = 10;
 	res->spillatmax = 100;
 	res->spillattimer = NULL;
 	res->zero_no_soa_ttl = ISC_FALSE;
 	res->ndisps = 0;
 	res->nextdisp = 0; /* meaningless at this point, but init it */
 	res->nbuckets = ntasks;
 	res->activebuckets = ntasks;
 	res->buckets = isc_mem_get(view->mctx,
 				   ntasks * sizeof(fctxbucket_t));
 	if (res->buckets == NULL) {
 		result = ISC_R_NOMEMORY;
 @@ -7473,33 +7649,31 @@ dns_resolver_prime(dns_resolver_t *res)
 		UNLOCK(&res->primelock);
 		if (result != ISC_R_SUCCESS) {
 			LOCK(&res->lock);
 			INSIST(res->priming);
 			res->priming = ISC_FALSE;
 			UNLOCK(&res->lock);
+		}
+	}
+}
 #endif /* BIND9 */
 void
 dns_resolver_freeze(dns_resolver_t *res) {
 	/*
 	 * Freeze resolver.
 	 */
 	REQUIRE(VALID_RESOLVER(res));
 	REQUIRE(!res->frozen);
 	res->frozen = ISC_TRUE;
+}
 void
 dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
 	REQUIRE(VALID_RESOLVER(source));
 	REQUIRE(targetp != NULL && *targetp == NULL);
 	RRTRACE(source, "attach");
 	LOCK(&source->lock);
 	REQUIRE(!source->exiting);
 @@ -7855,27 +8029,27 @@ dns_resolver_cancelfetch(dns_fetch_t *fe
 	 * the answer is still cached.
 	 */
 	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
 void
 dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 	dns_fetch_t *fetch;
 	dns_resolver_t *res;
 	dns_fetchevent_t *event, *next_event;
 	fetchctx_t *fctx;
 	unsigned int bucketnum;
-	isc_boolean_t bucket_empty = ISC_FALSE;
+	isc_boolean_t bucket_empty;
 	REQUIRE(fetchp != NULL);
 	fetch = *fetchp;
 	REQUIRE(DNS_FETCH_VALID(fetch));
 	fctx = fetch->private;
 	REQUIRE(VALID_FCTX(fctx));
 	res = fctx->res;
 	FTRACE("destroyfetch");
 	bucketnum = fctx->bucketnum;
 	LOCK(&res->buckets[bucketnum].lock);
 @@ -7883,47 +8057,27 @@ dns_resolver_destroyfetch(dns_fetch_t **
 	 * Sanity check: the caller should have gotten its event before
 	 * trying to destroy the fetch.
 	 */
 	event = NULL;
 	if (fctx->state != fetchstate_done) {
 		for (event = ISC_LIST_HEAD(fctx->events);
 		     event != NULL;
 		     event = next_event) {
 			next_event = ISC_LIST_NEXT(event, ev_link);
 			RUNTIME_CHECK(event->fetch != fetch);
+		}
+	}
-	INSIST(fctx->references > 0);
+	bucket_empty = fctx_decreference(fctx);
 	fctx->references--;
 	if (fctx->references == 0) {
 		/*
 		 * No one cares about the result of this fetch anymore.
 		 */
 		if (fctx->pending == 0 && fctx->nqueries == 0 &&
 		    ISC_LIST_EMPTY(fctx->validators) &&
 		    SHUTTINGDOWN(fctx)) {
 			/*
 			 * This fctx is already shutdown; we were just
 			 * waiting for the last reference to go away.
 			 */
 			bucket_empty = fctx_destroy(fctx);
 		} else {
 			/*
 			 * Initiate shutdown.
 			 */
 			fctx_shutdown(fctx);
 	UNLOCK(&res->buckets[bucketnum].lock);
 	isc_mem_put(res->mctx, fetch, sizeof(*fetch));
 	*fetchp = NULL;
 	if (bucket_empty)
 		empty_bucket(res);
+}
 void
 dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
 		      isc_logcategory_t *category, isc_logmodule_t *module,
 @@ -8050,26 +8204,276 @@ dns_resolver_addalternate(dns_resolver_t
 void
 dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
 	REQUIRE(VALID_RESOLVER(resolver));
 	resolver->udpsize = udpsize;
+}
 isc_uint16_t
 dns_resolver_getudpsize(dns_resolver_t *resolver) {
 	REQUIRE(VALID_RESOLVER(resolver));
 	return (resolver->udpsize);
+}
 void
 dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) {
 	unsigned int i;
 	dns_badcache_t *bad, *prev, *next;
 	REQUIRE(VALID_RESOLVER(resolver));
 	LOCK(&resolver->lock);
 	if (resolver->badcache == NULL)
 		goto unlock;
 	if (name != NULL) {
 		isc_time_t now;
 		isc_result_t result;
 		result = isc_time_now(&now);
 		if (result != ISC_R_SUCCESS)
 			isc_time_settoepoch(&now);
 		i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
 		prev = NULL;
 		for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
 			int n;
 			next = bad->next;
 			n = isc_time_compare(&bad->expire, &now);
 			if (n < 0 || dns_name_equal(name, &bad->name)) {
 				if (prev == NULL)
 					resolver->badcache[i] = bad->next;
 				else
 					prev->next = bad->next;
 				isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
 					    bad->name.length);
 				resolver->badcount--;
 			} else
 				prev = bad;
+		}
 	} else
 		destroy_badcache(resolver);
  unlock:
 	UNLOCK(&resolver->lock);
+}
 static void
 resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) {
 	unsigned int newsize;
 	dns_badcache_t **new, *bad, *next;
 	unsigned int i;
 	if (grow)
 		newsize = resolver->badhash * 2 + 1;
 	else
 		newsize = (resolver->badhash - 1) / 2;
 	new = isc_mem_get(resolver->mctx,
 			  sizeof(*resolver->badcache) * newsize);
 	if (new == NULL)
 		return;
 	memset(new, 0, sizeof(*resolver->badcache) * newsize);
 	for (i = 0; i < resolver->badhash; i++) {
 		for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
 			next = bad->next;
 			if (isc_time_compare(&bad->expire, now) < 0) {
 				isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
 					    bad->name.length);
 				resolver->badcount--;
 			} else {
 				bad->next = new[bad->hashval % newsize];
 				new[bad->hashval % newsize] = bad;
+			}
+		}
+	}
 	isc_mem_put(resolver->mctx, resolver->badcache,
 		    sizeof(*resolver->badcache) * resolver->badhash);
 	resolver->badhash = newsize;
 	resolver->badcache = new;
+}
 void
 dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
 			 dns_rdatatype_t type, isc_time_t *expire)
+{
 	isc_time_t now;
 	isc_result_t result = ISC_R_SUCCESS;
 	unsigned int i, hashval;
 	dns_badcache_t *bad, *prev, *next;
 	REQUIRE(VALID_RESOLVER(resolver));
 	LOCK(&resolver->lock);
 	if (resolver->badcache == NULL) {
 		resolver->badcache = isc_mem_get(resolver->mctx,
 						 sizeof(*resolver->badcache) *
 						 DNS_BADCACHE_SIZE);
 		if (resolver->badcache == NULL) {
 			result = ISC_R_NOMEMORY;
 			goto cleanup;
+		}
 		resolver->badhash = DNS_BADCACHE_SIZE;
 		memset(resolver->badcache, 0, sizeof(*resolver->badcache) *
 		       resolver->badhash);
+	}
 	result = isc_time_now(&now);
 	if (result != ISC_R_SUCCESS)
 		isc_time_settoepoch(&now);
 	hashval = dns_name_hash(name, ISC_FALSE);
 	i = hashval % resolver->badhash;
 	prev = NULL;
 	for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
 		next = bad->next;
 		if (bad->type == type && dns_name_equal(name, &bad->name))
 			break;
 		if (isc_time_compare(&bad->expire, &now) < 0) {
 			if (prev == NULL)
 				resolver->badcache[i] = bad->next;
 			else
 				prev->next = bad->next;
 			isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
 				    bad->name.length);
 			resolver->badcount--;
 		} else
 			prev = bad;
+	}
 	if (bad == NULL) {
 		isc_buffer_t buffer;
 		bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length);
 		if (bad == NULL) {
 			result = ISC_R_NOMEMORY;
 			goto cleanup;
+		}
 		bad->type = type;
 		bad->hashval = hashval;
 		isc_buffer_init(&buffer, bad + 1, name->length);
 		dns_name_init(&bad->name, NULL);
 		dns_name_copy(name, &bad->name, &buffer);
 		bad->next = resolver->badcache[i];
 		resolver->badcache[i] = bad;
 		resolver->badcount++;
 		if (resolver->badcount > resolver->badhash * 8)
 			resizehash(resolver, &now, ISC_TRUE);
 		if (resolver->badcount < resolver->badhash * 2 &&
 		    resolver->badhash > DNS_BADCACHE_SIZE)
 			resizehash(resolver, &now, ISC_FALSE);
+	}
 	bad->expire = *expire;
  cleanup:
 	UNLOCK(&resolver->lock);
+}
 isc_boolean_t
 dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
 			 dns_rdatatype_t type, isc_time_t *now)
+{
 	dns_badcache_t *bad, *prev, *next;
 	isc_boolean_t answer = ISC_FALSE;
 	unsigned int i;
 	REQUIRE(VALID_RESOLVER(resolver));
 	LOCK(&resolver->lock);
 	if (resolver->badcache == NULL)
 		goto unlock;
 	i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
 	prev = NULL;
 	for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
 		next = bad->next;
 		/*
 		 * Search the hash list. Clean out expired records as we go.
 		 */
 		if (isc_time_compare(&bad->expire, now) < 0) {
 			if (prev != NULL)
 				prev->next = bad->next;
 			else
 				resolver->badcache[i] = bad->next;
 			isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
 				    bad->name.length);
 			resolver->badcount--;
 			continue;
+		}
 		if (bad->type == type && dns_name_equal(name, &bad->name)) {
 			answer = ISC_TRUE;
 			break;
+		}
 		prev = bad;
+	}
 	/*
 	 * Slow sweep to clean out stale records.
 	 */
 	i = resolver->badsweep++ % resolver->badhash;
 	bad = resolver->badcache[i];
 	if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) {
 		resolver->badcache[i] = bad->next;
 		isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
 			    bad->name.length);
 		resolver->badcount--;
+	}
  unlock:
 	UNLOCK(&resolver->lock);
 	return (answer);
+}
 void
 dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char typebuf[DNS_RDATATYPE_FORMATSIZE];
 	dns_badcache_t *bad, *next, *prev;
 	isc_time_t now;
 	unsigned int i;
 	isc_uint64_t t;
 	LOCK(&resolver->lock);
 	fprintf(fp, ";\n; Bad cache\n;\n");
 	if (resolver->badcache == NULL)
 		goto unlock;
 	TIME_NOW(&now);
 	for (i = 0; i < resolver->badhash; i++) {
 		prev = NULL;
 		for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
 			next = bad->next;
 			if (isc_time_compare(&bad->expire, &now) < 0) {
 				if (prev != NULL)
 					prev->next = bad->next;
 				else
 					resolver->badcache[i] = bad->next;
 				isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
 					    bad->name.length);
 				resolver->badcount--;
 				continue;
+			}
 			prev = bad;
 			dns_name_format(&bad->name, namebuf, sizeof(namebuf));
 			dns_rdatatype_format(bad->type, typebuf,
 					     sizeof(typebuf));
 			t = isc_time_microdiff(&bad->expire, &now);
 			t /= 1000;
 			fprintf(fp, "; %s/%s [ttl "
 				"%" ISC_PLATFORM_QUADFORMAT "u]\n",
 				namebuf, typebuf, t);
+		}
+	}
  unlock:
 	UNLOCK(&resolver->lock);
+}
 static void
 free_algorithm(void *node, void *arg) {
 	unsigned char *algorithms = node;
 	isc_mem_t *mctx = arg;
 	isc_mem_put(mctx, algorithms, *algorithms);
+}
 void
 dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
 	REQUIRE(VALID_RESOLVER(resolver));

--- src/external/bsd/bind/dist/lib/dns/include/dns/Attic/name.h 2009/10/25 00:14:33	1.3
+++ src/external/bsd/bind/dist/lib/dns/include/dns/Attic/name.h 2010/08/06 10:58:12	1.4

 @@ -1,33 +1,33 @@
-/*	$NetBSD: name.h,v 1.3 2009/10/25 00:14:33 christos Exp $	*/
+/*	$NetBSD: name.h,v 1.4 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: name.h,v 1.132 2009/09/01 17:36:51 jinmei Exp */
+/* Id: name.h,v 1.132.104.3 2010/07/09 23:46:27 tbox Exp */
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
 /*****
  ***** Module Info
  *****/
 /*! \file dns/name.h
  * \brief
  * Provides facilities for manipulating DNS names and labels, including
  * conversions to and from wire format and text format.
+ *
 @@ -91,32 +91,26 @@ ISC_LANG_BEGINDECLS
  ***** label of type 00 (ordinary).
  *****/
 /*****
  ***** Names
  *****
  ***** A 'name' is a handle to a binary region.  It contains a sequence of one
  ***** or more DNS wire format labels of type 00 (ordinary).
  ***** Note that all names are not required to end with the root label,
  ***** as they are in the actual DNS wire protocol.
  *****/
 /***
  *** Compression pointer chaining limit
  ***/
 #define DNS_POINTER_MAXHOPS		16
 /***
  *** Types
  ***/
 /*%
  * Clients are strongly discouraged from using this type directly,  with
  * the exception of the 'link' and 'list' fields which may be used directly
  * for whatever purpose the client desires.
  */
 struct dns_name {
 	unsigned int			magic;
 	unsigned char *			ndata;
 	unsigned int			length;
 	unsigned int			labels;
 @@ -800,36 +794,51 @@ dns_name_fromtext(dns_name_t *name, isc_
+ *
  * Result:
  *\li	#ISC_R_SUCCESS
  *\li	#DNS_R_EMPTYLABEL
  *\li	#DNS_R_LABELTOOLONG
  *\li	#DNS_R_BADESCAPE
  *\li	(#DNS_R_BADBITSTRING: should not be returned)
  *\li	(#DNS_R_BITSTRINGTOOLONG: should not be returned)
  *\li	#DNS_R_BADDOTTEDQUAD
  *\li	#ISC_R_NOSPACE
  *\li	#ISC_R_UNEXPECTEDEND
  */
 #define DNS_NAME_OMITFINALDOT	0x01U
 #define DNS_NAME_MASTERFILE	0x02U	/* escape $ and @ */
 isc_result_t
 dns_name_toprincipal(dns_name_t *name, isc_buffer_t *target);
 isc_result_t
 dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 		isc_buffer_t *target);
 isc_result_t
 dns_name_totext2(dns_name_t *name, unsigned int options, isc_buffer_t *target);
 /*%<
  * Convert 'name' into text format, storing the result in 'target'.
+ *
  * Notes:
  *\li	If 'omit_final_dot' is true, then the final '.' in absolute
  *	names other than the root name will be omitted.
+ *
  *\li	If DNS_NAME_OMITFINALDOT is set in options, then the final '.'
  *	in absolute names other than the root name will be omitted.
+ *
  *\li	If DNS_NAME_MASTERFILE is set in options, '$' and '@' will also
  *	be escaped.
+ *
  *\li	If dns_name_countlabels == 0, the name will be "@", representing the
  *	current origin as described by RFC1035.
+ *
  *\li	The name is not NUL terminated.
+ *
  * Requires:
+ *
  *\li	'name' is a valid name
+ *
  *\li	'target' is a valid buffer.
+ *
  *\li	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
+ *

--- src/external/bsd/bind/dist/lib/dns/include/dns/Attic/zone.h 2009/12/26 23:08:23	1.4
+++ src/external/bsd/bind/dist/lib/dns/include/dns/Attic/zone.h 2010/08/06 10:58:12	1.5

 @@ -1,33 +1,33 @@
-/*	$NetBSD: zone.h,v 1.4 2009/12/26 23:08:23 christos Exp $	*/
+/*	$NetBSD: zone.h,v 1.5 2010/08/06 10:58:12 christos Exp $	*/
 /*
  * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: zone.h,v 1.174 2009/12/04 22:06:37 tbox Exp */
+/* Id: zone.h,v 1.174.4.1 2009/12/29 22:23:00 marka Exp */
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
 /*! \file dns/zone.h */
 /***
  ***	Imports
  ***/
 #include <stdio.h>
 #include <isc/formatcheck.h>
 @@ -1770,27 +1770,27 @@ dns_zone_addnsec3chain(dns_zone_t *zone,
 /*%<
  * Incrementally add a NSEC3 chain that corresponds to nsec3param.
  */
 void
 dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type);
 dns_rdatatype_t
 dns_zone_getprivatetype(dns_zone_t *zone);
 /*
  * Get/Set the private record type.  It is expected that these interfaces
  * will not be permanent.
  */
-isc_result_t
+void
 dns_zone_rekey(dns_zone_t *zone);
 /*%<
  * Update the zone's DNSKEY set from the key repository.
  */
 isc_result_t
 dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
 		 unsigned int *errors);
 /*%
  * Check if the name servers for the zone are sane (have address, don't
  * refer to CNAMEs/DNAMEs.  The number of constiancy errors detected in
  * returned in '*errors'
+ *

--- src/external/bsd/bind/dist/lib/isc/include/isc/Attic/mem.h 2009/10/25 00:14:33	1.3
+++ src/external/bsd/bind/dist/lib/isc/include/isc/Attic/mem.h 2010/08/06 10:58:12	1.4

 @@ -1,33 +1,33 @@
-/*	$NetBSD: mem.h,v 1.3 2009/10/25 00:14:33 christos Exp $	*/
+/*	$NetBSD: mem.h,v 1.4 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: mem.h,v 1.86 2009/09/04 18:51:37 jinmei Exp */
+/* Id: mem.h,v 1.86.102.2 2010/03/04 23:49:20 tbox Exp */
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
 /*! \file isc/mem.h */
 #include <stdio.h>
 #include <isc/lang.h>
 #include <isc/mutex.h>
 #include <isc/platform.h>
 #include <isc/types.h>
 #include <isc/xml.h>
 @@ -113,27 +113,27 @@ LIBISC_EXTERNAL_DATA extern unsigned int
+ *
  * \li #ISC_MEM_DEBUGSIZE
  *	Check the size argument being passed to isc_mem_put() matches
  *	that passed to isc_mem_get().
+ *
  * \li #ISC_MEM_DEBUGCTX
  *	Check the mctx argument being passed to isc_mem_put() matches
  *	that passed to isc_mem_get().
  */
 /*@}*/
 #if ISC_MEM_TRACKLINES
 #define _ISC_MEM_FILELINE	, __FILE__, __LINE__
-#define _ISC_MEM_FLARG		, const char *, int
+#define _ISC_MEM_FLARG		, const char *, unsigned int
 #else
 #define _ISC_MEM_FILELINE
 #define _ISC_MEM_FLARG
 #endif
 /*!
  * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
  * implementation in preference to the system one.  The internal malloc()
  * is very space-efficient, and quite fast on uniprocessor systems.  It
  * performs poorly on multiprocessor machines.
  * JT: we can overcome the performance issue on multiprocessor machines
  * by carefully separating memory contexts.
  */

--- src/external/bsd/bind/dist/lib/isc/include/isc/Attic/util.h 2009/04/12 03:46:08	1.2
+++ src/external/bsd/bind/dist/lib/isc/include/isc/Attic/util.h 2010/08/06 10:58:12	1.3

 @@ -1,33 +1,33 @@
-/*	$NetBSD: util.h,v 1.2 2009/04/12 03:46:08 christos Exp $	*/
+/*	$NetBSD: util.h,v 1.3 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: util.h,v 1.30 2007/06/19 23:47:18 tbox Exp */
+/* Id: util.h,v 1.30.558.1 2010/01/13 19:31:53 each Exp */
 #ifndef ISC_UTIL_H
 #define ISC_UTIL_H 1
 /*! \file isc/util.h
  * NOTE:
+ *
  * This file is not to be included from any <isc/???.h> (or other) library
  * files.
+ *
  * \brief
  * Including this file puts several macros in your name space that are
  * not protected (as all the other ISC functions/macros do) by prepending
 @@ -222,14 +222,24 @@
 /*% Unexpected Error */
 #define UNEXPECTED_ERROR		isc_error_unexpected
 /*% Fatal Error */
 #define FATAL_ERROR			isc_error_fatal
 /*% Runtime Check */
 #define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
 /*%
  * Time
  */
 #define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
 /*%
  * Prevent Linux spurious warnings
  */
 #if defined(__GNUC__) && (__GNUC__ > 3)
 #define isc_util_fwrite(a, b, c, d)	\
 	__builtin_expect(fwrite((a), (b), (c), (d)), (c))
 #else
 #define isc_util_fwrite(a, b, c, d)	fwrite((a), (b), (c), (d))
 #endif
 #endif /* ISC_UTIL_H */

--- src/external/bsd/bind/dist/lib/isc/unix/Attic/socket.c 2009/12/26 23:08:23	1.3
+++ src/external/bsd/bind/dist/lib/isc/unix/Attic/socket.c 2010/08/06 10:58:12	1.4

 @@ -1,33 +1,33 @@
-/*	$NetBSD: socket.c,v 1.3 2009/12/26 23:08:23 christos Exp $	*/
+/*	$NetBSD: socket.c,v 1.4 2010/08/06 10:58:12 christos Exp $	*/
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: socket.c,v 1.326 2009/11/13 00:41:58 each Exp */
+/* Id: socket.c,v 1.326.20.4 2010/03/12 03:25:20 marka Exp */
 /*! \file */
 #include <config.h>
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/uio.h>
 #include <errno.h>
 @@ -798,26 +798,27 @@ watch_fd(isc__socketmgr_t *manager, int
 	evchange.flags = EV_ADD;
 	evchange.ident = fd;
 	if (kevent(manager->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0)
 		result = isc__errno2result(errno);
 	return (result);
 #elif defined(USE_EPOLL)
 	struct epoll_event event;
 	if (msg == SELECT_POKE_READ)
 		event.events = EPOLLIN;
 	else
 		event.events = EPOLLOUT;
 	memset(&event.data, 0, sizeof(event.data));
 	event.data.fd = fd;
 	if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_ADD, fd, &event) == -1 &&
 	    errno != EEXIST) {
 		result = isc__errno2result(errno);
+	}
 	return (result);
 #elif defined(USE_DEVPOLL)
 	struct pollfd pfd;
 	int lockid = FDLOCK_ID(fd);
 	memset(&pfd, 0, sizeof(pfd));
 	if (msg == SELECT_POKE_READ)
 @@ -865,26 +866,27 @@ unwatch_fd(isc__socketmgr_t *manager, in
 	evchange.flags = EV_DELETE;
 	evchange.ident = fd;
 	if (kevent(manager->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0)
 		result = isc__errno2result(errno);
 	return (result);
 #elif defined(USE_EPOLL)
 	struct epoll_event event;
 	if (msg == SELECT_POKE_READ)
 		event.events = EPOLLIN;
 	else
 		event.events = EPOLLOUT;
 	memset(&event.data, 0, sizeof(event.data));
 	event.data.fd = fd;
 	if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_DEL, fd, &event) == -1 &&
 	    errno != ENOENT) {
 		char strbuf[ISC_STRERRORSIZE];
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "epoll_ctl(DEL), %d: %s", fd, strbuf);
 		result = ISC_R_UNEXPECTED;
+	}
 	return (result);
 #elif defined(USE_DEVPOLL)
 	struct pollfd pfds[2];
 	size_t writelen = sizeof(pfds[0]);
 @@ -1666,32 +1668,42 @@ doio_recv(isc__socket_t *sock, isc_socke
 #endif
 		SOFT_OR_HARD(EINVAL, ISC_R_HOSTUNREACH);
 #undef SOFT_OR_HARD
 #undef ALWAYS_HARD
 		dev->result = isc__errno2result(recv_errno);
 		inc_stats(sock->manager->stats,
 			  sock->statsindex[STATID_RECVFAIL]);
 		return (DOIO_HARD);
+	}
 	/*
-	 * On TCP, zero length reads indicate EOF, while on
+	 * On TCP and UNIX sockets, zero length reads indicate EOF,
-	 * UDP, zero length reads are perfectly valid, although
+	 * while on UDP sockets, zero length reads are perfectly valid,
-	 * strange.
+	 * although strange.
 	 */
-	if ((sock->type == isc_sockettype_tcp) && (cc == 0))
+	switch (sock->type) {
-		return (DOIO_EOF);
+	case isc_sockettype_tcp:
 	case isc_sockettype_unix:
 		if (cc == 0)
 			return (DOIO_EOF);
 		break;
 	case isc_sockettype_udp:
 		break;
 	case isc_sockettype_fdwatch:
 	default:
 		INSIST(0);
+	}
 	if (sock->type == isc_sockettype_udp) {
 		dev->address.length = msghdr.msg_namelen;
 		if (isc_sockaddr_getport(&dev->address) == 0) {
 			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
 				socket_log(sock, &dev->address, IOEVENT,
 					   isc_msgcat, ISC_MSGSET_SOCKET,
 					   ISC_MSG_ZEROPORT,
 					   "dropping source port zero packet");
+			}
 			return (DOIO_SOFT);
+		}
 		/*
 @@ -2378,26 +2390,46 @@ opensocket(isc__socketmgr_t *manager, is
 							"failed"),
 					 strbuf);
+		}
 #endif /* IPV6_RECVPKTINFO */
 #endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
 #ifdef IPV6_USE_MIN_MTU        /* RFC 3542, not too common yet*/
 		/* use minimum MTU */
 		if (sock->pf == AF_INET6) {
 			(void)setsockopt(sock->fd, IPPROTO_IPV6,
 					 IPV6_USE_MIN_MTU,
 					 (void *)&on, sizeof(on));
+		}
 #endif
 #if defined(IPV6_MTU)
 		/*
 		 * Use minimum MTU on IPv6 sockets.
 		 */
 		if (sock->pf == AF_INET6) {
 			int mtu = 1280;
 			(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU,
 					 &mtu, sizeof(mtu));
+		}
 #endif
 #if defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DONT)
 		/*
 		 * Turn off Path MTU discovery on IPv6/UDP sockets.
 		 */
 		if (sock->pf == AF_INET6) {
 			int action = IPV6_PMTUDISC_DONT;
 			(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
 					 &action, sizeof(action));
+		}
 #endif
 #endif /* ISC_PLATFORM_HAVEIPV6 */
 #endif /* defined(USE_CMSG) */
 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
 		/*
 		 * Turn off Path MTU discovery on IPv4/UDP sockets.
 		 */
 		if (sock->pf == AF_INET) {
 			int action = IP_PMTUDISC_DONT;
 			(void)setsockopt(sock->fd, IPPROTO_IP, IP_MTU_DISCOVER,
 					 &action, sizeof(action));
+		}
 #endif

--- src/external/bsd/bind/include/Attic/config.h 2009/12/26 23:08:23	1.3
+++ src/external/bsd/bind/include/Attic/config.h 2010/08/06 10:58:12	1.4

 @@ -7,27 +7,27 @@
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: config.h.in,v 1.122 2009/10/27 22:26:05 marka Exp */
+/* Id: config.h.in,v 1.122.32.10 2010/06/22 04:04:22 marka Exp */
 /*! \file */
 /***
  *** This file is not to be included by any public header files, because
  *** it does not get installed.
  ***/
 /** define on DEC OSF to enable 4.4BSD style sa_len support */
 /* #undef _SOCKADDR_LEN */
 /** define if your system needs pthread_init() before using pthreads */
 /* #undef NEED_PTHREAD_INIT */
 @@ -160,50 +160,68 @@ int sigwait(const unsigned int *set, int
 /* Define if recvmsg() does not meet all of the BSD socket API specifications.
    */
 /* #undef BROKEN_RECVMSG */
 /* Define if you cannot bind() before connect() for TCP sockets. */
 /* #undef BROKEN_TCP_BIND_BEFORE_CONNECT */
 /* Define to enable "rrset-order fixed" syntax. */
 #define DNS_RDATASET_FIXED 1
 /* Solaris hack to get select_large_fdset. */
 /* #undef FD_SETSIZE */
 /* Define to nothing if C supports flexible array members, and to 1 if it does
    not. That way, with a declaration like `struct s { int n; double
    d[FLEXIBLE_ARRAY_MEMBER]; };', the struct hack can be used with pre-C99
    compilers. When computing the size of such an object, don't use 'sizeof
    (struct s)' as it overestimates the size. Use 'offsetof (struct s, d)'
    instead. Don't use 'offsetof (struct s, d[0])', as this doesn't work with
    MSVC and with C++ compilers. */
 #define FLEXIBLE_ARRAY_MEMBER /**/
 /* Define to 1 if you have the `chroot' function. */
 #define HAVE_CHROOT 1
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #define HAVE_DLFCN_H 1
 /* Define to 1 if you have the `EVP_sha256' function. */
 #define HAVE_EVP_SHA256 1
 /* Define to 1 if you have the `EVP_sha512' function. */
 #define HAVE_EVP_SHA512 1
 /* Define to 1 if you have the <fcntl.h> header file. */
 #define HAVE_FCNTL_H 1
 /* Define to 1 if you have the <gssapi/gssapi.h> header file. */
 #define HAVE_GSSAPI_GSSAPI_H 1
 /* Define to 1 if you have the <gssapi.h> header file. */
 #define HAVE_GSSAPI_H 1
 /* Define to 1 if you have the <inttypes.h> header file. */
 #define HAVE_INTTYPES_H 1
 /* Define to 1 if you have the <kerberosv5/krb5.h> header file. */
 /* #undef HAVE_KERBEROSV5_KRB5_H */
 /* Define to 1 if you have the <krb5.h> header file. */
 /* #undef HAVE_KRB5_H */
 /* Define to 1 if you have the <krb5/krb5.h> header file. */
 #define HAVE_KRB5_KRB5_H 1
 /* Define to 1 if you have the `c' library (-lc). */
 /* #undef HAVE_LIBC */
 /* Define to 1 if you have the `cap' library (-lcap). */
 /* #undef HAVE_LIBCAP */
 /* if system have backtrace function */
 /* #undef HAVE_LIBCTRACE */
 /* Define to 1 if you have the `c_r' library (-lc_r). */
 /* #undef HAVE_LIBC_R */
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 @@ -301,27 +319,27 @@ int sigwait(const unsigned int *set, int
 /* Define to 1 if you have the <sys/types.h> header file. */
 #define HAVE_SYS_TYPES_H 1
 /* Define to 1 if you have the <sys/un.h> header file. */
 #define HAVE_SYS_UN_H 1
 /* Define if running under Compaq TruCluster */
 /* #undef HAVE_TRUCLUSTER */
 /* Define to 1 if you have the <unistd.h> header file. */
 #define HAVE_UNISTD_H 1
-/* return type of gai_srerror */
+/* return type of gai_strerror */
 #define IRS_GAISTRERROR_RETURN_T const char *
 /* Define to the buffer length type used by getnameinfo(3). */
 #define IRS_GETNAMEINFO_BUFLEN_T socklen_t
 /* Define to the flags type used by getnameinfo(3). */
 #define IRS_GETNAMEINFO_FLAGS_T int
 /* Defined if extern char *optarg is not declared. */
 /* #undef NEED_OPTARG */
 /* Define if connect does not honour the permission on the UNIX domain socket.
    */
 @@ -365,27 +383,27 @@ int sigwait(const unsigned int *set, int
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
 #include <sys/endian.h>
 #if _BYTE_ORDER == _BIG_ENDIAN
 #define WORDS_BIGENDIAN
 #endif
 /* Define to empty if `const' does not conform to ANSI C. */
 /* #undef const */
 /* Define to `__inline__' or `__inline' if that's what the C compiler
    calls it, or to nothing if 'inline' is not supported under any name.  */
 #ifndef __cplusplus
-/* #undef inline */
+/* #define inline */
 #endif
 /* Define to `unsigned int' if <sys/types.h> does not define. */
 /* #undef size_t */
 /* Define to `int' if <sys/types.h> does not define. */
 /* #undef ssize_t */
 /* Define to `unsigned long' if <sys/types.h> does not define. */
 /* #undef uintptr_t */
 /* Define to empty if the keyword `volatile' does not work. Warning: valid
    code using `volatile' can become incorrect without. Disable with care. */

--- src/external/bsd/bind/include/dns/Attic/code.h 2009/12/26 23:08:23	1.3
+++ src/external/bsd/bind/include/dns/Attic/code.h 2010/08/06 10:58:13	1.4

 @@ -1,15 +1,15 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.

--- src/external/bsd/bind/include/dns/Attic/enumclass.h 2009/04/12 03:46:09	1.1
+++ src/external/bsd/bind/include/dns/Attic/enumclass.h 2010/08/06 10:58:13	1.2

 @@ -1,15 +1,15 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.

--- src/external/bsd/bind/include/dns/Attic/enumtype.h 2009/10/25 00:18:39	1.2
+++ src/external/bsd/bind/include/dns/Attic/enumtype.h 2010/08/06 10:58:13	1.3

 @@ -1,15 +1,15 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.

--- src/external/bsd/bind/include/dns/Attic/rdatastruct.h 2009/10/25 00:18:39	1.2
+++ src/external/bsd/bind/include/dns/Attic/rdatastruct.h 2010/08/06 10:58:13	1.3

 @@ -1,15 +1,15 @@
 /*
- * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.

--- src/external/bsd/bind/include/isc/Attic/platform.h 2009/10/25 00:18:39	1.4
+++ src/external/bsd/bind/include/isc/Attic/platform.h 2010/08/06 10:58:13	1.5

 @@ -1,31 +1,31 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
+ *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
+ *
  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* Id: platform.h.in,v 1.53 2009/09/29 15:06:07 fdupont Exp */
+/* Id: platform.h.in,v 1.53.66.2 2010/06/03 23:49:23 tbox Exp */
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
 /*! \file */
 /*****
  ***** Platform-dependent defines.
  *****/
 #include <sys/atomic.h>
 /***
  *** Network.
 @@ -211,26 +211,32 @@
 /*
  * Defined if unistd.h does not cause fd_set to be delared.
  */
 #undef ISC_PLATFORM_NEEDSYSSELECTH
 /*
  * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
  * the GSSAPI header.
  */
 /*
  * Defined to <krb5.h> or <krb5/krb5.h> for how to include
  * the KRB5 header.
  */
 /*
  * Type used for resource limits.
  */
 #define ISC_PLATFORM_RLIMITTYPE rlim_t
 /*
  * Define if your compiler supports "long long int".
  */
 #define ISC_PLATFORM_HAVELONGLONG 1
 /*
  * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
  * prevent compiler warnings (such as with gcc on Solaris 2.8).
  */
 @@ -240,27 +246,29 @@
  * Used to control how extern data is linked; needed for Win32 platforms.
  */
 #undef ISC_PLATFORM_USEDECLSPEC
 /*
  * Define if the platform has <sys/un.h>.
  */
 #define ISC_PLATFORM_HAVESYSUNH 1
 /*
  * If the "xadd" operation is available on this architecture,
  * ISC_PLATFORM_HAVEXADD will be defined.
  */
 #ifdef __HAVE_ATOMIC64_OPS
 #define ISC_PLATFORM_HAVEXADD 1
 #endif
 /*
  * If the "xaddq" operation (64bit xadd) is available on this architecture,
  * ISC_PLATFORM_HAVEXADDQ will be defined.
  */
 #ifdef __HAVE_ATOMIC64_OPS
 #define ISC_PLATFORM_HAVEXADDQ 1
 #endif
 /*
  * If the "atomic swap" operation is available on this architecture,
  * ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
  */